dist: sign, notarize, and staple macOS desktop builds #63

@ibourgeois

Context

As a user installing the macOS desktop app, I need Katra releases to be signed and notarized so macOS will open them without Gatekeeper warnings or manual override steps.

Acceptance Criteria

  • The macOS desktop build is signed with the appropriate Apple Developer identity.
  • Release builds are notarized with Apple.
  • The notarization ticket is stapled to the distributed app or installer artifact.
  • The release workflow fails clearly when signing or notarization breaks.

Notes

This should cover the full installability path, not only code signing.

Current blocker:

  • Apple Developer organization enrollment is still pending manual verification of authority to sign legal agreements.
  • The implementation PR is ready, but it should not be merged until the Apple account is approved and the required GitHub repository secrets can be added.

Required GitHub repository secrets:

  • MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64
  • MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_PASSWORD
  • MACOS_NOTARY_APPLE_ID
  • MACOS_NOTARY_APP_SPECIFIC_PASSWORD
  • MACOS_NOTARY_TEAM_ID

Out of Scope

  • Windows code signing
  • Linux signing and package trust flows
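A fail-closed release step covering the acceptance criteria above, as an added example that is not part of the original issue or the project's workflow. It assumes a macOS CI runner with the Xcode command line tools, a single `.app` bundle, and a caller-supplied app path and signing identity (both hypothetical arguments); it checks the reported notarization status explicitly instead of relying on the exit code alone.

```shell
# Added example, not the project's workflow; main() assumes a macOS CI runner.
REQUIRED_SECRETS="MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64
MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_PASSWORD MACOS_NOTARY_APPLE_ID
MACOS_NOTARY_APP_SPECIFIC_PASSWORD MACOS_NOTARY_TEAM_ID"

# Print the name (never the value) of each unset or empty secret; return 1 if any.
missing_secrets() {
  rc=0
  for name in $REQUIRED_SECRETS; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then echo "$name"; rc=1; fi
  done
  return "$rc"
}
# Pull "status" out of single-line `notarytool --output-format json` output.
notary_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}
# Pass only on an explicit "Accepted"; Invalid, Rejected or unparsable output fails.
notary_accepted() { [ "$(notary_status "$1")" = "Accepted" ]; }

main() {
  set -eu
  app="${1:?usage: $0 <App.app> <signing identity>}"; identity="${2:?missing signing identity}"
  missing_secrets >&2 || { echo "error: the secrets listed above are not set" >&2; exit 1; }
  work="$(mktemp -d)"; kc="$work/build.keychain-db"; kc_pw="$(uuidgen)"
  trap 'security delete-keychain "$kc" 2>/dev/null; rm -rf "$work"' EXIT
  # Job-scoped keychain holding the Developer ID Application certificate.
  printf '%s' "$MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64" | base64 --decode > "$work/cert.p12"
  security create-keychain -p "$kc_pw" "$kc"
  security unlock-keychain -p "$kc_pw" "$kc"
  security import "$work/cert.p12" -k "$kc" -T /usr/bin/codesign -P "$MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_PASSWORD"
  security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$kc" >/dev/null
  security list-keychains -d user -s "$kc"   # replaces the search list; ephemeral runner assumed
  # Sign with hardened runtime and a secure timestamp (both needed for notarization).
  codesign --force --options runtime --timestamp --keychain "$kc" --sign "$identity" "$app"
  codesign --verify --strict --verbose=2 "$app"
  # Notarize a zip of the app, then gate on the reported status.
  ditto -c -k --keepParent "$app" "$work/upload.zip"
  result="$(xcrun notarytool submit "$work/upload.zip" --wait --output-format json \
    --apple-id "$MACOS_NOTARY_APPLE_ID" --team-id "$MACOS_NOTARY_TEAM_ID" --password "$MACOS_NOTARY_APP_SPECIFIC_PASSWORD")"
  notary_accepted "$result" || { echo "error: notarization not accepted: $result" >&2; exit 1; }
  # Staple the ticket, validate it, and confirm Gatekeeper accepts the result.
  xcrun stapler staple "$app"; xcrun stapler validate "$app"
  spctl --assess --type execute --verbose "$app"
}

[ "$#" -eq 0 ] || main "$@"
```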
