Sign and notarize macOS release binaries#1
Conversation
There was a problem hiding this comment.
Pull request overview
Adds macOS signing + notarization to the release pipeline so Darwin artifacts are Developer ID–signed and submitted to Apple’s notary service (via GoReleaser’s embedded quill), while remaining skippable when required secrets aren’t available (e.g., local snapshot builds).
Changes:
- Add a GoReleaser
notarize.macosconfiguration block gated on required secrets. - Expose required macOS signing/notarization secrets to the GoReleaser GitHub Actions workflow step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.goreleaser.yaml |
Adds a notarize block to sign and notarize macOS artifacts, gated by env-provided secrets. |
.github/workflows/release.yml |
Passes macOS signing/notary secrets into the GoReleaser action environment. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # keeps working. | ||
| notarize: | ||
| macos: | ||
| - enabled: '{{ and (ne .Env.MACOS_SIGN_P12 "") (ne .Env.MACOS_SIGN_PASSWORD "") (ne .Env.MACOS_NOTARY_KEY "") (ne .Env.MACOS_NOTARY_KEY_ID "") (ne .Env.MACOS_NOTARY_ISSUER_ID "") }}' |
jclusso
force-pushed
the
apple-notarize
branch
2 times, most recently
from
849e181 to
908fc2e
Compare
|
Rebased onto latest |
Adds a `notarize` block that signs `darwin` binaries with the Developer ID certificate and submits them to Apple's notary service before they land in the release archives. Implementation uses `goreleaser`'s embedded `quill` signer, so it runs on the existing `ubuntu-24.04` runner — no dedicated macOS runner needed. The block is gated on `IsSnapshot`: `make release-snapshot` skips signing entirely (no secrets needed locally), while real tag builds run the full sign + notarize flow and fail loudly if any of `MACOS_SIGN_P12`, `MACOS_SIGN_PASSWORD`, `MACOS_NOTARY_KEY`, `MACOS_NOTARY_KEY_ID`, or `MACOS_NOTARY_ISSUER_ID` is missing — preferable to silently shipping unsigned binaries that trigger Gatekeeper warnings.
Adds a
notarizeblock that signsdarwinbinaries with the Developer ID certificate and submits them to Apple's notary service before they land in the release archives. Implementation usesgoreleaser's embeddedquillsigner, so it runs on the existingubuntu-24.04runner — no dedicated macOS runner needed.The block is gated on
IsSnapshot:make release-snapshotskips signing entirely (no secrets needed locally), while real tag builds run the full sign + notarize flow and fail loudly if any ofMACOS_SIGN_P12,MACOS_SIGN_PASSWORD,MACOS_NOTARY_KEY,MACOS_NOTARY_KEY_ID, orMACOS_NOTARY_ISSUER_IDis missing — preferable to silently shipping unsigned binaries that trigger Gatekeeper warnings.