From 4d8912a7ca1cdc8f5ee78397b2e949adc6c9005f Mon Sep 17 00:00:00 2001
From: Jarrett Lusso
Date: Tue, 26 May 2026 09:12:52 -0400
Subject: [PATCH] Sign and notarize macOS release binaries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a `notarize` block that signs `darwin` binaries with the Developer ID certificate and submits them to Apple's notary service before they land in the release archives. Implementation uses `goreleaser`'s embedded `quill` signer, so it runs on the existing `ubuntu-24.04` runner — no dedicated macOS runner needed. The block is gated on `IsSnapshot`: `make release-snapshot` skips signing entirely (no secrets needed locally), while real tag builds run the full sign + notarize flow and fail loudly if any of `MACOS_SIGN_P12`, `MACOS_SIGN_PASSWORD`, `MACOS_NOTARY_KEY`, `MACOS_NOTARY_KEY_ID`, or `MACOS_NOTARY_ISSUER_ID` is missing — preferable to silently shipping unsigned binaries that trigger Gatekeeper warnings.
---
 .github/workflows/release.yml | 5 +++++
 .goreleaser.yaml | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2125fd1..1af20ea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,3 +49,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RELEASE_GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+ MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+ MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+ MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+ MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 2ba8892..30bec8b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
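Review bot: An undefined GitHub secret does not leave the variable unset — `${{ secrets.MACOS_SIGN_P12 }}` expands to an empty string — so all five new `env` entries are always present, and the "fail loudly if any ... is missing" behaviour the commit message promises only happens if goreleaser or quill rejects the empty value, which, as far as I can tell, surfaces as a certificate-decoding or notary-auth error deep inside the notarize step rather than a clear message naming the missing secret. A preflight step that asserts each secret is non-empty on tag builds gives the intended loud failure before any signing attempt; the `if:` below is a guess at the tag condition, so align it with whatever selects non-snapshot builds in this workflow. The enclosing job and step start outside the hunk, so I cannot tell whether this `env:` is step- or job-scoped; if it is job-level, move the signing secrets down to the goreleaser step only, so checkout, setup and test steps do not receive them.
```yaml
      # … unchanged: earlier steps …
      - name: Verify macOS signing secrets are present
        if: startsWith(github.ref, 'refs/tags/')
        env:
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
        run: |
          for v in MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_KEY MACOS_NOTARY_KEY_ID MACOS_NOTARY_ISSUER_ID; do
            [ -n "${!v}" ] || { echo "::error::secret $v is not set"; exit 1; }
          done
      # … unchanged: goreleaser step with its env block …
```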
@@ -75,6 +75,21 @@ nfpms:
 checksum:
 name_template: "checksums.txt"
+notarize:
+ macos:
+ - enabled: '{{ not .IsSnapshot }}'
+ ids:
+ - emailable
+ sign:
+ certificate: "{{.Env.MACOS_SIGN_P12}}"
+ password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+ notarize:
+ issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+ key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+ key: "{{.Env.MACOS_NOTARY_KEY}}"
+ wait: true
+ timeout: 20m
+
 snapshot:
 version_template: "{{ .Tag }}-next"
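Review bot: `ids: [emailable]` is what selects the build whose `darwin` binaries get signed, and the `builds:` section that would declare that id is outside this hunk; if no build carries `id: emailable`, goreleaser's artifact filter matches nothing and, as far as I can tell, the release completes with unsigned macOS binaries — exactly the silent outcome the commit message sets out to prevent — so please confirm the id, or drop `ids` entirely if there is a single build. The block also mixes quoting styles: `enabled` uses single quotes while every other template uses double quotes, and `enabled: "{{ not .IsSnapshot }}"` keeps the file consistent. Finally, a short comment above `notarize:` would help future maintainers: a notarization ticket cannot be stapled to a standalone Mach-O executable, so Gatekeeper performs an online ticket lookup on first launch, and `wait: true` is what guarantees the ticket exists before the archives are published; on a `timeout` expiry the whole release fails rather than shipping unsigned.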