
Fix macOS notarization skipped after adding second binary#1324

Merged
Soph merged 3 commits into main from soph/fix-macos-notarize-ids on Jun 2, 2026

Conversation

@Soph

@Soph Soph commented Jun 2, 2026

https://entire.io/gh/entireio/cli/trails/478

Problem

v0.7.0 shipped macOS binaries that Gatekeeper kills on launch. Users hit it as Homebrew completion-generation failures:

Warning: Failed to generate bash completions ... was terminated by uncaught signal KILL.

The published entire and git-remote-entire binaries are only ad-hoc/linker-signed (Signature=adhoc, TeamIdentifier=not set); spctl assessment → rejected. They were never Developer-ID signed or notarized.

Root cause

Adding git-remote-entire (#1306) gave the GoReleaser builds explicit ids (entire, git-remote-entire). The notarize.macos block has no ids: field, so GoReleaser defaults it to [project_name] = [cli] (from the module github.com/entireio/cli).

Previously the single build had no explicit id, so it also defaulted to cli — they matched by accident. Once the builds were named, nothing matched cli and the notarize pipe skipped silently while the job stayed green:

• sign & notarize macOS binaries
  • pipe skipped or partially skipped   reason=no darwin binaries found with ids cli

Fix

  • .goreleaser.yaml — pin notarize.macos.ids to both darwin builds (entire, git-remote-entire), with a comment documenting the footgun.
  • .github/workflows/release.yml — add a fail-closed guard after GoReleaser: it inspects every darwin binary in dist/ and fails the release if any lacks a Developer ID signature, or if none are found. We can't run codesign/spctl on the Linux runner, so it greps the Mach-O for the embedded signing certificate subject (Developer ID Application), which is absent from ad-hoc binaries. Gated on a signing-availability check so forks without the cert secret aren't failed.

Notes

Verification

  • Confirmed against the published entire_darwin_arm64.tar.gz: both binaries ad-hoc only, spctl rejected.
  • Traced the skip to the release run log (no darwin binaries found with ids cli).
  • Diffed the v0.7.0-tagged config vs v0.6.3 to confirm the build-id rename is the trigger.

🤖 Generated with Claude Code
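The fail-closed guard described in the Fix section, written out as an added example rather than the project's own release.yml step: it greps each darwin binary for the embedded "Developer ID Application" certificate subject (no codesign/spctl on a Linux runner) and fails both when any binary lacks it and when no binaries are found at all, the silent-skip case. The dist/ layout (`<dist>/<name>_darwin_<arch>/{entire,git-remote-entire}`) and the fixture contents are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's own workflow step: a fail-closed guard that
# runs on a Linux runner (no codesign/spctl) and greps each darwin binary for
# the embedded "Developer ID Application" certificate subject, which ad-hoc
# and linker-signed binaries lack.
# Assumption: binaries live at <dist>/<name>_darwin_<arch>/{entire,git-remote-entire}.

check_darwin_signed() {
  dist="$1"
  found=0
  bad=0
  for bin in "$dist"/*_darwin_*/entire "$dist"/*_darwin_*/git-remote-entire; do
    [ -f "$bin" ] || continue
    found=$((found + 1))
    # -a treats the Mach-O as text so grep reports a match instead of "Binary file".
    if grep -qa "Developer ID Application" "$bin"; then
      echo "ok: $bin is Developer ID signed"
    else
      echo "ERROR: $bin lacks a Developer ID Application certificate (ad-hoc/linker-signed?)" >&2
      bad=$((bad + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    # Zero matches is exactly the silent-skip failure mode, so it must fail too.
    echo "ERROR: no darwin binaries found under $dist; did the notarize pipe skip?" >&2
    return 1
  fi
  [ "$bad" -eq 0 ]
}

# Constructed fixtures standing in for dist/ output; not real Mach-O files.
# kind=signed embeds the certificate subject, kind=adhoc omits it.
make_fixture() {
  dir="$1"
  kind="$2"
  mkdir -p "$dir/entire_darwin_arm64"
  for name in entire git-remote-entire; do
    printf '\317\372\355\376 constructed mach-o body ' > "$dir/entire_darwin_arm64/$name"
    if [ "$kind" = signed ]; then
      printf 'Developer ID Application: Example Corp (TEAMID0000)' >> "$dir/entire_darwin_arm64/$name"
    fi
  done
}

# Usage in a workflow step: check_darwin_signed dist || exit 1
```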


Note

Low Risk
Release pipeline and GoReleaser config only; no runtime app logic, and the new check is gated on signing secrets so forks without certs are unaffected.

Overview
Restores macOS Developer ID signing and notarization for both darwin artifacts (entire, git-remote-entire) after a second named build caused GoReleaser’s notarize step to silently skip (default ids no longer matched).

In .goreleaser.yaml, notarize.macos.ids is set explicitly to entire and git-remote-entire, with a comment explaining the default-id footgun.

In .github/workflows/release.yml, a signing-availability step gates a fail-closed post-release check: when MACOS_SIGN_P12 is present, every darwin binary in dist/artifacts.json must contain an embedded Developer ID Application certificate string (grep on Linux), or the job fails with actionable errors.

Reviewed by Cursor Bugbot for commit 73584a0.

Soph and others added 2 commits June 2, 2026 14:51
Adding the git-remote-entire binary (#1306) gave the goreleaser builds
explicit ids (entire, git-remote-entire). The notarize.macos block has no
ids field, so goreleaser defaults it to [project_name] = [cli]. The old
single build had no explicit id, so it also defaulted to "cli" and matched
by accident. Once the builds were named, nothing matched "cli" and the
notarize pipe skipped silently:

  • sign & notarize macOS binaries
    • pipe skipped or partially skipped  reason=no darwin binaries found with ids cli

The Release job stayed green but shipped ad-hoc/linker-signed binaries
(Signature=adhoc, TeamIdentifier=not set) that Gatekeeper kills on launch
— surfacing as Homebrew completion-generation failures (signal KILL).

Verified against the published v0.7.0 darwin arm64 archive: both binaries
ad-hoc only, spctl assessment rejected.

Pin notarize.macos.ids to both darwin builds so signing/notarization runs.
Config-only — needs a new tagged release (0.7.1) to reach users.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 733a774a9eb3
The notarize pipe only warns (exit 0) when it matches no binaries, so a
misconfigured notarize.macos.ids ships ad-hoc-signed darwin binaries while
the Release job stays green — exactly how v0.7.0 slipped out.

Add a post-GoReleaser step that fails the release when any darwin binary in
dist/ lacks a Developer ID signature, or when none are found (fail closed).
We can't run codesign/spctl on the Linux runner, so we grep the Mach-O for
the embedded signing certificate subject ("Developer ID Application"), which
is absent from ad-hoc/linker-signed binaries. Gated on a signing-availability
check so forks without the cert secret aren't failed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 4103f66ce40b
Copilot AI review requested due to automatic review settings June 2, 2026 12:55
@Soph Soph requested a review from a team as a code owner June 2, 2026 12:55
squishykid previously approved these changes Jun 2, 2026

Copilot AI left a comment


Pull request overview

Fixes a release pipeline footgun where GoReleaser’s macOS notarization step could silently skip after introducing a second named darwin build, resulting in ad-hoc signed binaries that Gatekeeper rejects.

Changes:

  • Pin notarize.macos.ids in .goreleaser.yaml to explicitly include both darwin build IDs (entire, git-remote-entire) so the notarize pipe runs deterministically.
  • Add a post-GoReleaser guard in .github/workflows/release.yml (only when signing secrets are present) to fail the release if any darwin binary lacks a Developer ID signature, or if none are found.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • .goreleaser.yaml: Ensures notarization targets both macOS build IDs to prevent silent skipping.
  • .github/workflows/release.yml: Adds a fail-closed verification step to catch unsigned macOS binaries in release artifacts.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@Soph Soph enabled auto-merge June 2, 2026 13:02
@Soph Soph merged commit 0db7928 into main Jun 2, 2026
11 checks passed
@Soph Soph deleted the soph/fix-macos-notarize-ids branch June 2, 2026 13:02
suhaanthayyil pushed a commit to suhaanthayyil/cli that referenced this pull request Jun 2, 2026
0.7.2 is the patch release that ships the notarization fix and the
release guard from entireio#1324, so macOS binaries are Developer ID signed and
notarized again after 0.7.0 regressed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 017b0c50d7a5
