OS X notarize and GitHub release

[maoueh]

I'm trying to notarize an OSX zip file from Apple and then once notarized, uploading it to GitHub release via the standard Goreleaser flow.

To notarize, I use the signs attribute, a bit like this:

signs:
  - id: gpg
    artifacts: checksum
    args: [
      "--pinentry-mode", "loopback",
      "--passphrase", "{{ .Env.GPG_PASSPHRASE }}",
      "-u", "{{ .Env.GPG_FINGERPRINT }}",
      "--output", "${signature}",
      "--detach-sign", "${artifact}",
    ]
  - id: notarize
    artifacts: all
    signature: "${artifact}.zip"
    ids:
    - tracker-osx
    cmd: sh
    args:
      - -c
      - |
        # The Gon notarization process has no way to inject it the right final versionned packaged
        # name to notarize. So, from this "inline" script we move the package to a known file location,
        # notarize it and then we move it back to its correct location.
        #
        # Don't try to use Bash variables, it doesn't work properly (Goreleaser replaces them up-front)

        mv "dist/{{ .ProjectName }}_{{ .Version }}_macOS_x86_64.zip" dist/tracker.zip
        gon gon.notarize.hcl
        mv dist/tracker.zip dist/"{{ .ProjectName }}_{{ .Version }}_macOS_x86_64.zip"

This works great, the file is sent to Apple, its notarized by their services and come back to me, I then re-put it in place for Goreleaser next step.

But when Goreleaser reaches the GitHub release phase, it will try to upload the ${artifact}.zip which resolves to dist/checksums.txt.zip (Error is ⨯ release failed after 297.48s error=github/gitlab/gitea releases: failed to publish artifacts: failed to upload checksums.txt.zip after 1 tries: open dist/checksums.txt.zip: no such file or directory)

Of course, I could create a dummy file in bash, but how to prevent it to be uploaded?

I tried using Go template directives but they are not resolved in the signs.signature field signature: "{{ .ProjectName }}_{{ .Version }}_macOS_x86_64.zip".

So, any options here? A different workflow maybe? About this, I could notarize in the build step via my actual hook that currently only does code signing, but I had a hard time once I had the notarize zip to first name correctly with the right values or tell Goreleaser to use a different release archive file.

Anyway, for now, I disabled notarization, any suggestion/ideas is appreciated.

[caarlos0]

have your tried following this?

but in any case, seems like a bug 🤔 can you open an issue as well?