Skip to content

macOS Developer ID signing + notarization in CI#1

Merged
joeVenner merged 5 commits into
mainfrom
feature/macos-signing-notarization
Jun 10, 2026
Merged

macOS Developer ID signing + notarization in CI#1
joeVenner merged 5 commits into
mainfrom
feature/macos-signing-notarization

Conversation

@joeVenner

Copy link
Copy Markdown
Owner

Wires Developer ID signing + Apple notarization into the release pipeline so the macOS DMG installs without a Gatekeeper warning for everyone (and the Accessibility/Mic grants stop resetting on rebuild).

Changes

  • `bundle-macos.sh`: Developer ID + hardened-runtime signing with the audio-input entitlement when `SIGN_IDENTITY` is set; ad-hoc fallback otherwise.
  • `scripts/holler.entitlements`: `com.apple.security.device.audio-input` (required for mic under hardened runtime).
  • CI: import cert into a throwaway keychain → sign → `notarytool submit --wait` → `stapler staple` on the universal DMG. Gated on the `ENV` environment secrets; falls back to ad-hoc when unset.
  • `docs/SIGNING.md` + README/DECISIONS notes.

Validation

Tested on a branch push with the real secrets: cert import, Developer ID signing, notarization, and stapling all succeeded (after accepting the pending Apple Developer agreement). Build green on macOS arm64+x64+universal and Windows x64.

Merging this, then tagging `v0.1.1`, produces the first signed + notarized release.

…lback

When SIGN_IDENTITY is set, sign the binary with hardened runtime, the audio-
input entitlement, and a secure timestamp (the prerequisites for notarization
and for a Gatekeeper-clean install), then seal the bundle. Without it, keep the
ad-hoc path for local dev. Adds scripts/holler.entitlements.
Import the Developer ID cert into a throwaway keychain, pass SIGN_IDENTITY to
the bundler (hardened-runtime Developer ID signing), then notarize the DMG with
notarytool and staple the ticket. All steps are gated on their secrets, so
builds without the secrets configured fall back to the existing ad-hoc path and
stay green.
Add docs/SIGNING.md (Developer ID cert, the six GitHub secrets and where to get
each, release + local flows). Update the README signing note and the DECISIONS
distribution row to point at it.
The 'secrets' context isn't allowed in step if: conditions (caused an immediate
workflow-validation failure). Surface the signing secrets as job-level env and
gate the import/notarize steps on env.* instead.
The signing secrets are stored as Environment secrets (env 'ENV'); a job only
sees them if it opts into that environment. Add environment: ENV to the
universal-DMG job so the cert import + notarization steps can read them.
@joeVenner joeVenner self-assigned this Jun 10, 2026
@joeVenner joeVenner merged commit ebb72d1 into main Jun 10, 2026
14 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant