
ci: add macOS code signing for CLI binary (#42)#91

Open · tamtom wants to merge 1 commit into main from feat/42-macos-signing

Conversation

@tamtom (Owner) commented Feb 15, 2026

Summary

  • Add sign-macos job to the release workflow that signs macOS binaries (amd64 + arm64) with an Apple Developer ID certificate
  • Import certificate from GitHub Secrets into a temporary keychain, sign with codesign --force --options runtime --timestamp, and verify signatures
  • Optionally notarize binaries via xcrun notarytool when Apple ID secrets are configured (conditional on APPLE_ID being set)
  • Signed artifacts overwrite the unsigned ones so the release job publishes signed binaries
  • Linux and Windows builds are completely unaffected

Required Secrets

Secret                      Description
APPLE_CERTIFICATE_P12       Base64-encoded Developer ID Application certificate
APPLE_CERTIFICATE_PASSWORD  Password for the .p12 file
APPLE_SIGNING_IDENTITY      e.g., Developer ID Application: Name (TEAM_ID)
APPLE_ID                    Apple ID email (optional, for notarization)
APPLE_TEAM_ID               Apple Developer Team ID (optional, for notarization)
APPLE_APP_PASSWORD          App-specific password (optional, for notarization)

Test plan

  • Verify workflow YAML is valid (no syntax errors)
  • Add the three required signing secrets and trigger a tag push to test the signing job
  • Confirm codesign --verify passes in the workflow logs
  • Download the signed binary and verify locally with codesign -dvv gplay-darwin-arm64
  • Confirm macOS Gatekeeper does not show warnings when running the signed binary
  • Optionally add notarization secrets and verify xcrun notarytool submit succeeds
  • Confirm Linux and Windows artifacts are still produced correctly

Closes #42

🤖 Generated with Claude Code

Add a sign-macos job that runs after build to sign darwin/amd64 and
darwin/arm64 binaries with an Apple Developer ID certificate. This
eliminates Gatekeeper warnings for macOS users. The job imports the
certificate into a temporary keychain, signs with hardened runtime,
verifies the signature, and optionally notarizes via xcrun notarytool
when Apple ID secrets are configured. The release job now depends on
sign-macos to ensure only signed binaries are published.

Closes #42

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
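The sign-macos job described in the PR summary and the commit message (temporary keychain, `codesign --force --options runtime --timestamp`, verification, conditional notarization), written out as an added shell script that is not part of this PR or the project's workflow. It assumes the secrets from the table are mapped to environment variables of the same name via the step's `env:`; the keychain and certificate paths, and the binary paths passed on the command line, are constructed placeholders. It goes slightly beyond the PR in two places: notarization is gated on all three optional secrets rather than on APPLE_ID alone, and the binary is zipped before submission because `notarytool` accepts zip, dmg or pkg archives, not bare Mach-O files.

```shell
#!/bin/sh
# Added example, not the project's own workflow: a sign-macos step body.
# Assumes APPLE_* secrets are exported as environment variables; the paths
# below are constructed placeholders.
set -eu

KEYCHAIN="${RUNNER_TEMP:-/tmp}/signing.keychain-db"
CERT_FILE="${RUNNER_TEMP:-/tmp}/developer-id.p12"

# All three signing secrets must be present; report every missing name at
# once instead of failing later with an opaque `security` error.
required_secrets_present() {
  ok=0
  for name in APPLE_CERTIFICATE_P12 APPLE_CERTIFICATE_PASSWORD APPLE_SIGNING_IDENTITY; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required secret: $name" >&2
      ok=1
    fi
  done
  return "$ok"
}

# notarytool needs all three optional secrets, so gate on all of them rather
# than on APPLE_ID alone; a half-configured job should skip, not fail.
notarization_configured() {
  [ -n "${APPLE_ID:-}" ] && [ -n "${APPLE_TEAM_ID:-}" ] && [ -n "${APPLE_APP_PASSWORD:-}" ]
}

# Decode the base64 secret into a mode-0600 file and refuse an empty result,
# which is what a blank or mis-pasted secret produces.
decode_certificate() {
  ( umask 077; printf '%s' "$1" | base64 --decode > "$2" )
  if [ ! -s "$2" ]; then
    echo "APPLE_CERTIFICATE_P12 decoded to an empty file" >&2
    return 1
  fi
}

# Throwaway keychain with a random password; the partition list grants
# codesign access to the key without a UI prompt (macOS only).
keychain_setup() {
  keychain_password=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  security create-keychain -p "$keychain_password" "$KEYCHAIN"
  security set-keychain-settings -lut 21600 "$KEYCHAIN"
  security unlock-keychain -p "$keychain_password" "$KEYCHAIN"
  security import "$CERT_FILE" -k "$KEYCHAIN" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
  security set-key-partition-list -S apple-tool:,apple: -s -k "$keychain_password" "$KEYCHAIN"
  security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
}

# Runs from an EXIT trap so the key never outlives the job, even on failure.
keychain_teardown() {
  security delete-keychain "$KEYCHAIN" 2>/dev/null || true
  rm -f "$CERT_FILE"
}

# Hardened runtime plus a trusted timestamp, then a strict verify that
# rejects anything Gatekeeper would later refuse.
sign_binary() {
  codesign --force --options runtime --timestamp \
    --keychain "$KEYCHAIN" --sign "$APPLE_SIGNING_IDENTITY" "$1"
  codesign --verify --strict --verbose=2 "$1"
}

# notarytool accepts zip, dmg or pkg, not a bare Mach-O binary.
notarize_binary() {
  archive="$1.zip"
  ditto -c -k --keepParent "$1" "$archive"
  xcrun notarytool submit "$archive" --apple-id "$APPLE_ID" \
    --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PASSWORD" --wait
  rm -f "$archive"
}

main() {
  required_secrets_present
  decode_certificate "$APPLE_CERTIFICATE_P12" "$CERT_FILE"
  trap keychain_teardown EXIT
  keychain_setup
  for bin in "$@"; do
    sign_binary "$bin"
    if notarization_configured; then
      notarize_binary "$bin"
    else
      echo "notarization secrets not configured; skipping $bin"
    fi
  done
}

# Only run when binaries are given, e.g.
#   sh sign-macos.sh dist/gplay-darwin-amd64 dist/gplay-darwin-arm64
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Two caveats worth keeping in mind when following the test plan: a standalone CLI binary cannot be stapled, so Gatekeeper's notarization check for it is performed online at first run, and `security set-key-partition-list` is the step that stops `codesign` from hanging on a keychain prompt on a headless runner.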


Development

Successfully merging this pull request may close these issues.

Add macOS code signing for CLI binary in release workflow

1 participant