35 changes: 26 additions & 9 deletions script/sign
@@ -2,19 +2,34 @@
# usage: script/sign <file>
#
# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
#

set -e

sign_macos() {
if [[ -z "$APPLE_DEVELOPER_ID" ]]; then
echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
return 0
required_env_vars=("APPLE_DEVELOPER_ID" "APPLE_ID" "APPLE_ID_PASSWORD")

check_env_vars() {
local missing=()
for var in "${required_env_vars[@]}"; do
if [[ -z "${!var}" ]]; then
missing+=("$var")
fi
done
if (( ${#missing[@]} )); then
echo "Error: Missing required environment variables: ${missing[*]}" >&2
exit 1
fi
}

if [[ $1 == *.zip ]]; then
xcrun notarytool submit "$1" --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_ID_PASSWORD?}"
sign_macos() {
local input_file="$1"
if [[ $input_file == *.zip ]]; then
xcrun notarytool submit "$input_file" \
--apple-id "${APPLE_ID}" \
--team-id "${APPLE_DEVELOPER_ID}" \
--password "${APPLE_ID_PASSWORD}"
else
codesign --timestamp --options=runtime -s "${APPLE_DEVELOPER_ID?}" -v "$1"
codesign --timestamp --options=runtime \
-s "${APPLE_DEVELOPER_ID}" -v "$input_file"
fi
}

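Review bot: dropping the `${VAR?}` expansions inside `sign_macos` (the `--apple-id`, `--team-id`, `--password` and `-s` arguments) removes the function's own fail-safe, so it now depends entirely on `check_env_vars` having been called first; anything that invokes `sign_macos` directly would pass an empty `--password` or `-s` value to `notarytool`/`codesign` instead of aborting. Keep the `?` guards in the function (or `${VAR:?}` to also reject empty values); `check_env_vars` still provides the friendlier aggregated message up front. Also, the removed `return 0` skip path when `APPLE_DEVELOPER_ID` is unset has become an `exit 1`, and the header comment at the top of the script does not reflect that change.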
@@ -29,6 +44,8 @@ if [[ $platform != "Darwin" ]]; then
exit 1
fi

for input_file; do
check_env_vars

P2: Validate notarization vars only for zip inputs

Running check_env_vars unconditionally here makes APPLE_ID and APPLE_ID_PASSWORD mandatory even when every input is a non-zip file that only reaches the codesign branch. That is a functional regression from the prior behavior, where non-zip signing only depended on APPLE_DEVELOPER_ID, and it breaks binary-only signing workflows (for example local signing setups without notarization credentials).


for input_file in "$@"; do
sign_macos "$input_file"
done
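Review bot: `check_env_vars` now hard-fails with `exit 1` before any input is processed, whereas the removed `sign_macos` preamble returned 0 with a "skipping macOS code-signing" message; any pipeline that ran this script without signing secrets present (a build that is not meant to sign, for instance) will now fail instead of skipping. If the stricter behaviour is intended, state it in the header comment and the PR description; otherwise keep a non-fatal skip path alongside the new aggregated error. The change from `for input_file; do` to `for input_file in "$@"; do` is equivalent in bash and purely cosmetic.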