feat(CLI): Add macOS binary signing using Apple Distribution certificate [SCD-129] #1002
Conversation
Pull request overview
This PR adds macOS binary signing and notarization capabilities to the CLI release pipeline, addressing the need for distributing signed binaries through Apple's ecosystem.
Changes:
- Implements a new bash script to automate certificate setup, binary signing, and Apple notarization
- Refactors release.sh to remove manual GitHub release creation in favor of GitHub Actions workflows
- Updates the release workflow to include a dedicated macOS signing job with artifact management
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| clients/cli/build/sign_and_notarize.sh | New script handling certificate management, binary signing, and Apple notarization workflow |
| clients/cli/build/release.sh | Removed manual GitHub release creation code, delegating to GitHub Actions |
| clients/cli/.github/workflows/release.yml | Added permissions, artifact uploads, and new sign_and_notarize job orchestrating the signing pipeline |
| echo "🔐 Setting up certificate and keychain..." | ||
|
|
||
| # Decode the certificate (macOS-only) | ||
| echo "$CERTIFICATE_BASE64" | /usr/bin/base64 -D > "$CERTIFICATE_PATH" |
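Review bot: the certificate decoded on the `base64 -D` line is described in the PR title as an Apple Distribution certificate, which Apple issues for App Store submission; notarization of binaries shipped outside the App Store requires a Developer ID Application certificate, and notarytool rejects items signed with anything else, so confirm which certificate `CERTIFICATE_BASE64` actually holds before this lands. On the decode line itself, the redirect creates `$CERTIFICATE_PATH` with the default umask and nothing checks that the decode succeeded, so an empty or malformed secret leaves a zero-length or partial file that only fails later at keychain import with a less obvious error. Create the file owner-only before writing (for example `umask 077` ahead of the redirect, or `install -m 600 /dev/null "$CERTIFICATE_PATH"` first) and run the script under `set -euo pipefail` or test the decode's exit status so a bad secret aborts before any keychain work.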
Copilot (AI), Jan 12, 2026
The certificate file is created with default permissions that may be world-readable. Set restrictive permissions (e.g., chmod 600) on the certificate file immediately after creation to prevent unauthorized access to sensitive cryptographic material.
| echo "$CERTIFICATE_BASE64" | /usr/bin/base64 -D > "$CERTIFICATE_PATH" | |
| echo "$CERTIFICATE_BASE64" | /usr/bin/base64 -D > "$CERTIFICATE_PATH" | |
| chmod 600 "$CERTIFICATE_PATH" |
| [[ "$bin" == *.tar.gz ]] && continue | ||
| zip_name="${bin}.zip" | ||
| echo "Creating ${zip_name}" | ||
| /usr/bin/zip -j -o "$zip_name" "$bin" |
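Review bot: the skip guard on the first line only excludes `*.tar.gz`, so anything else the loop's glob matches gets zipped, including `.zip` archives left behind by an earlier run of this same loop and any non-regular entries; a rerun of the job then submits `name.zip.zip` for notarization. Extend the guard to `[[ "$bin" == *.tar.gz || "$bin" == *.zip ]] && continue` and add `[[ -f "$bin" ]] || continue` ahead of the `zip` call so only freshly signed executables are archived.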
Copilot (AI), Jan 12, 2026
Using the -j flag removes directory structure from the zip archive, which could cause filename collisions if binaries have the same base name. Consider using relative paths without -j to preserve directory structure and prevent potential naming conflicts.
| /usr/bin/zip -j -o "$zip_name" "$bin" | |
| ( | |
| bin_dir="$(dirname "$bin")" | |
| bin_base="$(basename "$bin")" | |
| zip_base="$(basename "$zip_name")" | |
| cd "$bin_dir" | |
| /usr/bin/zip -o "$zip_base" "$bin_base" | |
| ) |
| - name: Upload signed binaries to Draft Release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| files: dist/* |
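Review bot: `softprops/action-gh-release@v1` on the `uses:` line is a mutable tag, and this step runs in the job that holds the signing certificate and notarization credentials, so pin it to a full commit SHA (`uses: softprops/action-gh-release@<sha> # v1`) and let a dependency bot bump it; the same applies to every other action in this workflow. Independently of narrowing the glob, set `fail_on_unmatched_files: true` under `with:` so a run where signing produced nothing does not silently create an empty draft release.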
Copilot (AI), Jan 12, 2026
This step uploads all files from dist/ including unsigned binaries and intermediate artifacts. The glob pattern should be more specific to only upload the final signed artifacts (e.g., '*.tar.gz' files or specifically named signed binaries) to avoid polluting the release with unnecessary files.
| files: dist/* | |
| files: dist/*.tar.gz |
| - name: Publish GitHub Release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| draft: false | ||
| name: ${{ github.ref_name }} | ||
| tag_name: ${{ github.ref_name }} |
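Review bot: `draft: false` flips the release public with no check of what was uploaded in the preceding step. Add a step before this one that, for each artifact in dist/, runs `codesign --verify --strict --verbose=2 "$f"` and inspects `codesign -dvv "$f"` for an `Authority=Developer ID Application:` line and the hardened-runtime flag (`flags=0x10000(runtime)`), both of which notarization requires, and fails the job on any artifact that does not pass; if a human sign-off is wanted as well, put this publish step behind an `environment:` with required reviewers rather than a separate manual step. This action should be pinned to a commit SHA too.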
Copilot (AI), Jan 12, 2026
Publishing the release immediately after uploading signed binaries does not include any verification step. Consider adding a manual approval step or automated verification that all expected signed artifacts are present before automatically publishing the release.
Add macOS binary signing and notarization using Apple Distribution certificate.