quicksilver · n8henrie · Dec 16, 2025 · Oct 23, 2025 · Oct 30, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,16 +14,13 @@ on:
 jobs:
   build:
     runs-on: macos-latest
-    env:
-      QS_DONT_SIGN: 1
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Build debug version
         working-directory: Quicksilver
         run: |
-          ./Tools/codesign/setup_cert.sh
           ./Tools/qsrelease Debug
           mv /tmp/QS/build/Debug/Quicksilver{,-debug}.zip
       - name: Upload debug version
@@ -37,12 +34,7 @@ jobs:
           ./Tools/qsrelease
       - name: Prepare DMG_INGREDIENTS artifact
         working-directory: /tmp/QS/build/Release/
-        run: |
-          cp \
-            /tmp/qs_build_settings \
-            /tmp/Quicksilver.entitlements \
-            ./dmg/
-          tar -czvf ./dmg_ingredients.tar.gz ./dmg
+        run: tar -czvf ./dmg_ingredients.tar.gz ./dmg
       - name: Upload components for sign action
         uses: actions/upload-artifact@v4
         with:
@@ -53,16 +45,6 @@ jobs:
     needs: build
     runs-on: macos-latest
     if: startsWith(github.ref, 'refs/tags/v')
-    env:
-      MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-      MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
-      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-
-      SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
-      NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }}
-      NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }}
-
-      KEYCHAIN_PROFILE: "Quicksilver Notarization"
     steps:
       - name: Download dmg folder artifact
         uses: actions/download-artifact@v4
@@ -77,37 +59,23 @@ jobs:
             ./dmg/qs_build_settings \
             ./dmg/Quicksilver.entitlements \
             /tmp/
-          QS_INFO_VERSION=$(awk '/QS_INFO_VERSION/ { print $NF }' \
-            /tmp/qs_build_settings)
+          QS_INFO_VERSION=$(
+            awk '/QS_INFO_VERSION/ { print $NF }' /tmp/qs_build_settings
+          )
           echo "QS_INFO_VERSION=${QS_INFO_VERSION}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: Run Tools/qssign
+      - name: qssign
         working-directory: Quicksilver
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
+          NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }}
+          NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }}
         run: |
-          # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
-          KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db
-          CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12
-          base64 --decode --output "${CERTIFICATE_PATH}" <<<"${MACOS_CERTIFICATE}"
-          trap "rm -rf -- '${RUNNER_TEMP}'" EXIT
-
-          security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-          security default-keychain -s "${KEYCHAIN_PATH}"
-          security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
-
-          security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-
-          security import "${CERTIFICATE_PATH}" \
-            -P "${MACOS_CERTIFICATE_PASSWORD}" \
-            -A -t cert -f pkcs12 -k "${KEYCHAIN_PATH}"
-          rm -- "${CERTIFICATE_PATH}"
-          xcrun notarytool store-credentials "${KEYCHAIN_PROFILE}" \
-            --apple-id "${NOTARIZING_ID}" \
-            --team-id "${SIGNING_IDENTITY}" \
-            --password "${NOTARIZING_PASS}"
-
-          ./Tools/qssign
+          ./Tools/qssign ./Quicksilver.app
       - name: Download debug artifact
         uses: actions/download-artifact@v4
         with:
@@ -135,4 +103,4 @@ jobs:
           files: |
             /tmp/QS/build/Release/Quicksilver*.dmg
             /tmp/QS/build/Release/checksum.txt
-            /tmp/Quicksilver-debug.zip
+            /tmp/Quicksilver-debug.zip
diff --git a/Quicksilver/Quicksilver.xcodeproj/project.pbxproj b/Quicksilver/Quicksilver.xcodeproj/project.pbxproj
@@ -6383,7 +6383,7 @@
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = Quicksilver.entitlements;
-				CODE_SIGN_IDENTITY = "Local Self-Signed";
+				CODE_SIGN_IDENTITY = "-";
 				DEVELOPMENT_TEAM = "";
 				FRAMEWORK_SEARCH_PATHS = (
 					"$(inherited)",

diff --git a/Quicksilver/Tools/qs-build-plugin b/Quicksilver/Tools/qs-build-plugin
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+set -Eeuf -o pipefail
+
+TOOLSDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+readonly TOOLSDIR
+. "${TOOLSDIR}/utils.sh"
+
+usage() {
+  printf 'USAGE:
+  CONFIGURATION=Release Tools/build-plugin /path/to/plugin
+'
+}
+
+main() {
+  local plugin_dir=${1:-}
+  # Fail early if plugin directory doesn't exit
+  if [[ ! -d "${plugin_dir}" ]]; then
+    usage
+    err "Plugin directory '${plugin_dir}' doesn't seem to exist"
+  fi
+
+  export CONFIGURATION=${CONFIGURATION:-Debug}
+
+  # build quicksilver to provide necessary frameworks
+  pushd "$(dirname "${BASH_SOURCE[0]}")"
+  ./qsrelease
+  popd
+
+  pushd "${plugin_dir}"
+  local project=$(find . -maxdepth 1 -name '*.xcodeproj' -not -iname "*test.xcodeproj" -print -quit)
+  local scheme_list
+  if [[ -z "${project}" ]]; then
+    scheme_list=$(xcodebuild -list -json || true)
+  else
+    scheme_list=$(xcodebuild -list -json -project "${project}")
+  fi
+
+  if [[ -z "${scheme_list}" ]]; then
+    err "unable to determine scheme list"
+  fi
+
+  local scheme=$(json '["project"]["targets"][0]' <<< "${scheme_list}")
+  log "Using default scheme: ${scheme}"
+
+  # Absence of a project can still build, but will error if `-project` is specified
+  local opts=(
+    -configuration "${CONFIGURATION}"
+    -scheme "${scheme}"
+    -destination 'generic/platform=macos'
+  )
+  if [[ -n "${project}" ]]; then
+    opts+=(-project "${project}")
+  fi
+  xcodebuild build -quiet "${opts[@]}"
+
+  local settings=$(xcodebuild -configuration "${CONFIGURATION}" -showBuildSettings -json)
+  local plugin_name=$(json '[0]["buildSettings"]["FULL_PRODUCT_NAME"]' <<< "${settings}")
+  local build_dir=$(json '[0]["buildSettings"]["BUILT_PRODUCTS_DIR"]' <<< "${settings}")
+  local expected="${build_dir}/${plugin_name}"
+
+  if [[ -d "${expected}" ]]; then
+    log "Plugin successfully built to ${expected}"
+  else
+    err "Did not find built plugin at ${expected}"
+  fi
+}
+main "$@"