Commit b0a7387

Define macOS code signing identity via AC_APPLICATION_IDENTITY environment variable
The release workflows use the "Gon" tool to sign and notarize the macOS builds. The signing identity of the code signing certificate must be provided to the tool. Previously, this was hardcoded into the workflows.

That was not ideal because the workflows are intended to be generally applicable to any project, including 3rd party projects which will have a different signing identity from that of Arduino's certificates. In addition to posing an inconvenience to hard forks, the previous hardcoding also made it more difficult for community contributors to validate changes to the release system in their fork in preparation for submitting a pull request to Arduino's repository.

In addition to the configuration file that was previously used to configure the identity, Gon supports configuration via environment variables. Environment variables are already used for the other certificate-specific configuration. The reason an environment variable was not done for the identity is simply that Gon did not have support for doing so at the time the notarization system was developed. However, it is supported from version 0.0.28.

Since this is public information, a repository variable (as opposed to the GitHub Actions secrets mechanism used by the workflow for the non-public data) is used to configure the identity via the repository settings. This will make it possible to run the workflow with any suitable certificate and credentials, without any changes to the workflow code.
1 parent c2a5278 commit b0a7387

2 files changed

+2
-2
lines changed

.github/workflows/publish-go-nightly-task.yml

Lines changed: 1 addition & 1 deletion
@@ -166,7 +166,6 @@ jobs:
166166
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
167167
168168
sign {
169-
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
170169
}
171170
172171
# Ask Gon for zip output to force notarization process to take place.
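
Review bot: With `application_identity` removed, the `sign { }` block at lines 168-169 is left empty, so signing now depends on Gon reading the identity from the environment, which the commit message says is supported only from Gon 0.0.28. The step that installs Gon is not part of this diff; please confirm it pins a version at or above 0.0.28, since an older Gon would be left with no identity configured at all.
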
@@ -178,6 +177,7 @@ jobs:
178177
179178
- name: Sign and notarize binary
180179
env:
180+
AC_APPLICATION_IDENTITY: ${{ vars.AC_APPLICATION_IDENTITY }}
181181
AC_USERNAME: ${{ secrets.AC_USERNAME }}
182182
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
183183
AC_PROVIDER: ${{ vars.AC_PROVIDER }}
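
Review bot: The new `AC_APPLICATION_IDENTITY: ${{ vars.AC_APPLICATION_IDENTITY }}` entry in the `env:` block has no guard for the case where the repository variable is not defined. GitHub Actions expands an undefined `vars` entry to an empty string, so a fork or a freshly configured repository would reach the signing step with an empty identity. Consider a short preceding step that fails with a clear message naming the missing variable.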

.github/workflows/release-go-task.yml

Lines changed: 1 addition & 1 deletion
@@ -166,7 +166,6 @@ jobs:
166166
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
167167
168168
sign {
169-
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
170169
}
171170
172171
# Ask Gon for zip output to force notarization process to take place.
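
Review bot: The now-empty `sign { }` block gives a reader of the embedded Gon configuration no hint of where the signing identity comes from. A one-line comment inside the block pointing to the `AC_APPLICATION_IDENTITY` environment variable set in the "Sign and notarize binary" step would keep the configuration self-explanatory.
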
@@ -178,6 +177,7 @@ jobs:
178177
179178
- name: Sign and notarize binary
180179
env:
180+
AC_APPLICATION_IDENTITY: ${{ vars.AC_APPLICATION_IDENTITY }}
181181
AC_USERNAME: ${{ secrets.AC_USERNAME }}
182182
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
183183
AC_PROVIDER: ${{ vars.AC_PROVIDER }}
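
Review bot: `AC_APPLICATION_IDENTITY` becomes a new required repository variable for the release workflow, but the commit touches only the two workflow files, so nothing documents it. Please add it wherever the existing `AC_USERNAME`, `AC_PASSWORD` and `AC_PROVIDER` settings are described, and state the expected value format, which is the form shown by the removed `application_identity = "Developer ID Application: ..."` line.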
