Skip to content

feat(CLI): Add macOS binary signing using Apple Distribution certificate [SCD-129] #1002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bikmazefe wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(CLI): Add macOS binary signing using Apple Distribution certificate [SCD-129] #1002

bikmazefe wants to merge 6 commits into from

Conversation

@bikmazefe
Copy link
Member

@bikmazefe bikmazefe commented Jan 12, 2026
edited
Loading

Add macOS binary signing and notarization using Apple Distribution certificate.

@bikmazefe bikmazefe mentioned this pull request Jan 12, 2026
Closed
@bikmazefe bikmazefe marked this pull request as ready for review January 12, 2026 15:16
Copilot AI reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds macOS binary signing and notarization capabilities to the CLI release pipeline, addressing the need for distributing signed binaries through Apple's ecosystem.

Changes:

  • Implements a new bash script to automate certificate setup, binary signing, and Apple notarization
  • Refactors release.sh to remove manual GitHub release creation in favor of GitHub Actions workflows
  • Updates the release workflow to include a dedicated macOS signing job with artifact management

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
clients/cli/build/sign_and_notarize.sh New script handling certificate management, binary signing, and Apple notarization workflow
clients/cli/build/release.sh Removed manual GitHub release creation code, delegating to GitHub Actions
clients/cli/.github/workflows/release.yml Added permissions, artifact uploads, and new sign_and_notarize job orchestrating the signing pipeline

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jablan
Copy link
Collaborator

jablan commented Jan 13, 2026

@bikmazefe can this be tried with a branch push with some parts (publishing, releasing) commented out?

@bikmazefe
Copy link
Member Author

bikmazefe commented Jan 13, 2026

@bikmazefe can this be tried with a branch push with some parts (publishing, releasing) commented out?

@jablan Yeah, that's the best possible way I can also think of. I guess it wouldn't hurt having a draft release, right?

theSoenke
theSoenke reviewed Jan 14, 2026
View reviewed changes
@bikmazefe
Copy link
Member Author

bikmazefe commented Jan 15, 2026
edited
Loading

Tested and adjusted the workflow and the script as required, it's working now. See here
Screenshot 2026-01-15 at 16 21 27

Big thanks to @theSoenke for the help with the credentials!

@bikmazefe bikmazefe requested a review from theSoenke January 15, 2026 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jablan jablan Awaiting requested review from jablan

@forelabs forelabs Awaiting requested review from forelabs

@theSoenke theSoenke Awaiting requested review from theSoenke

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bikmazefe @jablan @theSoenke