feat: ad-hoc sign macOS binaries with rcodesign (#12)

rlespinasse · claude · web-flow · commit 681466804852 · 2026-03-09T01:54:26.000+01:00
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -53,6 +53,14 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Install rcodesign
+        if: inputs.dry_run || steps.check.outputs.match == 'true'
+        env:
+          RCODESIGN_VERSION: "0.27.0"
+        run: |
+          curl -fsSL "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-x86_64-unknown-linux-musl.tar.gz" \
+            | tar xz -C /usr/local/bin --strip-components=1 --wildcards '*/rcodesign'
+
       - name: Run GoReleaser
         if: inputs.dry_run || steps.check.outputs.match == 'true'
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,16 +1,35 @@
 version: 2
 
 builds:
-  - binary: ghat
+  - id: default
+    binary: ghat
     env:
       - CGO_ENABLED=0
     goos:
       - linux
-      - darwin
       - windows
     goarch:
       - amd64
       - arm64
+  - id: darwin
+    binary: ghat
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+
+signs:
+  - cmd: rcodesign
+    args:
+      - sign
+      - "${artifact}"
+    ids:
+      - darwin
+    artifacts: binary
+    output: false
 
 archives:
   - formats:
diff --git a/README.md b/README.md
@@ -10,6 +10,24 @@ A CLI toolbox for GitHub Actions utilities.
 brew install rlespinasse/tap/ghat
 ```
 
+#### macOS Gatekeeper notice
+
+On macOS, you may see a warning: _"Apple is not able to verify that it is free from malware that could harm your Mac or compromise your privacy."_
+
+This is because the binary is ad-hoc signed but not notarized by Apple.
+
+> [!NOTE]
+> Apple notarization requires a paid Apple Developer account ($99/year). It consists of an automated malware scan — not a manual security review or code audit — and does not guarantee the software is safe. Open-source projects can be verified by reviewing the source code and build pipeline directly.
+
+To allow it to run, either:
+
+- **Via System Settings (UI):** Go to **System Settings > Privacy & Security**, scroll down, and click **Open Anyway** next to the blocked app message.
+- **Via terminal:**
+
+  ```bash
+  xattr -d com.apple.quarantine $(which ghat)
+  ```
+
 ### From source
 
 ```bash
