
Add code signing and notarization for macOS app#1769

Merged: mkrnr merged 11 commits into main from notarize-macos-app on Oct 6, 2025

Conversation

mkrnr (Contributor) commented Sep 22, 2025

Summary of changes

Add code signing and notarization for macOS app.

Code signing and notarization can be enabled via environment variable (MACOS_NOTARIZE_ENABLED=1) and will require a number of other environment variables as well, including the certificates.

Opening the app installed with the .dmg file from this run looks like this:
[screenshot]

In this run, the notarization steps were skipped which is the behavior when not pushing to main, maintenance, or a v* tag.

The tests were performed on the main environment but it's now changed to production to avoid confusion. After the PR is merged, I will delete the main environment.

Closes #1667

Pull Request Checklist

  • Changes have tests
  • News fragment added in news.d. See documentation for details

@mkrnr mkrnr marked this pull request as ready for review September 22, 2025 19:20
@mkrnr mkrnr requested a review from a team September 22, 2025 19:20
dnaq commented Sep 22, 2025

I think it might be prudent to separate the different jobs into different workflow files, and only have the release jobs run triggered on changes to the main branch. This would protect somewhat against malicious pull requests leaking the contents of the macOS dev certificate/private key (e.g. if there were to be an injection point in one of the CI jobs).

mkrnr (Contributor, Author) commented Sep 22, 2025

Very good point! I was thinking that the PR action runs need approval but we shouldn't rely on that alone. I'll check how to best restrict the signing and notarization to main.

dnaq commented Sep 22, 2025

Might be easiest to create a release environment (https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments), only allow that environment to run on the main branch, and move the secrets there.

mkrnr (Contributor, Author) commented Sep 22, 2025

Very good input! That's what I did. We already have a release environment and I'd keep that for actual tagged releases. So I added a dev and a main environment. The main environment is protected of course.

mkrnr (Contributor, Author) commented Sep 22, 2025

Since I'm not a fan of deploying to a dev environment all the time, I'll extract the signing and notarizing into a separate job that only runs on main, maintenance/*, and tagged refs. I'll also rename the main environment to prevent confusion, maybe to prod.
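One way to lay out the separate, ref-gated signing job that this thread settles on, as an added illustration that is not the project's actual workflow. The job names, secret names, build script path and the use of a `vars` configuration variable for `MACOS_NOTARIZE_ENABLED` are assumptions; the environment name `production` and the gating refs follow the discussion above.

```yaml
name: Build and notarize macOS app

on:
  pull_request:
  push:
    branches: [main, "maintenance/**"]
    tags: ["v*"]

jobs:
  build:
    # Runs for every PR and push; this job never receives signing secrets.
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build unsigned .dmg
        run: ./scripts/build-dmg.sh   # hypothetical build script
      - uses: actions/upload-artifact@v4
        with:
          name: unsigned-dmg
          path: dist/*.dmg

  notarize:
    # Separate job gated to trusted refs only. The protected "production"
    # environment holds the certificate and Apple credentials, so a
    # pull_request run (even an approved one) never sees them.
    needs: build
    if: >-
      github.event_name == 'push' && (
        github.ref == 'refs/heads/main' ||
        startsWith(github.ref, 'refs/heads/maintenance/') ||
        startsWith(github.ref, 'refs/tags/v'))
    environment: production
    runs-on: macos-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: unsigned-dmg
          path: dist
      - name: Sign and notarize
        if: vars.MACOS_NOTARIZE_ENABLED == '1'   # assumed configuration variable
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}              # assumed secret names
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
        run: |
          codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" dist/*.dmg
          xcrun notarytool submit dist/*.dmg --wait --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PASSWORD"
          xcrun stapler staple dist/*.dmg
```

Importing the certificate into a temporary keychain before `codesign` is left out here; the point of the layout is that the secrets are only reachable from a job whose `if` condition and environment protection rules both exclude pull-request runs.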

@mkrnr mkrnr marked this pull request as draft September 23, 2025 04:21
@mkrnr mkrnr marked this pull request as ready for review September 26, 2025 06:38
@mkrnr mkrnr merged commit 502c0a4 into main Oct 6, 2025
18 checks passed
@mkrnr mkrnr deleted the notarize-macos-app branch October 6, 2025 18:58


Linked issue closed by this pull request: "Please, sign macos app"
