
Add code signing, notarization, and release workflow #86

Merged
dhilgaertner merged 1 commit into main from feature/crow-60-code-signing on Apr 6, 2026

Conversation

@dhilgaertner (Contributor) commented Apr 5, 2026

Summary

  • Add Crow.entitlements with hardened runtime entitlements (allow-unsigned-executable-memory, disable-library-validation, allow-jit) — no App Sandbox since the app spawns arbitrary dev tools
  • Add scripts/sign-and-notarize.sh for codesign → DMG creation → notarization → stapling pipeline
  • Add .github/workflows/release.yml triggered on v* tags (builds GhosttyKit, bundles app, signs, notarizes, publishes DMG + CLI to GitHub Releases)
  • Update scripts/bundle.sh and scripts/generate-build-info.sh with dynamic versioning from CROW_VERSION env var / git tags
  • Add sign target to Makefile and mise.toml
  • Document release process in README and CONTRIBUTING

Required GitHub Secrets

| Secret | Purpose |
|---|---|
| DEVELOPER_CERTIFICATE_BASE64 | Base64-encoded .p12 certificate |
| DEVELOPER_CERTIFICATE_PASSWORD | .p12 password |
| DEVELOPER_ID_APPLICATION | Signing identity string |
| APPLE_ID | Apple ID for notarization |
| APPLE_APP_SPECIFIC_PASSWORD | App-specific password for notarization |
| APPLE_TEAM_ID | Apple Developer Team ID |

Test plan

  • make build still works without signing setup (regression)
  • make release produces unsigned but functional Crow.app
  • Ad-hoc sign with codesign --sign - --entitlements Crow.entitlements --options runtime --force --deep Crow.app succeeds
  • codesign --verify --deep --strict --verbose=2 Crow.app passes
  • App launches normally after ad-hoc signing
  • Push a v*-rc.* tag to test the release workflow end-to-end once secrets are configured

Closes #60

🤖 Generated with Claude Code
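An added worked example of the codesign → DMG → notarization → stapling pipeline the summary describes. It is the editor's code, not the project's scripts/sign-and-notarize.sh or release.yml, and it makes several assumptions: the six secrets in the table above are exported as environment variables; Crow.app and Crow.entitlements sit in the working directory; the only nested code is under Contents/Frameworks; and the version is resolved from an argument, then CROW_VERSION, then the exact git tag, with a strict semver check (that order and the check are the editor's choice, not the project's). The keychain-import steps follow GitHub's documented recipe for Apple certificates on macOS runners; the verification commands are the standard codesign, stapler and spctl checks.

```shell
#!/bin/sh
# Added example (editor's code, not the project's scripts/sign-and-notarize.sh):
# codesign -> DMG -> notarytool -> stapler -> spctl for a Developer ID build.
# Assumed: the PR's six secrets are exported as environment variables, and
# Crow.app plus Crow.entitlements are in the working directory.
set -eu

# Version: argument, else CROW_VERSION, else the exact git tag (assumed order).
# The leading "v" is stripped and the result must be semver, so a crafted tag
# cannot smuggle shell metacharacters into the DMG name or release commands.
crow_version() {
  v="${1:-${CROW_VERSION:-}}"
  [ -n "$v" ] || v=$(git describe --tags --exact-match 2>/dev/null || true)
  v="${v#v}"
  printf '%s' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$' || return 1
  printf '%s\n' "$v"
}

# A hyphenated suffix ("1.2.3-rc.1") marks a pre-release, e.g. the v*-rc.* tags
# the test plan uses for end-to-end runs.
is_prerelease() { case "$1" in *-*) return 0 ;; *) return 1 ;; esac; }

# CI only: decode the .p12 into a throwaway keychain so the runner's login
# keychain never holds the signing key (GitHub's documented recipe).
import_signing_cert() {
  tmp="${RUNNER_TEMP:-/tmp}"; kc="$tmp/signing.keychain-db"; p12="$tmp/cert.p12"
  kc_pass=$(openssl rand -hex 16)
  printf '%s' "$DEVELOPER_CERTIFICATE_BASE64" | base64 --decode > "$p12"
  security create-keychain -p "$kc_pass" "$kc"
  security unlock-keychain -p "$kc_pass" "$kc"
  security import "$p12" -P "$DEVELOPER_CERTIFICATE_PASSWORD" \
    -A -t cert -f pkcs12 -k "$kc"
  security set-key-partition-list -S apple-tool:,apple: -k "$kc_pass" "$kc"
  security list-keychain -d user -s "$kc"
  rm -f "$p12"
}

# Sign nested frameworks first, then the bundle with the hardened runtime and
# the entitlements. Apple recommends signing nested code individually rather
# than with --deep, which would also apply the outer entitlements to every
# nested binary; --deep is kept only for the verification pass.
sign_app() {
  app="$1"; ents="$2"; ident="$3"
  for fw in "$app"/Contents/Frameworks/*; do
    [ -e "$fw" ] || continue
    codesign --force --timestamp --options runtime --sign "$ident" "$fw"
  done
  codesign --force --timestamp --options runtime \
    --entitlements "$ents" --sign "$ident" "$app"
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Compressed read-only image, itself signed so the download is attributable.
make_dmg() {
  app="$1"; dmg="$2"; ident="$3"
  rm -f "$dmg"
  hdiutil create -volname Crow -srcfolder "$app" -ov -format UDZO "$dmg"
  codesign --force --timestamp --sign "$ident" "$dmg"
}

# notarytool prints the final status with --wait; anything but Accepted is a
# failure, and the log names the file and reason Gatekeeper would reject.
notarize_and_staple() {
  dmg="$1"
  out=$(xcrun notarytool submit "$dmg" --apple-id "$APPLE_ID" \
    --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait) || true
  printf '%s\n' "$out"
  if ! printf '%s' "$out" | grep -q 'status: Accepted'; then
    sub=$(printf '%s' "$out" | sed -n 's/^ *id: //p' | head -n 1)
    xcrun notarytool log "$sub" --apple-id "$APPLE_ID" \
      --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"
    return 1
  fi
  xcrun stapler staple "$dmg"
  xcrun stapler validate "$dmg"
  # Gatekeeper's own verdict on the disk image, as a user's Mac would give it.
  spctl --assess --type open --context context:primary-signature -v "$dmg"
}

main() {
  version=$(crow_version "${1:-}")
  dmg="Crow-$version.dmg"
  if [ -n "${CI:-}" ]; then import_signing_cert; fi
  sign_app Crow.app Crow.entitlements "$DEVELOPER_ID_APPLICATION"
  make_dmg Crow.app "$dmg" "$DEVELOPER_ID_APPLICATION"
  notarize_and_staple "$dmg"
  if is_prerelease "$version"; then echo "pre-release: $dmg"; else echo "release: $dmg"; fi
}

# Only run the pipeline when asked; sourcing the file just defines the functions.
case "${1:-}" in --run) shift; main "$@" ;; esac
```

Run it as `sh sign-and-notarize-example.sh --run v1.2.3`; without `--run` it only defines the functions, so it can be sourced and exercised without Apple tooling. Two checks are worth keeping even if the rest is replaced: the semver gate on the version, which keeps a crafted tag out of the DMG filename and any release command built from it, and the spctl assessment after stapling, which is the closest local approximation of what Gatekeeper will do on a user's machine. Note also that the hardened-runtime entitlements listed in the summary are the broad ones: disable-library-validation lets the process load code signed by any team, and allow-unsigned-executable-memory is wider than allow-jit, which covers the MAP_JIT case; notarization accepts both, but each one is a protection given up.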

Sign and notarize the Crow app for macOS distribution so users can
install without Gatekeeper warnings. Adds entitlements for hardened
runtime (no sandbox — required for spawning arbitrary dev tools),
a signing/notarization script, DMG creation, dynamic versioning
from git tags, and a GitHub Actions release workflow triggered on
v* tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dhilgaertner dhilgaertner force-pushed the feature/crow-60-code-signing branch from f6eb4bb to f200116 on April 5, 2026 23:24
@dhilgaertner dhilgaertner requested a review from dgershman as a code owner April 5, 2026 23:24
@dhilgaertner dhilgaertner merged commit 6a878fb into main Apr 6, 2026
2 checks passed
@dhilgaertner dhilgaertner deleted the feature/crow-60-code-signing branch April 6, 2026 00:24


Development

Successfully merging this pull request may close these issues:

  • Code signing and notarization for macOS distribution