Skip to content

feat(release): sign macOS/Windows release binaries#233

Merged
oleg-flamingocx merged 4 commits into
mainfrom
feature/sign-openframe-cli-for-macos-windows
Jul 17, 2026
Merged

feat(release): sign macOS/Windows release binaries#233
oleg-flamingocx merged 4 commits into
mainfrom
feature/sign-openframe-cli-for-macos-windows

Conversation

@oleg-flamingocx

@oleg-flamingocx oleg-flamingocx commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Description

Mirror openframe-oss-tenant signing: Developer ID codesign + notarytool
for darwin, Azure Trusted Signing (jsign 7.5) for windows. Signing runs
in GoReleaser build hooks before archiving so archives, checksums.txt
and the cosign bundle cover signed binaries; release job moves to
macos-latest. No-op outside the release workflow (OPENFRAME_SIGN gate).

test(release): verify code signatures at unit and post-publish level

Unit tests (tests/scripts, wired into UNIT_PKGS) run sign-binary.sh with
PATH stubs recording argv: OPENFRAME_SIGN gate, per-OS dispatch, exact
codesign/notarytool/jsign flags, call ordering, fail-fast on missing env.
Post-publish release jobs download published assets on real Windows/macOS
runners: Get-AuthenticodeSignature (status + timestamp) and codesign
verify + Developer ID authority check with best-effort spctl notarization
assessment.

Task

https://app.clickup.com/t/9013925967/86ajj8q56

Summary by CodeRabbit

  • New Features
    • Release automation now signs and notarizes macOS binaries, and Authenticode-signs Windows binaries, with post-publish signature and timestamp verification.
  • Documentation
    • Added a release-signing guide covering the signing/notarization process, required secrets/config, and how to verify outputs.
  • Tests
    • Expanded unit-test scope and added coverage for the signing script, including gating, platform behavior, and failure cases.

Mirror openframe-oss-tenant signing: Developer ID codesign + notarytool
for darwin, Azure Trusted Signing (jsign 7.5) for windows. Signing runs
in GoReleaser build hooks before archiving so archives, checksums.txt
and the cosign bundle cover signed binaries; release job moves to
macos-latest. No-op outside the release workflow (OPENFRAME_SIGN gate).
Unit tests (tests/scripts, wired into UNIT_PKGS) run sign-binary.sh with
PATH stubs recording argv: OPENFRAME_SIGN gate, per-OS dispatch, exact
codesign/notarytool/jsign flags, call ordering, fail-fast on missing env.
Post-publish release jobs download published assets on real Windows/macOS
runners: Get-AuthenticodeSignature (status + timestamp) and codesign
verify + Developer ID authority check with best-effort spctl notarization
assessment.
@oleg-flamingocx oleg-flamingocx self-assigned this Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d84f8417-70d4-496d-a451-7a00d64f7947

📥 Commits

Reviewing files that changed from the base of the PR and between d1400bc and 775625d.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • docs/development/release-signing.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • docs/development/release-signing.md
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

Release builds now sign macOS and Windows binaries through a GoReleaser hook, configure macOS certificates, verify published signatures, and document the signing process. Tests cover signing behavior with stubbed external tools.

Changes

Release signing

Layer / File(s) Summary
Platform signing script and tests
scripts/sign-binary.sh, tests/scripts/sign_binary_test.go, Makefile
Adds gated macOS and Windows signing flows, Linux skipping behavior, notarization, timestamping, validation, and command-stub tests.
macOS signing environment
.github/steps/setup-macos-signing/action.yml
Creates and unlocks a temporary keychain, imports the Apple certificate, configures access, and exports signing variables.
Release workflow integration
.github/workflows/release.yml, .goreleaser.yml
Runs signing on macOS, installs verified jsign, passes signing credentials to GoReleaser, verifies artifacts, cleans up the keychain, and checks published signatures.
Release documentation and test scope
docs/development/release-signing.md, docs/development/README.md, .github/workflows/test.yml
Documents signing and verification procedures and updates the described unit-test scope.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseWorkflow
  participant MacOSSigningAction
  participant GoReleaser
  participant SignBinaryScript
  participant PlatformTools
  ReleaseWorkflow->>MacOSSigningAction: configure certificate and keychain
  MacOSSigningAction-->>ReleaseWorkflow: export signing identity and keychain path
  ReleaseWorkflow->>GoReleaser: run release with signing environment
  GoReleaser->>SignBinaryScript: pass OS, architecture, and binary path
  SignBinaryScript->>PlatformTools: sign and verify platform binary
  SignBinaryScript->>PlatformTools: notarize macOS binary or timestamp Windows signature
  ReleaseWorkflow->>PlatformTools: verify published signatures
Loading

Suggested reviewers: ivan-flamingo

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 13.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding signing for macOS and Windows release binaries.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/sign-openframe-cli-for-macos-windows

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 222-224: Add an `if: failure()` cleanup job after the signature
verification jobs, with `needs` covering both verification jobs, to delete the
failed release and its tag. Ensure it runs only when either verification job
fails and uses the release/tag identifiers established by the publication
workflow.
- Around line 243-256: Bind both platform signature checks to pinned identities:
in the PowerShell Authenticode validation around $sig, require the signer
subject or another pinned certificate identity to match the expected Azure
Trusted Signing publisher; in the macOS codesign validation, additionally
require TeamIdentifier to equal the expected Apple team ID while preserving the
existing signature and Developer ID checks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d997d729-581d-450e-9157-a0aee53cc7a1

📥 Commits

Reviewing files that changed from the base of the PR and between f8574e6 and d1400bc.

📒 Files selected for processing (9)
  • .github/steps/setup-macos-signing/action.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .goreleaser.yml
  • Makefile
  • docs/development/README.md
  • docs/development/release-signing.md
  • scripts/sign-binary.sh
  • tests/scripts/sign_binary_test.go

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml
…cation

Post-publish checks now require the actual publisher, not just any
trusted one: Authenticode subject must contain "Flamingo AI, Inc.",
codesign TeamIdentifier must be F7LDSU8JPJ (both extracted from signed
openframe-oss-tenant artifacts). A verification failure now triggers a
cleanup job that deletes the release and tag (gated on the release job
having succeeded, which handles its own rollback). Windows asset
download gets retries so a network blip can't yank a valid release.
@oleg-flamingocx
oleg-flamingocx enabled auto-merge (squash) July 17, 2026 13:55
@oleg-flamingocx
oleg-flamingocx merged commit 7418a7e into main Jul 17, 2026
9 checks passed
@oleg-flamingocx
oleg-flamingocx deleted the feature/sign-openframe-cli-for-macos-windows branch July 17, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants