feat(release): sign macOS/Windows release binaries#233
Conversation
Mirror openframe-oss-tenant signing: Developer ID codesign + notarytool for darwin, Azure Trusted Signing (jsign 7.5) for windows. Signing runs in GoReleaser build hooks before archiving so archives, checksums.txt and the cosign bundle cover signed binaries; release job moves to macos-latest. No-op outside the release workflow (OPENFRAME_SIGN gate).
Unit tests (tests/scripts, wired into UNIT_PKGS) run sign-binary.sh with PATH stubs recording argv: OPENFRAME_SIGN gate, per-OS dispatch, exact codesign/notarytool/jsign flags, call ordering, fail-fast on missing env. Post-publish release jobs download published assets on real Windows/macOS runners: Get-AuthenticodeSignature (status + timestamp) and codesign verify + Developer ID authority check with best-effort spctl notarization assessment.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughRelease builds now sign macOS and Windows binaries through a GoReleaser hook, configure macOS certificates, verify published signatures, and document the signing process. Tests cover signing behavior with stubbed external tools. ChangesRelease signing
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant ReleaseWorkflow
participant MacOSSigningAction
participant GoReleaser
participant SignBinaryScript
participant PlatformTools
ReleaseWorkflow->>MacOSSigningAction: configure certificate and keychain
MacOSSigningAction-->>ReleaseWorkflow: export signing identity and keychain path
ReleaseWorkflow->>GoReleaser: run release with signing environment
GoReleaser->>SignBinaryScript: pass OS, architecture, and binary path
SignBinaryScript->>PlatformTools: sign and verify platform binary
SignBinaryScript->>PlatformTools: notarize macOS binary or timestamp Windows signature
ReleaseWorkflow->>PlatformTools: verify published signatures
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 222-224: Add an `if: failure()` cleanup job after the signature
verification jobs, with `needs` covering both verification jobs, to delete the
failed release and its tag. Ensure it runs only when either verification job
fails and uses the release/tag identifiers established by the publication
workflow.
- Around line 243-256: Bind both platform signature checks to pinned identities:
in the PowerShell Authenticode validation around $sig, require the signer
subject or another pinned certificate identity to match the expected Azure
Trusted Signing publisher; in the macOS codesign validation, additionally
require TeamIdentifier to equal the expected Apple team ID while preserving the
existing signature and Developer ID checks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: d997d729-581d-450e-9157-a0aee53cc7a1
📒 Files selected for processing (9)
.github/steps/setup-macos-signing/action.yml.github/workflows/release.yml.github/workflows/test.yml.goreleaser.ymlMakefiledocs/development/README.mddocs/development/release-signing.mdscripts/sign-binary.shtests/scripts/sign_binary_test.go
…cation Post-publish checks now require the actual publisher, not just any trusted one: Authenticode subject must contain "Flamingo AI, Inc.", codesign TeamIdentifier must be F7LDSU8JPJ (both extracted from signed openframe-oss-tenant artifacts). A verification failure now triggers a cleanup job that deletes the release and tag (gated on the release job having succeeded, which handles its own rollback). Windows asset download gets retries so a network blip can't yank a valid release.
Description
Mirror openframe-oss-tenant signing: Developer ID codesign + notarytool
for darwin, Azure Trusted Signing (jsign 7.5) for windows. Signing runs
in GoReleaser build hooks before archiving so archives, checksums.txt
and the cosign bundle cover signed binaries; release job moves to
macos-latest. No-op outside the release workflow (OPENFRAME_SIGN gate).
test(release): verify code signatures at unit and post-publish level
Task
https://app.clickup.com/t/9013925967/86ajj8q56
Summary by CodeRabbit