Skip to content

Add macOS code signing and notarization for new compiler#8867

Draft
rtfeldman wants to merge 1 commit intomainfrom
codesign
Draft

Add macOS code signing and notarization for new compiler#8867
rtfeldman wants to merge 1 commit intomainfrom
codesign

Conversation

@rtfeldman
Copy link
Copy Markdown
Contributor

@rtfeldman rtfeldman commented Jan 1, 2026

Summary

Adds code signing and notarization to the nightly new compiler workflow for macOS builds. When users download the roc binary on macOS, it will run without Gatekeeper warnings.

  • Imports Developer ID certificate into a temporary CI keychain
  • Signs the binary with hardened runtime (-o runtime)
  • Submits to Apple's notarization service and waits for approval
  • Adds documentation for required GitHub secrets in ci/MACOS_CODE_SIGNING.md

Required Secrets

Before this works, these secrets need to be configured:

  • MACOS_CERTIFICATE - Base64-encoded .p12 Developer ID certificate
  • MACOS_CERTIFICATE_PWD - Password for the .p12 file
  • MACOS_CERTIFICATE_NAME - Certificate identity name
  • MACOS_CI_KEYCHAIN_PWD - Password for temp keychain
  • APPLE_NOTARIZATION_KEY_ID - App Store Connect API key ID
  • APPLE_NOTARIZATION_ISSUER - App Store Connect issuer UUID
  • APPLE_NOTARIZATION_KEY - Private key content (.p8)

Co-authored by Claude Opus 4.5

@rtfeldman @claude
Add macOS code signing and notarization for new compiler
6365556 
Sign and notarize the roc binary for macOS builds so users can
download and run it without Gatekeeper warnings.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Feb 1, 2026

Thank you for your contribution! Sometimes PRs end up staying open for a long time without activity, which can make the list of open PRs get long and time-consuming to review. To keep things manageable for reviewers, this bot automatically closes PRs that haven’t had activity in 60 days. This PR hasn’t had activity in 30 days, so it will be automatically closed if there is no more activity in the next 30 days. Keep in mind that PRs marked Closed are not deleted, so no matter what, the PR will still be right here in the repo. You can always access it and reopen it anytime you like!

@github-actions github-actions Bot closed this Mar 22, 2026
@lukewilliamboswell
Copy link
Copy Markdown
Collaborator

lukewilliamboswell commented Mar 22, 2026

We're gonna need this 😃

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 24, 2026

Thank you for your contribution! Sometimes PRs end up staying open for a long time without activity, which can make the list of open PRs get long and time-consuming to review. To keep things manageable for reviewers, this bot automatically closes PRs that haven’t had activity in 60 days. This PR hasn’t had activity in 30 days, so it will be automatically closed if there is no more activity in the next 30 days. Keep in mind that PRs marked Closed are not deleted, so no matter what, the PR will still be right here in the repo. You can always access it and reopen it anytime you like!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

inactive for 30 days

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rtfeldman @lukewilliamboswell