Sign and notarize the release DMG#17
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
📝 WalkthroughWalkthroughThe macOS release workflow notarizes and validates the application bundle, then creates, signs, notarizes, staples, and verifies the final DMG. ChangesDMG notarization
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant hdiutil
participant AppleNotarytool
participant Stapler
participant spctl
GitHubActions->>hdiutil: Create DMG from Distribution/Insomnia.app
GitHubActions->>GitHubActions: Sign DMG with codesign
GitHubActions->>AppleNotarytool: Submit DMG with --wait
GitHubActions->>Stapler: Staple and validate notarization ticket
GitHubActions->>hdiutil: Verify DMG
GitHubActions->>spctl: Assess DMG open context
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
@codex review |
There was a problem hiding this comment.
Pull request overview
Updates the macOS release workflow to produce a signed, notarized DMG as the final distributable artifact (instead of notarizing an intermediate ZIP and uploading an unsigned DMG), improving Gatekeeper verification for downloaded releases.
Changes:
- Combine DMG creation, DMG signing, notarization submission, stapling, and validation into a single workflow step.
- Ensure the uploaded DMG is Developer ID–signed and has a stapled notarization ticket.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f2f5a820f1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
Codex Review: Didn't find any major issues. Hooray! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
Why
The release workflow notarized a temporary app ZIP, then created and uploaded an unsigned DMG. The downloadable artifact should carry its own Developer ID signature and stapled notarization ticket.
User impact
Downloaded releases have a verifiable final distribution container, reducing Gatekeeper failures on current macOS versions.
Validation
actionlint .github/workflows/build.ymlgit diff --checkSummary by CodeRabbit