Skip to content

Sign and notarize the release DMG#17

Merged
GordonBeeming merged 2 commits into
mainfrom
gb/sign-notarize-dmg
Jul 15, 2026
Merged

Sign and notarize the release DMG#17
GordonBeeming merged 2 commits into
mainfrom
gb/sign-notarize-dmg

Conversation

@GordonBeeming

@GordonBeeming GordonBeeming commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Summary

  • create the release DMG from the signed application before notarization
  • sign and verify the DMG with the Developer ID certificate
  • notarize, staple, validate, and Gatekeeper-assess the final DMG before upload

Why

The release workflow notarized a temporary app ZIP, then created and uploaded an unsigned DMG. The downloadable artifact should carry its own Developer ID signature and stapled notarization ticket.

User impact

Downloaded releases have a verifiable final distribution container, reducing Gatekeeper failures on current macOS versions.

Validation

  • actionlint .github/workflows/build.yml
  • git diff --check

Summary by CodeRabbit

  • Bug Fixes
    • Improved macOS release notarization by applying Apple notarization directly to the final DMG (not just the signed app).
    • Added additional DMG notarization ticket stapling plus verification and security assessment checks to help ensure successful opening and compliance on macOS.

Copilot AI review requested due to automatic review settings July 15, 2026 10:17
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The macOS release workflow notarizes and validates the application bundle, then creates, signs, notarizes, staples, and verifies the final DMG.

Changes

DMG notarization

Layer / File(s) Summary
Application notarization
.github/workflows/build.yml
The workflow submits a temporary application archive to Apple notarization, staples the ticket, and validates the application.
DMG creation and notarization
.github/workflows/build.yml
The workflow creates and signs the DMG, submits it to Apple notarization, staples and validates the ticket, then runs hdiutil verify and spctl assessment checks.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant hdiutil
  participant AppleNotarytool
  participant Stapler
  participant spctl
  GitHubActions->>hdiutil: Create DMG from Distribution/Insomnia.app
  GitHubActions->>GitHubActions: Sign DMG with codesign
  GitHubActions->>AppleNotarytool: Submit DMG with --wait
  GitHubActions->>Stapler: Staple and validate notarization ticket
  GitHubActions->>hdiutil: Verify DMG
  GitHubActions->>spctl: Assess DMG open context
Loading

Suggested reviewers: copilot

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: signing and notarizing the release DMG.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch gb/sign-notarize-dmg

Comment @coderabbitai help to get the list of available commands.

@GordonBeeming

Copy link
Copy Markdown
Owner Author

@codex review

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the macOS release workflow to produce a signed, notarized DMG as the final distributable artifact (instead of notarizing an intermediate ZIP and uploading an unsigned DMG), improving Gatekeeper verification for downloaded releases.

Changes:

  • Combine DMG creation, DMG signing, notarization submission, stapling, and validation into a single workflow step.
  • Ensure the uploaded DMG is Developer ID–signed and has a stapled notarization ticket.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/build.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f2f5a820f1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/build.yml
Copilot AI review requested due to automatic review settings July 15, 2026 10:24
@GordonBeeming

Copy link
Copy Markdown
Owner Author

@codex review

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Hooray!

Reviewed commit: 801249507f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@GordonBeeming
GordonBeeming merged commit 36da7ce into main Jul 15, 2026
6 checks passed
@GordonBeeming
GordonBeeming deleted the gb/sign-notarize-dmg branch July 15, 2026 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants