Apple Code Signing for macOS Binaries in CI/CD Pipeline

[kyasbal]

Description

Currently, the macOS binaries generated and deployed by our CI/CD pipeline are neither code-signed nor notarized. On modern macOS versions, executables downloaded from the internet must be both signed with a valid Apple Developer certificate and notarized by Apple's notary service to run. Without these, macOS prevents users from opening the application, citing that the developer cannot be verified or that the software may be malicious.

To ensure a seamless and secure user experience, we need to integrate both Apple code signing and the Notarization process into our release pipeline.

Current Behavior

• Binaries for macOS are built via GitHub Actions using the make build-go-binaries command.
• These binaries are uploaded to GitHub Release drafts without digital signatures or Apple notarization.
• Users encounter macOS Gatekeeper security blocks upon attempting to run the downloaded binaries.

Expected Behavior

• macOS binaries are digitally signed during the CI/CD process.
• Signed binaries are submitted to Apple's Notarization service and "stapled" with the notarization ticket.
• Users can run the binaries on macOS without security warnings or manual intervention.

Environment

• CI/CD Platform: GitHub Actions
• Build System: Makefile-based
• Target OS: macOS (Darwin)

Implementation Suggestions

• Update the release.yaml workflow to include signing and notarization steps:

1. Import the Apple Developer Certificate (p12) using apple-actions/import-codesign-certs.
2. Sign the binaries using the codesign command-line tool.
3. Submit the signed binaries for notarization using gon or Apple's notarytool.
4. Staple the notarization ticket to the binaries/artifacts.

• Securely manage necessary credentials (Certificate, Password, App-Specific Password, and Team ID) using GitHub Secrets.