
Commit 1cc2ea1

committed
feat: add Apple code signing and notarization to macOS CI
Import Developer ID certificate from secrets, sign all binaries with hardened runtime + timestamp, and submit the archive to Apple notarytool for notarization. Cleans up temporary keychain on completion. Made-with: Cursor
1 parent 7c01058 commit 1cc2ea1

1 file changed

Lines changed: 57 additions & 0 deletions


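--- a/.github/workflows/build-turboquant-macos.yml
+++ b/.github/workflows/build-turboquant-macos.yml
@@ -41,6 +41,33 @@ jobs:
 echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
 echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
 
+- name: Import code signing certificate
+env:
+MACOS_CERTIFICATE_P12: ${{ secrets.MACOS_CERTIFICATE_P12 }}
+MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+run: |
+CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+echo -n "$MACOS_CERTIFICATE_P12" | base64 --decode -o $CERTIFICATE_PATH
+
+security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PASSWORD" \
+-A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+security set-key-partition-list -S apple-tool:,apple: \
+-k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+security list-keychain -d user -s $KEYCHAIN_PATH
+
+echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
+
+IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | head -1 | grep -o '".*"' | tr -d '"')
+echo "CODESIGN_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
+echo "Signing identity: $IDENTITY"
+
 - name: Build
 id: cmake_build
 run: |
@@ -81,6 +108,17 @@ jobs:
 echo "=== Binary size ==="
 ls -lh build/bin/llama-server
 
+- name: Sign binaries
+run: |
+for bin in build/bin/llama-server build/bin/llama-cli build/bin/llama-bench build/bin/llama-perplexity; do
+if [ -f "$bin" ]; then
+echo "Signing $bin ..."
+codesign --force --options runtime --timestamp \
+--sign "$CODESIGN_IDENTITY" "$bin"
+codesign --verify --verbose "$bin"
+fi
+done
+
 - name: Prepare release archive
 run: |
 mkdir -p release/build/bin
@@ -95,6 +133,25 @@ jobs:
 cd ..
 ls -lh llama-turboquant-macos-arm64.tar.gz
 
+- name: Notarize release archive
+env:
+APPLE_ID: ${{ secrets.APPLE_ID }}
+APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+run: |
+echo "Submitting for notarization..."
+xcrun notarytool submit llama-turboquant-macos-arm64.tar.gz \
+--apple-id "$APPLE_ID" \
+--password "$APPLE_ID_PASSWORD" \
+--team-id "$APPLE_TEAM_ID" \
+--wait --timeout 10m
+echo "Notarization complete"
+
+- name: Clean up keychain
+if: always()
+run: |
+security delete-keychain $KEYCHAIN_PATH 2>/dev/null || true
+
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with: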
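Review bot: The Notarize step (third hunk, new lines 143–147) hands `xcrun notarytool submit` the `.tar.gz`, but notarytool's documented input formats are zip, dmg and pkg, so this submission is likely to be rejected as an unsupported file type; package the signed binaries as a zip for submission, e.g. `ditto -c -k --keepParent release notarize.zip` followed by `xcrun notarytool submit notarize.zip ...`, and keep the tar.gz as the published artifact. Also consider checking the `--wait` outcome explicitly, because depending on the Xcode version an `Invalid` status is not guaranteed to fail the step — e.g. pipe the output through `tee notary.log` and follow with `grep -q 'status: Accepted' notary.log`. In the import step (first hunk, new line 67), `IDENTITY` is taken from `head -1` with no check that it is non-empty, so a missing or non-codesigning certificate only surfaces later as an opaque codesign failure; add `[ -n "$IDENTITY" ] || { echo "No codesigning identity found in $KEYCHAIN_PATH" >&2; exit 1; }` after that line. The cleanup step (third hunk, new line 153) deletes the keychain but leaves the decoded `build_certificate.p12` in `$RUNNER_TEMP`; adding `rm -f "$RUNNER_TEMP/build_certificate.p12"` there matters if self-hosted runners are ever used for this job.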
