4141 echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
4242 echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
4343
44+ - name : Import code signing certificate
45+ env :
46+ MACOS_CERTIFICATE_P12 : ${{ secrets.MACOS_CERTIFICATE_P12 }}
47+ MACOS_CERTIFICATE_PASSWORD : ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
48+ KEYCHAIN_PASSWORD : ${{ secrets.KEYCHAIN_PASSWORD }}
49+ run : |
50+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
51+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
52+
53+ echo -n "$MACOS_CERTIFICATE_P12" | base64 --decode -o $CERTIFICATE_PATH
54+
55+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
56+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
57+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
58+
59+ security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PASSWORD" \
60+ -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
61+ security set-key-partition-list -S apple-tool:,apple: \
62+ -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
63+ security list-keychain -d user -s $KEYCHAIN_PATH
64+
65+ echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
66+
67+ IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | head -1 | grep -o '".*"' | tr -d '"')
68+ echo "CODESIGN_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
69+ echo "Signing identity: $IDENTITY"
70+
4471 - name : Build
4572 id : cmake_build
4673 run : |
@@ -81,6 +108,17 @@ jobs:
81108 echo "=== Binary size ==="
82109 ls -lh build/bin/llama-server
83110
111+ - name : Sign binaries
112+ run : |
113+ for bin in build/bin/llama-server build/bin/llama-cli build/bin/llama-bench build/bin/llama-perplexity; do
114+ if [ -f "$bin" ]; then
115+ echo "Signing $bin ..."
116+ codesign --force --options runtime --timestamp \
117+ --sign "$CODESIGN_IDENTITY" "$bin"
118+ codesign --verify --verbose "$bin"
119+ fi
120+ done
121+
84122 - name : Prepare release archive
85123 run : |
86124 mkdir -p release/build/bin
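Review bot: The loop at lines 113-120 skips any path that fails `[ -f "$bin" ]` without reporting it, so a renamed or unbuilt binary can be packaged unsigned while the step still passes. Add an `else` branch such as `echo "::error::missing $bin"; exit 1`, or count the signed files and fail on zero if some of the four are meant to be optional. `CODESIGN_IDENTITY` can also be empty, because the lookup pipeline at line 67 ends in `tr` and does not fail when no identity is found; a guard like `: "${CODESIGN_IDENTITY:?no signing identity found}"` before the loop makes that failure explicit. The import at lines 59-60 passes `-A`, which lets any application use the private key without prompting; since only codesign is used here, `-T /usr/bin/codesign` is the narrower grant. `codesign --verify --strict --verbose=2 "$bin"` would be a tighter check than the current verify call.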
@@ -95,6 +133,25 @@ jobs:
95133 cd ..
96134 ls -lh llama-turboquant-macos-arm64.tar.gz
97135
136+ - name : Notarize release archive
137+ env :
138+ APPLE_ID : ${{ secrets.APPLE_ID }}
139+ APPLE_ID_PASSWORD : ${{ secrets.APPLE_ID_PASSWORD }}
140+ APPLE_TEAM_ID : ${{ secrets.APPLE_TEAM_ID }}
141+ run : |
142+ echo "Submitting for notarization..."
143+ xcrun notarytool submit llama-turboquant-macos-arm64.tar.gz \
144+ --apple-id "$APPLE_ID" \
145+ --password "$APPLE_ID_PASSWORD" \
146+ --team-id "$APPLE_TEAM_ID" \
147+ --wait --timeout 10m
148+ echo "Notarization complete"
149+
150+ - name : Clean up keychain
151+ if : always()
152+ run : |
153+ security delete-keychain $KEYCHAIN_PATH 2>/dev/null || true
154+
98155 - name : Upload artifact
99156 uses : actions/upload-artifact@v4
100157 with :
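Review bot: The `xcrun notarytool submit` call at line 143 uploads `llama-turboquant-macos-arm64.tar.gz`, but as far as I know notarytool accepts only zip, pkg or dmg, so this step would likely reject the archive. Submit a zip of the signed binaries made with `ditto -c -k` instead, or confirm that tar.gz is accepted by the Xcode version on the runner. `echo "Notarization complete"` at line 148 prints without looking at the returned status, so it is worth checking the output for `status: Accepted` before the upload step runs. Passing `--password "$APPLE_ID_PASSWORD"` as an argument makes it readable in the runner's process listing; `--keychain-profile` or an App Store Connect API key (`--key`, `--key-id`, `--issuer`) avoids that. The clean-up step at lines 150-153 deletes only the keychain and leaves the decoded `build_certificate.p12` in `$RUNNER_TEMP` and the keychain search list replaced at line 63, which matters on a self-hosted runner; `rm -f "$RUNNER_TEMP/build_certificate.p12"` right after the import would also keep the file out of reach of the build step.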