Release: codesign standalone macOS fips-pad artifact

crisdosaygo · crisdosaygo · commit 7e851aa5938e · 2026-02-04T19:10:18.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -231,6 +231,12 @@ jobs:
           fi
           echo "Signing with: $IDENTITY"
 
+          # Sign the universal binary directly so the standalone artifact
+          # has a code signature as well (Developer ID when configured,
+          # ad-hoc signature otherwise).
+          codesign --force --timestamp --identifier "$MACOS_BUNDLE_ID" \
+            --options runtime --sign "$IDENTITY" "$BINARY"
+
           # Create .app bundle
           APP_DIR="$DIST/FIPSPad.app/Contents"
           mkdir -p "$APP_DIR/MacOS" "$APP_DIR/Resources"
@@ -451,7 +457,7 @@ jobs:
 
           Attached artifacts:
 
-          - `fips-pad` — Raw macOS universal CLI binary (unsigned installer wrapper not required).
+          - `fips-pad` — Raw macOS universal CLI binary (Developer ID signed when credentials are configured; ad-hoc signed otherwise).
           - `fipspad_darwin_universal.pkg` — macOS installer package (signed/notarized when credentials are configured).
           - `fipspad_linux_amd64` — Linux amd64 binary.
           - `fipspad_windows_amd64.exe` — Windows amd64 executable (signed when credentials are configured).
