Sign and notarize macOS builds; bump to 0.2.1

The desktop app is now signed and notarized via tauri-action.
The CLI binary is signed with hardened runtime and notarized via
notarytool (no stapling — bare binaries can't carry tickets, so
Gatekeeper does an online check on first launch).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikkeldamsgaard

.github/workflows/release.yml

@@ -62,6 +62,53 @@ jobs:
         if: runner.os == 'Windows'
         run: cp target/${{ matrix.target }}/release/ralph.exe ${{ matrix.artifact }}.exe
 
+      - name: Sign and notarize (macOS)
+        if: runner.os == 'macOS'
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          ARTIFACT: ${{ matrix.artifact }}
+        run: |
+          set -euo pipefail
+
+          # Create a temporary keychain and import the signing certificate
+          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
+          KEYCHAIN_PASSWORD=$(uuidgen)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          CERT_PATH="$RUNNER_TEMP/cert.p12"
+          echo "$APPLE_CERTIFICATE" | base64 --decode > "$CERT_PATH"
+          security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+
+          # Sign the binary with hardened runtime and a secure timestamp
+          codesign --force --options runtime --timestamp \
+            --sign "$APPLE_SIGNING_IDENTITY" "$ARTIFACT"
+          codesign --verify --verbose "$ARTIFACT"
+
+          # Notarize: zip, submit, wait. Bare binaries can't be stapled, so
+          # Gatekeeper does an online check on first run instead.
+          API_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
+          echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$API_KEY_PATH"
+          ZIP_PATH="$RUNNER_TEMP/$ARTIFACT.zip"
+          /usr/bin/ditto -c -k --keepParent "$ARTIFACT" "$ZIP_PATH"
+          xcrun notarytool submit "$ZIP_PATH" \
+            --key "$API_KEY_PATH" \
+            --key-id "$APPLE_API_KEY" \
+            --issuer "$APPLE_API_ISSUER" \
+            --wait
+
+          # Cleanup
+          security delete-keychain "$KEYCHAIN_PATH"
+          rm -f "$CERT_PATH" "$API_KEY_PATH" "$ZIP_PATH"
+
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -106,9 +153,25 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
 
+      - name: Write App Store Connect API key (macOS)
+        if: runner.os == 'macOS'
+        env:
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+        run: |
+          mkdir -p ~/private_keys
+          echo "$APPLE_API_KEY_BASE64" | base64 --decode > ~/private_keys/AuthKey.p8
+          echo "APPLE_API_KEY_PATH=$HOME/private_keys/AuthKey.p8" >> $GITHUB_ENV
+
       - name: Build Tauri app
         id: tauri
         uses: tauri-apps/tauri-action@v0
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
         with:
           args: --target ${{ matrix.target }}
           includeUpdaterJson: false
@@ -144,9 +207,8 @@ jobs:
           name: v${{ steps.version.outputs.version }}
           generate_release_notes: true
           body: |
-            ## macOS CLI notice
-            macOS may block the CLI binary with a Gatekeeper warning. To fix, run:
-            ```
-            xattr -d com.apple.quarantine <path-to-binary>
-            ```
+            ## macOS notes
+            The desktop app (`.dmg`) and CLI binaries are signed and notarized
+            with a Developer ID. macOS will check Apple's notary service
+            online on first launch — no manual `xattr` workaround needed.
           files: artifacts/**/*

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-cli"
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 
 [[bin]]

crates/ralph-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-core"
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 
 [dependencies]

crates/ralph-core/Cargo.toml

@@ -1,7 +1,7 @@
 {
   "name": "ralph-desktop",
   "private": true,
-  "version": "0.2.0",
+  "version": "0.2.1",
   "type": "module",
   "scripts": {
     "dev": "vite",

package.json

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-desktop"
-version = "0.2.0"
+version = "0.2.1"
 description = "Ralph - Autonomous Coding Loop GUI"
 authors = ["you"]
 edition = "2021"

src-tauri/Cargo.toml

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "ralph-desktop",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "identifier": "com.mikkeldamsgaard.ralph-desktop",
   "build": {
     "beforeDevCommand": "npm run dev",