Make notarization resilient to transient network errors

notarytool --wait hangs indefinitely on transient HTTPS errors when
polling Apple's notary service (observed as NSURLErrorDomain -1009 in
CI). Replace it with scripts/notarize.sh which submits without --wait,
then polls notarytool info in a retry loop that tolerates network
blips. Also disable tauri-action's built-in notarization (which uses
--wait internally) and notarize/staple the .dmg manually after.

Bump to 0.2.2.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikkeldamsgaard

.github/workflows/release.yml

@@ -93,21 +93,18 @@ jobs:
             --sign "$APPLE_SIGNING_IDENTITY" "$ARTIFACT"
           codesign --verify --verbose "$ARTIFACT"
 
-          # Notarize: zip, submit, wait. Bare binaries can't be stapled, so
-          # Gatekeeper does an online check on first run instead.
-          API_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
-          echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$API_KEY_PATH"
+          # Notarize: zip the binary and submit to the notary service.
+          # Bare binaries can't be stapled, so Gatekeeper does an online check
+          # on first run instead.
+          export APPLE_API_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
+          echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$APPLE_API_KEY_PATH"
           ZIP_PATH="$RUNNER_TEMP/$ARTIFACT.zip"
           /usr/bin/ditto -c -k --keepParent "$ARTIFACT" "$ZIP_PATH"
-          xcrun notarytool submit "$ZIP_PATH" \
-            --key "$API_KEY_PATH" \
-            --key-id "$APPLE_API_KEY" \
-            --issuer "$APPLE_API_ISSUER" \
-            --wait
+          ./scripts/notarize.sh "$ZIP_PATH"
 
           # Cleanup
           security delete-keychain "$KEYCHAIN_PATH"
-          rm -f "$CERT_PATH" "$API_KEY_PATH" "$ZIP_PATH"
+          rm -f "$CERT_PATH" "$APPLE_API_KEY_PATH" "$ZIP_PATH"
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -153,29 +150,40 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
 
-      - name: Write App Store Connect API key (macOS)
-        if: runner.os == 'macOS'
-        env:
-          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
-        run: |
-          mkdir -p ~/private_keys
-          echo "$APPLE_API_KEY_BASE64" | base64 --decode > ~/private_keys/AuthKey.p8
-          echo "APPLE_API_KEY_PATH=$HOME/private_keys/AuthKey.p8" >> $GITHUB_ENV
-
       - name: Build Tauri app
         id: tauri
         uses: tauri-apps/tauri-action@v0
         env:
+          # Signing only — notarization is done manually in the next step
+          # because Tauri's built-in notarization uses `notarytool --wait`
+          # which hangs on transient network errors in CI.
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
-          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           KEYCHAIN_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
         with:
           args: --target ${{ matrix.target }}
           includeUpdaterJson: false
 
+      - name: Notarize and staple DMG (macOS)
+        if: runner.os == 'macOS'
+        env:
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+        run: |
+          set -euo pipefail
+          export APPLE_API_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
+          echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$APPLE_API_KEY_PATH"
+
+          DMG=$(ls target/${{ matrix.target }}/release/bundle/dmg/*.dmg | head -n1)
+          echo "Notarizing $DMG"
+          ./scripts/notarize.sh "$DMG"
+          xcrun stapler staple "$DMG"
+          xcrun stapler validate "$DMG"
+
+          rm -f "$APPLE_API_KEY_PATH"
+
       - name: Upload desktop artifacts
         uses: actions/upload-artifact@v4
         with:

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-cli"
-version = "0.2.1"
+version = "0.2.2"
 edition = "2021"
 
 [[bin]]

crates/ralph-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-core"
-version = "0.2.1"
+version = "0.2.2"
 edition = "2021"
 
 [dependencies]

crates/ralph-core/Cargo.toml

@@ -1,7 +1,7 @@
 {
   "name": "ralph-desktop",
   "private": true,
-  "version": "0.2.1",
+  "version": "0.2.2",
   "type": "module",
   "scripts": {
     "dev": "vite",

package.json

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# Submit a file to Apple's notary service and poll until it reaches a terminal
+# state, tolerating transient network errors.
+#
+# `xcrun notarytool submit --wait` hangs indefinitely on transient HTTP errors
+# (observed as NSURLErrorDomain -1009 "Internet connection appears to be
+# offline" in CI). This script submits without --wait, then polls `notarytool
+# info` in a loop that treats network failures as retryable.
+#
+# Required env vars:
+#   APPLE_API_KEY_PATH   Path to the .p8 App Store Connect API key file
+#   APPLE_API_KEY        Key ID
+#   APPLE_API_ISSUER     Issuer ID
+#
+# Usage: notarize.sh <file-to-submit>
+set -euo pipefail
+
+: "${APPLE_API_KEY_PATH:?}"
+: "${APPLE_API_KEY:?}"
+: "${APPLE_API_ISSUER:?}"
+
+if [[ $# -ne 1 ]]; then
+    echo "usage: $0 <file>" >&2
+    exit 2
+fi
+FILE="$1"
+
+notary() {
+    xcrun notarytool "$@" \
+        --key "$APPLE_API_KEY_PATH" \
+        --key-id "$APPLE_API_KEY" \
+        --issuer "$APPLE_API_ISSUER"
+}
+
+echo "Submitting $FILE to notary service..."
+SUBMIT_JSON=$(notary submit "$FILE" --output-format json)
+SUBMISSION_ID=$(echo "$SUBMIT_JSON" | /usr/bin/python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])')
+echo "Submission ID: $SUBMISSION_ID"
+
+# Poll up to ~60 minutes, tolerating transient failures
+DEADLINE=$(( $(date +%s) + 3600 ))
+CONSECUTIVE_ERRORS=0
+MAX_CONSECUTIVE_ERRORS=10
+
+while true; do
+    if (( $(date +%s) > DEADLINE )); then
+        echo "Timed out waiting for notarization" >&2
+        notary log "$SUBMISSION_ID" || true
+        exit 1
+    fi
+
+    sleep 30
+
+    if INFO_JSON=$(notary info "$SUBMISSION_ID" --output-format json 2>&1); then
+        CONSECUTIVE_ERRORS=0
+        STATUS=$(echo "$INFO_JSON" | /usr/bin/python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' 2>/dev/null || echo "Unknown")
+        echo "Status: $STATUS"
+        case "$STATUS" in
+            Accepted)
+                echo "Notarization succeeded"
+                exit 0
+                ;;
+            Invalid | Rejected)
+                echo "Notarization failed: $STATUS" >&2
+                notary log "$SUBMISSION_ID" || true
+                exit 1
+                ;;
+            In\ Progress | Unknown)
+                continue
+                ;;
+            *)
+                echo "Unexpected status: $STATUS" >&2
+                continue
+                ;;
+        esac
+    else
+        CONSECUTIVE_ERRORS=$(( CONSECUTIVE_ERRORS + 1 ))
+        echo "Poll failed (attempt $CONSECUTIVE_ERRORS/$MAX_CONSECUTIVE_ERRORS): $INFO_JSON" >&2
+        if (( CONSECUTIVE_ERRORS >= MAX_CONSECUTIVE_ERRORS )); then
+            echo "Too many consecutive polling errors, giving up" >&2
+            exit 1
+        fi
+    fi
+done

scripts/notarize.sh

@@ -1,6 +1,6 @@
 [package]
 name = "ralph-desktop"
-version = "0.2.1"
+version = "0.2.2"
 description = "Ralph - Autonomous Coding Loop GUI"
 authors = ["you"]
 edition = "2021"

src-tauri/Cargo.toml

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "ralph-desktop",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "identifier": "com.mikkeldamsgaard.ralph-desktop",
   "build": {
     "beforeDevCommand": "npm run dev",