Commit 8348466

separate mac signing from notarization (#26)
1 parent c0e7d49 commit 8348466

3 files changed

Lines changed: 13 additions & 5 deletions

.github/workflows/release.yml

Lines changed: 11 additions & 5 deletions
@@ -469,14 +469,20 @@ jobs:
469469
}
470470
471471
if [[ "${{ matrix.platform }}" == "mac" ]]; then
472-
if has_all "$CSC_LINK" "$CSC_KEY_PASSWORD" "$APPLE_API_KEY" "$APPLE_API_KEY_ID" "$APPLE_API_ISSUER"; then
473-
key_path="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
474-
printf '%s' "$APPLE_API_KEY" > "$key_path"
475-
export APPLE_API_KEY="$key_path"
472+
if has_all "$CSC_LINK" "$CSC_KEY_PASSWORD"; then
473+
if has_all "$APPLE_API_KEY" "$APPLE_API_KEY_ID" "$APPLE_API_ISSUER"; then
474+
key_path="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
475+
printf '%s' "$APPLE_API_KEY" > "$key_path"
476+
export APPLE_API_KEY="$key_path"
477+
echo "macOS notarization enabled."
478+
else
479+
unset APPLE_API_KEY APPLE_API_KEY_ID APPLE_API_ISSUER
480+
echo "macOS notarization disabled (missing one or more Apple notarization secrets)."
481+
fi
476482
echo "macOS signing enabled."
477483
args+=(--signed)
478484
else
479-
echo "macOS signing disabled (missing one or more Apple signing secrets)."
485+
echo "macOS signing disabled (missing code-signing certificate secrets)."
480486
fi
481487
elif [[ "${{ matrix.platform }}" == "win" ]]; then
482488
if has_all \
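
Review bot: in the new inner `else` branch, a partially configured notarization setup is handled the same way as an absent one. If only one or two of `APPLE_API_KEY`, `APPLE_API_KEY_ID` and `APPLE_API_ISSUER` are set (a rotated or mistyped secret, for instance), the step unsets all three, prints an informational line and still appends `--signed`, so a release can ship signed but not notarized with only a log line recording it. Consider failing the job when some but not all three are present, and emitting the "notarization disabled" message as a workflow warning (`echo "::warning::macOS notarization disabled ..."`) when none are. Separately, `printf '%s' "$APPLE_API_KEY" > "$key_path"` writes the .p8 private key under the default umask; setting `umask 077` before the write (or `chmod 600 "$key_path"` after it) and deleting the file at the end of the step would narrow its exposure on the runner.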

AGENTS.md

Lines changed: 1 addition & 0 deletions
@@ -30,6 +30,7 @@ Long term maintainability is a core priority. If you add new functionality, firs
3030
- When making fork-only changes, update `FORK.md` in the same change so future upstream merges have current context.
3131
- Keep workflow-only fork changes narrow and prefer job-level disables over broad refactors.
3232
- Do not commit package version bumps solely to represent fork releases.
33+
- Keep macOS release signing separate from Apple notarization; do not require notarization secrets just to sign updater artifacts.
3334
- Re-check Electron updater channel behavior when changing version strings, release metadata, or desktop packaging.
3435
- Keep fork-only storage in `state-tarik02.sqlite` unless intentionally upstreaming it.
3536
- When preparing fork PRs, branch from `origin/main` and target `tarik02/t3code:main`.
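
Review bot: the rule added at line 33 does not say which secrets belong to which side, so whoever edits the workflow next has to rediscover the split from release.yml. Naming them (`CSC_LINK` and `CSC_KEY_PASSWORD` for signing; `APPLE_API_KEY`, `APPLE_API_KEY_ID` and `APPLE_API_ISSUER` for notarization) and stating that a missing notarization set must not remove `--signed` would make the rule checkable against the workflow.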

FORK.md

Lines changed: 1 addition & 0 deletions
@@ -9,6 +9,7 @@ This repository is a fork of `pingdotgg/t3code`. Keep this file focused on fork
99
- Fork workflows disable scheduled releases, relay jobs, hosted deploys, and fork-unsafe publish paths.
1010
- Release builds publish updater metadata against the fork repository.
1111
- Fork release versions are derived in the release workflow so package manifests stay close to upstream.
12+
- macOS release signing is separate from Apple notarization.
1213

1314
### Desktop Updater Channels
1415
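
Review bot: the entry added at line 12 records the split but not where it lives or what it means for a release. Since this file is the context for future upstream merges, it should say that the change is in the macOS branch of `.github/workflows/release.yml`, that signing previously required all five secrets, and that builds made without the Apple API secrets are signed but not notarized.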
