From 76b5fb2b12b75a40070d4d6a84a982afb00e5920 Mon Sep 17 00:00:00 2001
From: tarik02
Date: Sun, 14 Jun 2026 00:14:36 +0300
Subject: [PATCH] trust mac signing cert in release workflow
---
 .github/workflows/release.yml | 39 +++++++++++++++++++++++++++++++++++
 AGENTS.md | 1 +
 FORK.md | 1 +
 3 files changed, 41 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2995ef3d27a..b520daded76 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -434,6 +434,45 @@ jobs:
 Select-Object -Unique "PSModulePath=$($modulePathEntries -join ';')" >> $env:GITHUB_ENV
+ - name: Trust macOS signing certificate
+ if: matrix.platform == 'mac'
+ shell: bash
+ env:
+ CSC_LINK: ${{ secrets.CSC_LINK }}
+ CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+ run: |
+ if [[ -z "$CSC_LINK" || -z "$CSC_KEY_PASSWORD" ]]; then
+ echo "macOS signing certificate trust skipped (missing code-signing certificate secrets)."
+ exit 0
+ fi
+
+ cert_p12="$RUNNER_TEMP/t3code-mac-codesign.p12"
+ cert_pem="$RUNNER_TEMP/t3code-mac-codesign.pem"
+
+ if [[ "$CSC_LINK" == file://* ]]; then
+ cp "${CSC_LINK#file://}" "$cert_p12"
+ elif [[ -f "$CSC_LINK" ]]; then
+ cp "$CSC_LINK" "$cert_p12"
+ else
+ printf '%s' "$CSC_LINK" | openssl base64 -d -A -out "$cert_p12"
+ fi
+
+ openssl pkcs12 \
+ -in "$cert_p12" \
+ -passin env:CSC_KEY_PASSWORD \
+ -nokeys \
+ -clcerts \
+ -out "$cert_pem"
+
+ security add-trusted-cert \
+ -d \
+ -r trustRoot \
+ -p codeSign \
+ -k "$HOME/Library/Keychains/login.keychain-db" \
+ "$cert_pem"
+
+ echo "macOS signing certificate trusted for code signing."
+
 - name: Build desktop artifact
 shell: bash
 env:
diff --git a/AGENTS.md b/AGENTS.md
index d2a7559acba..3a833a39e83 100644
--- a/AGENTS.md
+++ b/AGENTS.md
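Review bot: The base64 branch, `printf '%s' "$CSC_LINK" | openssl base64 -d -A -out "$cert_p12"`, yields truncated or empty output when the secret was stored with line wraps, because `-A` tells OpenSSL the input is a single line; normalising first, `printf '%s' "$CSC_LINK" | tr -d '\n\r' | openssl base64 -d -A -out "$cert_p12"`, makes this step at least as tolerant as the build step that presumably consumes the same secret. The decoded `.p12` holds the private key and is only needed to extract the PEM, so `rm -f -- "$cert_p12"` right after the `openssl pkcs12` call would shorten the time the key sits on the runner's disk. A why-comment above `security add-trusted-cert` would also help the next maintainer, e.g. `# codesign rejects identities that do not chain to a trusted root; trust the self-signed cert for the codeSign policy only, on this ephemeral runner`. On hosted runners `-d` (admin trust domain) may require sudo for a non-interactive shell, so if the step fails there, dropping `-d` to use user-level trust settings on the login keychain is the fallback worth confirming in a dry run.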
@@ -31,6 +31,7 @@ Long term maintainability is a core priority. If you add new functionality, firs
 - Keep workflow-only fork changes narrow and prefer job-level disables over broad refactors.
 - Do not commit package version bumps solely to represent fork releases.
 - Keep macOS release signing separate from Apple notarization; do not require notarization secrets just to sign updater artifacts.
+- Keep self-signed macOS signing certificate trust in the release workflow when using non-Apple signing certificates.
 - Re-check Electron updater channel behavior when changing version strings, release metadata, or desktop packaging.
 - Keep fork-only storage in `state-tarik02.sqlite` unless intentionally upstreaming it.
 - When preparing fork PRs, branch from `origin/main` and target `tarik02/t3code:main`.
diff --git a/FORK.md b/FORK.md
index 1c904ade83d..71981dc1eb4 100644
--- a/FORK.md
+++ b/FORK.md
@@ -10,6 +10,7 @@ This repository is a fork of `pingdotgg/t3code`. Keep this file focused on fork
 - Release builds publish updater metadata against the fork repository.
 - Fork release versions are derived in the release workflow so package manifests stay close to upstream.
 - macOS release signing is separate from Apple notarization.
+- Self-signed macOS signing certificates are trusted during release builds.
 ### Desktop Updater Channels