tarik02 · tarik02 · Jun 13, 2026 · Jun 13, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -434,6 +434,45 @@ jobs:
             Select-Object -Unique
           "PSModulePath=$($modulePathEntries -join ';')" >> $env:GITHUB_ENV
 
+      - name: Trust macOS signing certificate
+        if: matrix.platform == 'mac'
+        shell: bash
+        env:
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+        run: |
+          if [[ -z "$CSC_LINK" || -z "$CSC_KEY_PASSWORD" ]]; then
+            echo "macOS signing certificate trust skipped (missing code-signing certificate secrets)."
+            exit 0
+          fi
+
+          cert_p12="$RUNNER_TEMP/t3code-mac-codesign.p12"
+          cert_pem="$RUNNER_TEMP/t3code-mac-codesign.pem"
+
+          if [[ "$CSC_LINK" == file://* ]]; then
+            cp "${CSC_LINK#file://}" "$cert_p12"
+          elif [[ -f "$CSC_LINK" ]]; then
+            cp "$CSC_LINK" "$cert_p12"
+          else
+            printf '%s' "$CSC_LINK" | openssl base64 -d -A -out "$cert_p12"
+          fi
+
+          openssl pkcs12 \
+            -in "$cert_p12" \
+            -passin env:CSC_KEY_PASSWORD \
+            -nokeys \
+            -clcerts \
+            -out "$cert_pem"
+
+          security add-trusted-cert \
+            -d \
+            -r trustRoot \
+            -p codeSign \
+            -k "$HOME/Library/Keychains/login.keychain-db" \
+            "$cert_pem"
+
+          echo "macOS signing certificate trusted for code signing."
+
       - name: Build desktop artifact
         shell: bash
         env:

diff --git a/AGENTS.md b/AGENTS.md
@@ -31,6 +31,7 @@ Long term maintainability is a core priority. If you add new functionality, firs
 - Keep workflow-only fork changes narrow and prefer job-level disables over broad refactors.
 - Do not commit package version bumps solely to represent fork releases.
 - Keep macOS release signing separate from Apple notarization; do not require notarization secrets just to sign updater artifacts.
+- Keep self-signed macOS signing certificate trust in the release workflow when using non-Apple signing certificates.
 - Re-check Electron updater channel behavior when changing version strings, release metadata, or desktop packaging.
 - Keep fork-only storage in `state-tarik02.sqlite` unless intentionally upstreaming it.
 - When preparing fork PRs, branch from `origin/main` and target `tarik02/t3code:main`.

diff --git a/FORK.md b/FORK.md
@@ -10,6 +10,7 @@ This repository is a fork of `pingdotgg/t3code`. Keep this file focused on fork
 - Release builds publish updater metadata against the fork repository.
 - Fork release versions are derived in the release workflow so package manifests stay close to upstream.
 - macOS release signing is separate from Apple notarization.
+- Self-signed macOS signing certificates are trusted during release builds.
 
 ### Desktop Updater Channels