fix(release): notarize macOS artifacts#137
Conversation
|
Codex review: needs maintainer review before merge. Reviewed July 17, 2026, 5:34 PM ET / 21:34 UTC. Summary Reproducibility: not applicable. as a bug report: the PR includes a concrete real-release validation path, and its stated live notarization results cover both target macOS architectures. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review detailsBest possible solution: Approve the fail-closed notarization policy only after confirming the private release environment reliably provisions the notary profile and the team accepts Apple-service availability as a release gate; retain the candidate-copy behavior so a failed submission cannot replace an existing artifact. Do we have a high-confidence way to reproduce the issue? Not applicable as a bug report: the PR includes a concrete real-release validation path, and its stated live notarization results cover both target macOS architectures. Is this the best way to solve the issue? Unclear pending maintainer policy confirmation. The candidate-copy, strict verification, and fail-closed implementation are a narrow solution if mandatory notarization and Apple availability as a release dependency are intentional. AGENTS.md: unclear because the file could not be read completely. Codex review notes: model internal, reasoning high; reviewed against d9a576d14775. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (1 earlier review cycle)
|
Summary
AcceptedApple response plus online ticket verification before replacing the original artifactNOTARYTOOL_KEYCHAIN_PROFILEis absent and preserve the original binary on any signing/notarization failureLocal proof
Real Apple notarization used a login-keychain profile supplied only through
NOTARYTOOL_KEYCHAIN_PROFILE; its value is not committed or logged in this PR.darwin/arm64anddarwin/amd64binaries.scripts/codesign-release-binary.shwith the Foundation Developer ID identity and official-release mode.Accepted;codesign --verify --strict --check-notarization -R=notarizedpassed.org.openclaw.discrawl, Team IDFWJYW4S8P8, hardened runtime, trusted timestamps, the stable Foundation designated requirement, exactarm64/x86_64slices, and version0.11.7-notary-proof.darwin_arm64_v8.0anddarwin_amd64_v1target names.darwin_amd64_v1rerun was alsoAcceptedand ticket-verified. Redundantdarwin_arm64_v8.0retries later hit Apple'sHTTPClientError.connectTimeout; the earlier arm64 proof was accepted, and every failed retry left the original scratch artifact untouched.Regression proof:
Full gate:
go test -count=1 ./... -coverprofile=...— 85.2% filtered coveragego test -count=1 -race ./...— passgo mod verify, tidy diff, govulncheck — pass; zero called vulnerabilities.agents/skills/autoreview/scripts/autoreview --mode local— clean; no accepted/actionable findings9f5d30ebd023d0dab9d982f7f47a425727026a5a— all 10 check contexts successfulRisk
Medium, release-only. Ordinary builds and non-macOS targets remain credential-free. Official macOS publication now intentionally stops when Apple notarization or online ticket verification is unavailable.