Skip to content

fix(release): notarize macOS artifacts#137

Merged
steipete merged 1 commit into
mainfrom
fix/macos-notarization
Jul 17, 2026
Merged

fix(release): notarize macOS artifacts#137
steipete merged 1 commit into
mainfrom
fix/macos-notarization

Conversation

@steipete

@steipete steipete commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • notarize both GoReleaser macOS binaries after hardened-runtime Developer ID signing
  • require an Accepted Apple response plus online ticket verification before replacing the original artifact
  • fail closed when NOTARYTOOL_KEYCHAIN_PROFILE is absent and preserve the original binary on any signing/notarization failure
  • verify notarization tickets and hardened-runtime metadata again from published macOS archives
  • document the private runtime profile contract and add 0.11.7 release-infrastructure notes

Local proof

Real Apple notarization used a login-keychain profile supplied only through NOTARYTOOL_KEYCHAIN_PROFILE; its value is not committed or logged in this PR.

  • Built scratch darwin/arm64 and darwin/amd64 binaries.
  • Ran scripts/codesign-release-binary.sh with the Foundation Developer ID identity and official-release mode.
  • Both submissions returned Accepted; codesign --verify --strict --check-notarization -R=notarized passed.
  • Both artifacts reported identifier org.openclaw.discrawl, Team ID FWJYW4S8P8, hardened runtime, trusted timestamps, the stable Foundation designated requirement, exact arm64 / x86_64 slices, and version 0.11.7-notary-proof.
  • Final matcher tests exercise GoReleaser's actual darwin_arm64_v8.0 and darwin_amd64_v1 target names.
  • An exact committed darwin_amd64_v1 rerun was also Accepted and ticket-verified. Redundant darwin_arm64_v8.0 retries later hit Apple's HTTPClientError.connectTimeout; the earlier arm64 proof was accepted, and every failed retry left the original scratch artifact untouched.

Regression proof:

go test ./scripts -run 'Test(CodesignReleaseBinary|VerifyMacOSRelease|ReleaseSigned)' -count=1 -v
PASS

Full gate:

  • go test -count=1 ./... -coverprofile=... — 85.2% filtered coverage
  • go test -count=1 -race ./... — pass
  • golangci-lint, vet, staticcheck, deadcode, gofumpt, gosec — pass
  • go mod verify, tidy diff, govulncheck — pass; zero called vulnerabilities
  • GoReleaser snapshot — six archives; both real suffixed Darwin hooks exercised in credential-free snapshot mode
  • gitleaks git/directory scans and shell syntax — pass
  • Docker build plus binary/help/git smoke — pass
  • .agents/skills/autoreview/scripts/autoreview --mode local — clean; no accepted/actionable findings
  • hosted CI on exact head 9f5d30ebd023d0dab9d982f7f47a425727026a5a — all 10 check contexts successful

Risk

Medium, release-only. Ordinary builds and non-macOS targets remain credential-free. Official macOS publication now intentionally stops when Apple notarization or online ticket verification is unavailable.

@steipete
steipete requested a review from a team as a code owner July 17, 2026 21:26
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. labels Jul 17, 2026
@clawsweeper

clawsweeper Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed July 17, 2026, 5:34 PM ET / 21:34 UTC.

Summary
The branch signs both GoReleaser macOS binaries with hardened runtime, notarizes them through Apple, verifies tickets before publishing, and documents the private notary-profile release requirement.

Reproducibility: not applicable. as a bug report: the PR includes a concrete real-release validation path, and its stated live notarization results cover both target macOS architectures.

Review metrics: 2 noteworthy metrics.

  • Release surfaces: 6 files affected; 326 added, 18 removed. The change is focused on signing, verification, release documentation, and their regression coverage rather than general runtime behavior.
  • Hosted checks: 10 successful check contexts. The exact PR head has passed the available release, test, analysis, and security automation.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P0] Confirm the private-profile provisioning and Apple-outage policy before merge.

Risk before merge

  • [P1] Official macOS publication will now stop if the private NOTARYTOOL_KEYCHAIN_PROFILE is not provisioned or Apple’s online notarization/ticket service is unavailable, so release operators need explicit agreement on this fail-closed policy.
  • [P1] The new macOS-only release dependency must be available in the private release environment before the next production tag; ordinary and non-macOS builds remain unaffected by the stated design.

Maintainer options:

  1. Confirm the release contract before merge (recommended)
    Verify that the managed macOS release environment supplies the private notary profile and explicitly accept that Apple ticket verification can block publication.
  2. Pause mandatory enforcement
    Keep the current signing workflow until maintainers define a supported outage or credential-provisioning policy for official macOS releases.

Next step before merge

  • [P2] A human must approve the intentional release-blocking behavior and private-profile operational contract; there is no narrow mechanical repair to dispatch.

Maintainer decision needed

  • Question: Should official macOS releases be intentionally blocked when the private Apple notarization profile is missing or Apple ticket verification is unavailable?
  • Rationale: This is a deliberate operator and release-availability policy change, not a mechanical correctness question; automation cannot decide the acceptable tradeoff between notarized distribution and the ability to ship during an Apple-service outage.
  • Likely owner: steipete — They authored the release-workflow change and are the collaborator identified in the PR context as the closest available owner for its operational contract.
  • Options:
    • Adopt fail-closed notarization (recommended): Approve the PR’s policy after confirming the managed release environment has the private profile and operators accept Apple availability as a required release dependency.
    • Keep signing without mandatory notarization: Preserve the existing signing-only release path and defer mandatory notarization until the release process has an approved fallback policy.

Security
Cleared: The supplied diff hardens signing and notarization without adding third-party execution, widening permissions, or exposing the private keychain profile value.

Review details

Best possible solution:

Approve the fail-closed notarization policy only after confirming the private release environment reliably provisions the notary profile and the team accepts Apple-service availability as a release gate; retain the candidate-copy behavior so a failed submission cannot replace an existing artifact.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug report: the PR includes a concrete real-release validation path, and its stated live notarization results cover both target macOS architectures.

Is this the best way to solve the issue?

Unclear pending maintainer policy confirmation. The candidate-copy, strict verification, and fail-closed implementation are a narrow solution if mandatory notarization and Apple availability as a release dependency are intentional.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model internal, reasoning high; reviewed against d9a576d14775.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix real Apple notarization and ticket-verification results for both macOS architectures, plus targeted regression and full-gate results; private credential values are stated to remain uncommitted and unlogged.

Label justifications:

  • P2: This is a bounded release-infrastructure hardening change with a meaningful but macOS-release-only operator impact.
  • merge-risk: 🚨 compatibility: Existing official macOS release environments without the new private notary profile will fail rather than continue with signing only.
  • merge-risk: 🚨 availability: Apple notarization and online ticket verification become required dependencies for publishing official macOS artifacts.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body provides after-fix real Apple notarization and ticket-verification results for both macOS architectures, plus targeted regression and full-gate results; private credential values are stated to remain uncommitted and unlogged.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix real Apple notarization and ticket-verification results for both macOS architectures, plus targeted regression and full-gate results; private credential values are stated to remain uncommitted and unlogged.
Evidence reviewed

What I checked:

  • PR implementation surface: The provided PR diff adds notarization and post-publication ticket verification to the release signing and verification scripts, with focused matcher and failure-path coverage. (scripts/codesign-release-binary.sh, 9f5d30ebd023)
  • Real release behavior proof: The PR body reports real Developer ID signing and Apple Accepted notarization for both Darwin architectures, followed by strict ticket verification; it also states that failed retries left the original artifact untouched. (scripts/codesign-release-binary.sh, 9f5d30ebd023)
  • Automated validation: The supplied GitHub context reports all 10 check contexts successful on the exact head, including release checks, tests, static analysis, secrets scanning, and CodeQL. (9f5d30ebd023)
  • Release-policy change: The branch requires NOTARYTOOL_KEYCHAIN_PROFILE for official macOS release execution and fails closed on absent credentials, failed notarization, or failed online ticket verification. (scripts/release-signed.sh, 9f5d30ebd023)

Likely related people:

  • steipete: The collaborator authored the single release-hardening commit and requested review; they are the strongest available routing contact for the intended release workflow and credential-provisioning contract. (role: release-change author and collaborator; confidence: high; commits: 9f5d30ebd023; files: scripts/codesign-release-binary.sh, scripts/release-signed.sh, scripts/verify-macos-release.sh)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (1 earlier review cycle)
  • reviewed 2026-07-17T21:29:06.281Z sha 9f5d30e :: needs maintainer review before merge. :: none

@clawsweeper clawsweeper Bot added the proof: sufficient Contributor real behavior proof is sufficient. label Jul 17, 2026
@steipete
steipete merged commit 9ec4892 into main Jul 17, 2026
10 checks passed
@steipete
steipete deleted the fix/macos-notarization branch July 17, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant