Use ci-toolkit sign_and_notarize for CLI signing

[mokagio]

Test bed for Automattic/a8c-ci-toolkit-buildkite-plugin#210.

Refactors scripts/sign-and-notarize-cli to delegate signing + notarization to the new shared sign_and_notarize ci-toolkit command.

The CI run here is the real end-to-end proof that the shared command signs + notarizes a macOS binary on a Buildkite mac agent.

---

Opened by Claude (Opus 4.8) on behalf of @mokagio with approval.

[indent]

PR Summary

Replaces the hand-rolled codesign + xcrun notarytool block in scripts/sign-and-notarize-cli with a single call to the shared sign_and_notarize command from the automattic/a8c-ci-toolkit Buildkite plugin, removing duplicated cert-lookup, PEM-handling, and notarization-polling logic. The Swift build (swift build + lipo + strip) and cert delivery (fastlane set_up_signing in release-cli.sh) are intentionally unchanged; signing parameters (--options runtime --timestamp --entitlements, identity resolved by team id, IDENTITY override) are preserved by the toolkit, so the produced artifact is equivalent.

• Deleted the inline ASC API env-var check, keychain identity lookup, codesign --force/--verify/--display block, and .p8/ditto/notarytool submit --wait/log-on-failure plumbing from scripts/sign-and-notarize-cli.
• Added a command -v sign_and_notarize pre-flight guard so a missing plugin fails fast with a clear message.
• Invokes sign_and_notarize --team-id "$team_id" --entitlements "$entitlements" "$binary" after strip.
• TEMP: pinned CI_TOOLKIT_PLUGIN_VERSION in .buildkite/shared-pipeline-vars to commit SHA 6848c743aa50e332ec95809cf2c50eaf00cfcf1e on mokagio/macos-sign-and-notarize (immutable, so safe against branch deletion). Comment still asks to swap to a released toolkit tag before merging.

Issues

1 potential issue found:

• TEMP plugin pin still in place — .buildkite/shared-pipeline-vars:10 now pins CI_TOOLKIT_PLUGIN_VERSION to the commit SHA 6848c743aa50e332ec95809cf2c50eaf00cfcf1e on mokagio/macos-sign-and-notarize rather than the branch ref, which neutralizes the moving-ref risk (an SHA is immutable even if the branch is deleted). The comment still flags this as TEMP and asks to revert to a released tag (>= the version that ships sign_and_notarize) before merging — that swap is the only thing left blocking merge. → Autofix

1 issue already resolved

• Nit — the toolkit's sign_and_notarize only runs codesign --verify --strict --verbose=2, so CI logs lose the post-sign codesign --display --verbose=2 | grep Authority|TeamIdentifier|Signature|flags|Hash summary that used to confirm which Developer ID cert and team id actually got applied. Not a correctness issue, but worth either re-adding a codesign --display follow-up in this wrapper or upstreaming it to the toolkit, since it's the first thing you reach for when debugging a "wrong cert" / Gatekeeper failure.

CI Checks

All CI checks passed at commit 4e2651fd.

---

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR refactors the macOS signing and notarization workflow to delegate signing to an external sign_and_notarize command via a pinned CI toolkit plugin commit; the signing script is simplified to preflight the command, adjust repo setup, strip the binary, and invoke sign_and_notarize with team and entitlements arguments.

Changes

Signing and Notarization Delegation

Layer / File(s)	Summary
Plugin version configuration .buildkite/shared-pipeline-vars	CI_TOOLKIT_PLUGIN_VERSION is updated from 6.0.1 to a pinned commit hash 6848c743aa50e332ec95809cf2c50eaf00cfcf1e with temporary comments instructing to revert to a released tag before merging.
Script preflight and repo setup scripts/sign-and-notarize-cli	Adds an early preflight check that sign_and_notarize is available on PATH and moves repo_root computation/cd earlier; removes prior App Store Connect API key and local identity setup.
Replace local signing/notarization with external invocation scripts/sign-and-notarize-cli	After building (and creating universal binary when selected) and running strip, the script now calls sign_and_notarize --team-id ... --entitlements ... "$binary" instead of performing codesign and notarytool submission/status handling.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• beeper/platform-imessage#70: Refactors scripts/sign-and-notarize-cli to remove inline signing/notarization logic and delegate to the Buildkite plugin's external sign_and_notarize command.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: refactoring the CLI signing script to use the ci-toolkit's sign_and_notarize command instead of inline codesign/notarytool.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description clearly relates to the changeset, explaining the refactoring of sign-and-notarize-cli to use the ci-toolkit command and the temporary pin of CI_TOOLKIT_PLUGIN_VERSION.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mokagio/imessage-use-toolkit-sign-command

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[indent]

Merge blocker: plugin pinned to a moving branch ref. Buildkite resolves automattic/a8c-ci-toolkit#mokagio/macos-sign-and-notarize at run time, so once the upstream PR lands and this branch is force-pushed/rebased/deleted, the release-cli step will either start picking up unrelated changes or fail outright (the command -v sign_and_notarize guard in scripts/sign-and-notarize-cli would then trip and exit 1). Replace with a released tag (e.g. '6.0.2' or whatever ships bin/sign_and_notarize) before merging, and consider renaming the env var since CI_TOOLKIT_PLUGIN_VERSION no longer holds a version while this temp pin is in place.

[Copilot]

Pull request overview

Refactors the CLI release signing/notarization flow to delegate macOS signing + notarization to the shared sign_and_notarize command provided by the a8c-ci-toolkit Buildkite plugin, using this repo as an end-to-end CI proving ground.

Changes:

• Replace the custom codesign + notarytool logic in scripts/sign-and-notarize-cli with a single sign_and_notarize invocation (and a PATH check).
• Temporarily pin the a8c-ci-toolkit Buildkite plugin to a specific commit SHA that adds the sign_and_notarize command.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
scripts/sign-and-notarize-cli	Delegates signing/notarization to sign_and_notarize after building and stripping the CLI binary.
.buildkite/shared-pipeline-vars	Pins the CI toolkit plugin to a specific commit SHA to obtain the new signing command.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mokagio]

Safe to ignore. The "before merging" might have been a bit too eager. It would be fine to merge and follow up with a small PR that moves this to a tag.