5 changes: 4 additions & 1 deletion .buildkite/shared-pipeline-vars
@@ -4,7 +4,10 @@
# rendered pipeline. Keeps plugin pins and the agent image id out of the
# pipeline.yml itself.

CI_TOOLKIT_PLUGIN_VERSION='6.0.1'
# TEMPORARY: pinned to a commit on the `mokagio/macos-sign-and-notarize` branch
# adding the macOS `sign_and_notarize` command. Revert to a released tag
# (>= the version that ships it) before merging.
CI_TOOLKIT_PLUGIN_VERSION='6848c743aa50e332ec95809cf2c50eaf00cfcf1e'
Comment on lines +7 to +10

Contributor Author

Safe to ignore. The "before merging" might have been a bit too eager. It would be fine to merge and follow up with a small PR that moves this to a tag.

NVM_PLUGIN_VERSION='0.6.0'
XCODE_VERSION=$(sed -E 's/^~> ?//' .xcode-version)

80 changes: 5 additions & 75 deletions scripts/sign-and-notarize-cli
@@ -49,38 +49,15 @@ case "$arch" in
;;
esac

key_id="${APP_STORE_CONNECT_API_KEY_KEY_ID-}"
issuer_id="${APP_STORE_CONNECT_API_KEY_ISSUER_ID-}"
key_pem="${APP_STORE_CONNECT_API_KEY_KEY-}"

if [ -z "$key_id" ] || [ -z "$issuer_id" ] || [ -z "$key_pem" ]; then
printf >&2 "missing API key env: set APP_STORE_CONNECT_API_KEY_{KEY_ID,ISSUER_ID,KEY}\n"
# This comes from CI toolkit
if ! command -v sign_and_notarize >/dev/null 2>&1; then
printf >&2 "sign_and_notarize not on PATH (provided by the a8c-ci-toolkit plugin)\n"
exit 1
fi

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$repo_root"

# Resolve the codesigning identity from the keychain by team id so the
# script works for any Developer ID cert, not just the hardcoded org name.
# `IDENTITY` env var bypasses the lookup if you need to force a specific cert.
identity="${IDENTITY:-}"
if [ -z "$identity" ]; then
identity="$(security find-identity -v -p codesigning | awk -v team="(${team_id})" '
/Developer ID Application:/ && index($0, team) {
sub(/^[^"]*"/, "")
sub(/"[^"]*$/, "")
print
exit
}
')"
fi
if [ -z "$identity" ]; then
printf >&2 "no Developer ID Application identity for team %s in keychain\n" "$team_id"
printf >&2 "(set IDENTITY=... to override)\n"
exit 1
fi

entitlements="$repo_root/scripts/imessage-cli.entitlements"
cli_swift_flags=(-Xswiftc -DIMESSAGE_DISABLE_PRIVATE_SPI_ASSETS)

@@ -110,57 +87,10 @@ else
fi

printf "==> stripping debug symbols\n"
# strip must happen before codesign — stripping invalidates an existing
# strip must happen before signing — stripping invalidates an existing
# signature, and the release asset shrinks meaningfully without it
strip "$binary"

printf "==> codesigning %s\n" "$binary"
codesign --force \
--options runtime \
--timestamp \
--entitlements "$entitlements" \
--sign "$identity" \
"$binary"

printf "==> verifying codesign\n"
codesign --verify --strict --verbose=2 "$binary"
codesign --display --verbose=2 "$binary" 2>&1 | grep -E "Authority|TeamIdentifier|Signature|flags|Hash" || true

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

p8="$work/AuthKey_${key_id}.p8"
# the env var stores the PEM with `\n` as literal backslash-n; %b decodes
# the escapes into real newlines. Trailing \n is required — notarytool
# rejects PEM that doesn't end with a newline as `invalidPEMDocument`
printf '%b\n' "$key_pem" > "$p8"
chmod 600 "$p8"

zip_path="$work/imessage-cli.zip"
ditto -c -k "$binary" "$zip_path"

printf "==> submitting to notarytool (this can take a few minutes)\n"
submit_json="$work/submit.json"
xcrun notarytool submit "$zip_path" \
--key "$p8" \
--key-id "$key_id" \
--issuer "$issuer_id" \
--wait \
--output-format json \
> "$submit_json"

cat "$submit_json"
printf "\n"

status="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["status"])' "$submit_json")"
submission_id="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["id"])' "$submit_json")"

if [ "$status" != "Accepted" ]; then
printf >&2 "==> notarization status: %s — fetching log\n" "$status"
xcrun notarytool log "$submission_id" \
--key "$p8" --key-id "$key_id" --issuer "$issuer_id"
exit 1
fi
sign_and_notarize --team-id "$team_id" --entitlements "$entitlements" "$binary"

printf "==> notarization accepted (id=%s)\n" "$submission_id"
printf "==> signed binary at: %s\n" "$binary"
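Review bot: Nothing on the new side confirms the binary is actually signed and accepted once `sign_and_notarize` returns — the `codesign --verify --strict` step and the notarization `status` check that the removed lines performed are now delegated entirely to the toolkit command, and whether `set -e` is in effect is not visible in this hunk, so a non-zero exit from it may not stop the script before the final "signed binary at" message. Keep one independent check after the call, e.g. `sign_and_notarize --team-id "$team_id" --entitlements "$entitlements" "$binary" || exit 1` followed by `codesign --verify --strict --verbose=2 "$binary"`, so the release step fails locally rather than relying on behaviour that is currently pinned to an unreleased toolkit commit. In the first hunk, the new `command -v sign_and_notarize` guard replaces the earlier check of the `APP_STORE_CONNECT_API_KEY_*` variables; if the toolkit command still reads them, a missing key now fails inside the plugin instead of with the previous explicit message, which is worth noting in the comment on that guard, e.g. `# This comes from CI toolkit; it reads APP_STORE_CONNECT_API_KEY_{KEY_ID,ISSUER_ID,KEY} itself`.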