Add Windows code-signing and macOS notarization to release workflow by lextiz · Pull Request #63 · lextiz/PostureWatch

lextiz · 2026-04-08T10:24:28Z

Prevent Windows SmartScreen and macOS Gatekeeper from marking release binaries as untrusted by signing and notarizing artifacts produced in CI.
Allow releases to be trusted by end users when repository owners provide platform signing credentials.
Keep unsigned behavior as a fallback so CI still produces artifacts when signing secrets are not configured.

Added an optional Windows Authenticode signing step in release that writes a base64 PFX from secrets.WINDOWS_CERTIFICATE_PFX_BASE64, locates signtool.exe, and signs target/release/posturewatch.exe with /fd SHA256, timestamping, and the provided password.
Added an optional macOS code-signing step in release-macos that decodes a P12 (secrets.MACOS_CERTIFICATE_P12_BASE64) into a temporary keychain and runs codesign --options runtime --timestamp using secrets.MACOS_CODESIGN_IDENTITY.
Added an optional macOS notarization step that uses xcrun notarytool submit when Apple notarization secrets (MACOS_NOTARY_APPLE_ID, MACOS_NOTARY_TEAM_ID, MACOS_NOTARY_APP_PASSWORD) are present.
All new steps are guarded by if: conditionals so they run only when the corresponding secrets are set and otherwise leave the release process unchanged.

Ran cargo fmt which succeeded.
Ran cargo clippy -- -D warnings which completed without warnings.
Ran cargo test which ran the unit test suite (46 tests) and all tests passed.
Ran cargo build which completed successfully.

Add release signing and notarization steps

69c12fc

lextiz added the codex label Apr 8, 2026 — with ChatGPT Codex Connector

lextiz added 3 commits April 8, 2026 12:52

Trigger CI for all PR targets and merge queue

db4d4c7

Run CI on all pushes to satisfy required checks

d5272c1

Rename workflow to ci for required check matching

60f5cea

Provide feedback