build: sign macos release binaries

.github/workflows/release.yml

@@ -48,6 +48,27 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: git checkout "$RELEASE_TAG"
 
+      - name: Import macOS signing certificate
+        if: ${{ secrets.MACOS_SIGNING_CERT_BASE64 != '' }}
+        env:
+          MACOS_SIGNING_CERT_BASE64: ${{ secrets.MACOS_SIGNING_CERT_BASE64 }}
+          MACOS_SIGNING_CERT_PASSWORD: ${{ secrets.MACOS_SIGNING_CERT_PASSWORD }}
+        run: |
+          set -euo pipefail
+          KEYCHAIN="build.keychain"
+          KEYCHAIN_PASSWORD="$(uuidgen)"
+
+          echo "$MACOS_SIGNING_CERT_BASE64" | base64 --decode > /tmp/codesign.p12
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security default-keychain -s "$KEYCHAIN"
+          security list-keychains -d user -s "$KEYCHAIN"
+
+          security import /tmp/codesign.p12 -k "$KEYCHAIN" -P "$MACOS_SIGNING_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
         with:
@@ -56,3 +77,4 @@ jobs:
           args: release --clean --config /tmp/.goreleaser.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOG_CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}

.goreleaser.yaml

@@ -34,16 +34,21 @@ builds:
     targets:
       - darwin_amd64
       - darwin_arm64
+    hooks:
+      post:
+        - ./scripts/codesign-macos.sh "{{ .Path }}"
 
 archives:
-  - builds:
+  - ids:
       - gog
       - gog_darwin
-    format: tar.gz
+    formats:
+      - tar.gz
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     format_overrides:
       - goos: windows
-        format: zip
+        formats:
+          - zip
 
 checksum:
   name_template: checksums.txt

docs/RELEASING.md

@@ -24,6 +24,10 @@ Assumptions:
 - Go toolchain installed (Go version comes from `go.mod`).
 - `make` works locally.
 - Access to the tap repo (e.g. `steipete/homebrew-tap`).
+- For signed macOS release binaries (recommended): GitHub Actions secrets set:
+  - `MACOS_SIGNING_CERT_BASE64` (base64-encoded `.p12`)
+  - `MACOS_SIGNING_CERT_PASSWORD`
+  - `MACOS_CODESIGN_IDENTITY` (e.g. `Developer ID Application: …`)
 
 ## 1) Verify build is green
 ```sh
@@ -71,7 +75,14 @@ gh workflow run release.yml -f tag=vX.Y.Z
 ## 5) Update (or add) the Homebrew formula
 In the tap repo (assumed sibling at `../homebrew-tap`), create/update `Formula/gogcli.rb`.
 
-Recommended formula shape (build-from-source, no binary assets needed):
+Recommended formula shape (download GitHub release assets; preserves macOS code signature):
+- `version "X.Y.Z"`
+- `url "https://github.com/steipete/gogcli/releases/download/vX.Y.Z/gogcli_X.Y.Z_darwin_arm64.tar.gz"` (or `darwin_amd64`)
+- `sha256 "<sha256>"`
+- Install:
+  - `bin.install "gog"`
+
+Alternative (build-from-source; macOS binary will be ad-hoc signed, which can trigger repeated Keychain prompts with `KeychainTrustApplication`):
 - `version "X.Y.Z"`
 - `url "https://github.com/steipete/gogcli/archive/refs/tags/vX.Y.Z.tar.gz"`
 - `sha256 "<sha256>"`

scripts/codesign-macos.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BIN="${1:-}"
+if [[ -z "$BIN" ]]; then
+  echo "usage: $0 <path-to-binary>" >&2
+  exit 2
+fi
+
+if [[ "$(uname -s)" != "Darwin" ]]; then
+  exit 0
+fi
+
+IDENTITY="${GOG_CODESIGN_IDENTITY:-${CODESIGN_IDENTITY:-}}"
+if [[ -z "$IDENTITY" ]]; then
+  echo "codesign: skipped (set GOG_CODESIGN_IDENTITY or CODESIGN_IDENTITY)" >&2
+  exit 0
+fi
+
+ID="com.steipete.gogcli.gog"
+
+codesign --force --sign "$IDENTITY" --timestamp --options runtime --identifier "$ID" "$BIN"
+codesign --verify --deep --strict --verbose=2 "$BIN"