
Conversation


@YoungY620 YoungY620 commented Jan 14, 2026

Related Issue

No related issue

Description

Add macOS code signing and notarization support to the release workflow. This ensures that macOS binaries distributed via GitHub releases are properly signed and notarized, eliminating Gatekeeper warnings for users.

Changes

  1. New GitHub Action (.github/actions/macos-code-sign/action.yml)

    • Reusable composite action for signing and notarizing macOS binaries
    • Handles certificate import, keychain management, code signing, and notarization
    • Includes proper cleanup of sensitive materials
  2. Updated Release Workflow (.github/workflows/release-kimi-cli.yml)

    • Setup signing certificate before PyInstaller build
    • Pass signing identity to PyInstaller via environment variable
    • Notarize the signed binary using Apple's notarytool
    • Verify signature and notarization status
    • Cleanup keychain after build
  3. Updated PyInstaller Spec (kimi.spec)

    • Read APPLE_SIGNING_IDENTITY from environment variable
    • Enable PyInstaller's built-in codesigning during build

Required Secrets

The following secrets need to be configured in the repository:

| Secret | Description |
| --- | --- |
| APPLE_CERTIFICATE_P12 | Base64-encoded Developer ID Application certificate (.p12) |
| APPLE_CERTIFICATE_PASSWORD | Password for the .p12 certificate |
| APPLE_NOTARIZATION_KEY_P8 | Base64-encoded App Store Connect API key (.p8) |
| APPLE_NOTARIZATION_KEY_ID | App Store Connect API Key ID |
| APPLE_NOTARIZATION_ISSUER_ID | App Store Connect Issuer ID |

Benefits

  • macOS users can run Kimi CLI without Gatekeeper warnings
  • Binary is signed with a Developer ID Application certificate
  • Binary is notarized by Apple, proving it has been scanned for malware
  • No impact on Linux/Windows builds

Checklist

  • I have read the CONTRIBUTING document.
  • I have linked the related issue, if any.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have run make gen-changelog to update the changelog.
  • I have run make gen-docs to update the user documentation.
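The workflow steps listed above end with "Verify signature and notarization status". As an added example (not the kimi-cli project's code and not part of this PR), the script below is a release gate that a CI step could run after the signing and notarization steps: it parses the output of `codesign -dvv`, `xcrun notarytool submit --wait --output-format json` and `spctl --assess --type execute -vv` and blocks the release if the binary is unsigned, signed by something other than a Developer ID Application certificate, built without the hardened runtime, or not notarized. The tool outputs embedded in the script are constructed samples (placeholder team ID and submission ID); in CI they would be captured from the real commands.

```python
"""Post-build verification gate for a signed, notarized macOS binary.

Added example, not the kimi-cli project's own code. It parses what
`codesign -dvv`, `xcrun notarytool submit --wait --output-format json` and
`spctl --assess --type execute -vv` print, so a CI step can fail the release
instead of shipping a binary that is unsigned, signed with the wrong kind of
certificate, missing the hardened runtime, or not notarized.
The sample outputs below are constructed for this example (placeholder team
and submission IDs); in CI they would be captured from the real tools.
"""
import json
import re

# Constructed sample of `codesign -dvv dist/kimi` (codesign writes this to stderr).
CODESIGN_OUTPUT = """\
Executable=/Users/runner/work/kimi-cli/dist/kimi
Identifier=kimi
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed sample of the JSON that `notarytool submit --wait --output-format json` returns.
NOTARYTOOL_OUTPUT = (
    '{"id": "00000000-0000-0000-0000-000000000000", '
    '"status": "Accepted", "message": "Processing complete"}'
)

# Constructed sample of `spctl --assess --type execute -vv dist/kimi`.
SPCTL_OUTPUT = """\
/Users/runner/work/kimi-cli/dist/kimi: accepted
source=Notarized Developer ID
"""


def check_codesign(output: str) -> list[str]:
    """Return the problems found in `codesign -dvv` output (empty list = OK)."""
    problems = []
    authorities = re.findall(r"^Authority=(.*)$", output, re.MULTILINE)
    if not authorities:
        return ["binary is not signed (no Authority lines)"]
    # The leaf certificate must be a Developer ID Application certificate:
    # Gatekeeper does not accept ad-hoc, self-signed or "Mac Developer" identities.
    if not authorities[0].startswith("Developer ID Application:"):
        problems.append(f"leaf certificate is not Developer ID Application: {authorities[0]}")
    if "Developer ID Certification Authority" not in authorities:
        problems.append("chain does not include Developer ID Certification Authority")
    # Notarization requires the hardened runtime, shown as flags=0x...(runtime).
    flags = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", output)
    if not flags or "runtime" not in flags.group(1).split(","):
        problems.append("hardened runtime flag not set")
    return problems


def check_notarization(output: str) -> list[str]:
    """Return the problems found in notarytool's JSON result (empty list = OK)."""
    try:
        result = json.loads(output)
    except json.JSONDecodeError as exc:
        return [f"notarytool output is not JSON: {exc}"]
    status = result.get("status")
    if status != "Accepted":
        # "Invalid" means Apple rejected the submission; "In Progress" means
        # the wait ended early. Neither result may be released.
        return [f"notarization status is {status!r}, expected 'Accepted' (id={result.get('id')})"]
    return []


def check_gatekeeper(output: str) -> list[str]:
    """Return the problems found in `spctl --assess -vv` output (empty list = OK)."""
    problems = []
    if not re.search(r": accepted$", output, re.MULTILINE):
        problems.append("spctl did not accept the binary")
    source = re.search(r"^source=(.*)$", output, re.MULTILINE)
    src = source.group(1) if source else None
    # A merely signed binary reports "source=Developer ID"; only a notarized
    # one reports "source=Notarized Developer ID".
    if src != "Notarized Developer ID":
        problems.append(f"spctl source is {src!r}, expected 'Notarized Developer ID'")
    return problems


def release_gate(codesign_out: str, notary_out: str, spctl_out: str) -> list[str]:
    """Run all three checks; an empty list means the binary may be published."""
    return (
        check_codesign(codesign_out)
        + check_notarization(notary_out)
        + check_gatekeeper(spctl_out)
    )


if __name__ == "__main__":
    problems = release_gate(CODESIGN_OUTPUT, NOTARYTOOL_OUTPUT, SPCTL_OUTPUT)
    if problems:
        raise SystemExit("release blocked:\n  " + "\n  ".join(problems))
    print("signature, notarization and Gatekeeper assessment all OK")
```

In a workflow the three outputs would be captured into files by the verification step and fed to `release_gate`; a non-empty list makes the job fail before the upload step, which is the point of checking `spctl` rather than only `codesign`: a signed but un-notarized binary still passes `codesign --verify` yet is rejected by Gatekeeper on a user's machine.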

Copilot AI review requested due to automatic review settings January 14, 2026 07:53
@YoungY620 YoungY620 requested review from stdrc and removed request for Copilot January 14, 2026 08:01

@stdrc stdrc left a comment


Rest LGTM

from kimi_cli.utils.pyinstaller import datas, hiddenimports

# Read codesign identity from environment variable (for macOS signing in CI)
codesign_identity = os.environ.get("APPLE_SIGNING_IDENTITY", None)
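Review bot: when APPLE_SIGNING_IDENTITY is not set, `codesign_identity` silently becomes `None` and the macOS CI build proceeds without the Developer ID signature this change is meant to add; since the comment states the variable is expected in CI, consider logging a warning (or failing the build when running on macOS in CI) so a missing or misnamed secret cannot produce an unsigned release binary without anyone noticing.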


Suggested change
codesign_identity = os.environ.get("APPLE_SIGNING_IDENTITY", None)
codesign_identity = os.getenv("APPLE_SIGNING_IDENTITY")

Comment on lines +119 to 127
# Build with signing on macOS (APPLE_SIGNING_IDENTITY is read by kimi.spec)
- name: Build standalone binary (macOS with signing)
if: runner.os == 'macOS'
run: make build-bin

# Build without signing on other platforms
- name: Build standalone binary
if: runner.os != 'macOS'
run: make build-bin
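Review bot: the two steps at lines +119 to 127 are identical apart from their names (both run `make build-bin` and the `if:` conditions are complementary), so they can be collapsed into one unconditional "Build standalone binary" step; the comment that APPLE_SIGNING_IDENTITY is read by kimi.spec already documents the macOS difference. If the split is kept to make signing visible in the job log, a preceding macOS-only step that fails when APPLE_SIGNING_IDENTITY is empty would be more useful, since it prevents a misconfigured secret from yielding an unsigned release binary.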


Seems there's no need to have two different steps?


stdrc commented Jan 14, 2026

I'll merge this PR after we set the secrets.

@stdrc stdrc changed the title feat: add macOS code signing and notarization feat(ci): add macOS code signing and notarization Jan 14, 2026