Problem
macOS Gatekeeper blocks release binaries that are not signed with an Apple Developer ID certificate and notarized through Apple's service. Users who download a binary from the Releases page see:
"Apple could not verify 'kwelea' is free of malware that may harm your Mac or compromise your privacy."
The CI workflow cross-compiles macOS binaries on ubuntu-latest, which makes signing impossible without stored credentials.
Workaround (documented)
Users can clear the quarantine attribute manually after downloading:
xattr -d com.apple.quarantine /usr/local/bin/kwelea
Or right-click in Finder → Open → Open. Users with Go installed can also use go install to bypass Gatekeeper entirely.
This workaround is now documented in the Installation page.
Desired solution
Sign and notarize the darwin-amd64 and darwin-arm64 binaries in the CI release workflow using an Apple Developer ID Application certificate.
What's needed
- An Apple Developer account ($99/year)
- A Developer ID Application certificate exported as a .p12 file
- An App Store Connect API key (for notarization via notarytool)
- The following secrets added to the repo:
  - APPLE_DEVELOPER_ID_CERT — base64-encoded .p12
  - APPLE_DEVELOPER_ID_CERT_PASSWORD
  - APPLE_NOTARIZATION_KEY — base64-encoded App Store Connect API key (.p8)
  - APPLE_NOTARIZATION_KEY_ID
  - APPLE_NOTARIZATION_ISSUER_ID
Implementation sketch
In .github/workflows/ci.yml, add a post-build step for darwin targets that:
- Imports the certificate into a temporary keychain
- Signs the binary:
  codesign --sign "Developer ID Application: ..." --options runtime
- Zips and submits for notarization:
  xcrun notarytool submit ... --wait
- Staples the ticket (not applicable to standalone binaries — notarization is sufficient)
Tools: codesign and xcrun notarytool require a macOS runner, so the darwin builds must move from ubuntu-latest to macos-latest.
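A concrete shape for those post-build steps, written here as an added example rather than anything already in the repo's workflow: it assumes the darwin jobs run on macos-latest, that the built binary sits at dist/kwelea, and that the secrets carry the names listed under "What's needed". The keychain is created per job with a throwaway password and deleted even when signing fails, and the job is failed unless codesign verification passes and notarytool reports Accepted.

```yaml
# Added example; paths (dist/kwelea) and the keychain location are assumptions.
- name: Import Developer ID certificate into a temporary keychain
  if: runner.os == 'macOS'
  env:
    CERT_B64: ${{ secrets.APPLE_DEVELOPER_ID_CERT }}
    CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASSWORD }}
  run: |
    set -euo pipefail
    KEYCHAIN="$RUNNER_TEMP/build.keychain-db"
    KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"   # throwaway, lives only for this job
    echo "$CERT_B64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security set-keychain-settings -lut 1800 "$KEYCHAIN"   # auto-lock after 30 minutes
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign
    # allow codesign to use the private key without a UI prompt on the headless runner
    security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security list-keychains -d user -s "$KEYCHAIN" login.keychain
    rm -f "$RUNNER_TEMP/cert.p12"
    echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV"
- name: Sign, notarize and verify the darwin binary
  if: runner.os == 'macOS'
  env:
    NOTARY_KEY_B64: ${{ secrets.APPLE_NOTARIZATION_KEY }}
    NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
    NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
  run: |
    set -euo pipefail
    BINARY=dist/kwelea   # assumed output path of the build step
    # pick the Developer ID identity that the import step placed in the keychain
    IDENTITY="$(security find-identity -v -p codesigning "$KEYCHAIN" \
      | awk -F'"' '/Developer ID Application/ { print $2; exit }')"
    codesign --sign "$IDENTITY" --options runtime --timestamp --force "$BINARY"
    codesign --verify --strict --verbose=2 "$BINARY"   # fail early on a bad signature
    echo "$NOTARY_KEY_B64" | base64 --decode > "$RUNNER_TEMP/AuthKey.p8"
    ditto -c -k --keepParent "$BINARY" "$RUNNER_TEMP/kwelea.zip"
    xcrun notarytool submit "$RUNNER_TEMP/kwelea.zip" \
      --key "$RUNNER_TEMP/AuthKey.p8" --key-id "$NOTARY_KEY_ID" --issuer "$NOTARY_ISSUER_ID" \
      --wait | tee "$RUNNER_TEMP/notary.log"
    # --wait returns once Apple has a verdict; accept nothing but "Accepted"
    grep -q 'status: Accepted' "$RUNNER_TEMP/notary.log"
    rm -f "$RUNNER_TEMP/AuthKey.p8"
- name: Remove the temporary keychain
  if: always() && env.KEYCHAIN != ''
  run: security delete-keychain "$KEYCHAIN"
```

If notarization is rejected, `xcrun notarytool log <submission-id> --key ... --key-id ... --issuer ...` prints Apple's reasons for the submission id shown in notary.log.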