ci(release): pre-import Apple cert before sidecar build#9
Merged
Apple's notarytool rejected v0.1.8 with two errors against `Contents/Resources/runtime-modules/better-sqlite3/build/Release/better_sqlite3.node`:

- "The binary is not signed with a valid Developer ID certificate."
- "The signature does not include a secure timestamp."

Root cause: copy-runtime-modules.mjs codesigns the .node file as part of `npm run runtime-modules`, but at that point in the workflow the runner's keychain doesn't yet have the Apple Developer ID cert; tauri-action only imports it later, inside its own ephemeral keychain. PR #7's best-effort patch made the script log a warning and continue when codesign failed, which kept the build from aborting but left the .node unsigned. tauri-bundler's own codesign pass walks Contents/MacOS/ only, not Resources/, so the .node was still unsigned when notarytool inspected the .app.

Fix: a new step right before "Build sidecar" mirrors tauri-action's keychain import dance, but against the runner's default login.keychain-db. By the time runtime-modules runs codesign, the identity is available with the secure-timestamp flag enabled, and notarytool accepts the resulting .app. Skipped (with explanatory log) when APPLE_CERTIFICATE secrets are absent; keeps the unsigned-build path functional.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This was referenced May 12, 2026
Summary
Notarization rejected v0.1.8 with the attached Apple log flagging exactly one file:
```json
{
"path": ".../runtime-modules/better-sqlite3/build/Release/better_sqlite3.node",
"message": "The binary is not signed with a valid Developer ID certificate."
},
{
"path": ".../runtime-modules/better-sqlite3/build/Release/better_sqlite3.node",
"message": "The signature does not include a secure timestamp."
}
```
That's the file `copy-runtime-modules.mjs` is supposed to sign — but my PR #7 patch made it best-effort, so when the runner's keychain didn't have the cert (which it doesn't, because tauri-action imports the cert later), the script logged a warning and kept going. Tauri-bundler's own codesign pass only walks `Contents/MacOS/`, never `Resources/`, so the .node stayed unsigned.
Fix
Add a new step right before "Build sidecar" that mirrors tauri-action's keychain dance but against the runner's default `login.keychain-db`:
- Skips with an explanatory log when the secrets aren't set (unsigned-build path stays functional).
- When tauri-action runs later it still creates its own keychain and imports the same cert there; codesign finds the identity in either, no conflict.
Test plan
🤖 Generated with Claude Code
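As an added example that is not part of this PR or the project's workflow, the script below is a standalone shell version of the step described above: it imports the Developer ID identity into the runner's default `login.keychain-db`, skips with a log line when the certificate secrets are absent, signs a native module with `--timestamp`, and then runs the check that would have caught the v0.1.8 failure before notarization, walking `Contents/Resources` for `.node` files (the directory the bundler's own pass does not visit) and confirming each one is signed and carries a secure timestamp. `APPLE_CERTIFICATE` is the secret named on the page; `APPLE_CERTIFICATE_PASSWORD`, `KEYCHAIN_PASSWORD`, `APPLE_SIGNING_IDENTITY`, `NODE_FILE` and `APP_BUNDLE` are assumed variable names, and the sample `codesign -dvv` output is constructed for the parser check.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow step. Pre-build keychain import against the
# runner's login keychain, a --timestamp codesign of a native .node, and a check of
# every .node under Contents/Resources. Assumed (not from the page) variable names:
# APPLE_CERTIFICATE_PASSWORD, KEYCHAIN_PASSWORD, APPLE_SIGNING_IDENTITY, NODE_FILE,
# APP_BUNDLE. `security` and `codesign` are Apple's tools and only exist on macOS.
set -u

LOGIN_KEYCHAIN="${HOME:-/tmp}/Library/Keychains/login.keychain-db"

# Skip path: both cert secrets must be non-empty. Status 1 means "skip, build
# unsigned", mirroring the PR's explanatory-log behaviour.
signing_enabled() {
  if [ -z "${APPLE_CERTIFICATE:-}" ] || [ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]; then
    echo "APPLE_CERTIFICATE secrets absent: skipping keychain import, build stays unsigned" >&2
    return 1
  fi
  return 0
}

# The keychain import dance, aimed at login.keychain-db instead of an ephemeral
# keychain. set-key-partition-list is what lets a non-interactive codesign use
# the private key without a GUI prompt on the runner.
import_identity() {
  p12="$(mktemp -t devid).p12"
  printf '%s' "$APPLE_CERTIFICATE" | base64 --decode > "$p12"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$LOGIN_KEYCHAIN"
  security import "$p12" -k "$LOGIN_KEYCHAIN" -P "$APPLE_CERTIFICATE_PASSWORD" \
    -T /usr/bin/codesign -T /usr/bin/security
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$KEYCHAIN_PASSWORD" "$LOGIN_KEYCHAIN" > /dev/null
  rm -f "$p12"
}

# --timestamp is the "secure timestamp" notarytool checks for; --options runtime
# enables the hardened runtime that notarization also requires.
sign_module() {
  codesign --force --timestamp --options runtime --sign "$1" "$2"
}

# Reads `codesign -dvv` output on stdin; status 0 only when a Timestamp= line is
# present, i.e. the signature carries a secure timestamp.
has_secure_timestamp() {
  grep -q '^Timestamp='
}

# Walk the bundle's Resources dir for .node files and report any that are
# unsigned or lack a timestamp. Uses a temp list instead of a pipe so the
# failure status survives the loop.
verify_runtime_modules() {
  app="$1"; rc=0
  list="$(mktemp)"
  find "$app/Contents/Resources" -name '*.node' -type f > "$list"
  while IFS= read -r f; do
    if ! codesign --verify --strict "$f" 2>/dev/null; then
      echo "unsigned: $f" >&2; rc=1
    elif ! codesign -dvv "$f" 2>&1 | has_secure_timestamp; then
      echo "no secure timestamp: $f" >&2; rc=1
    fi
  done < "$list"
  rm -f "$list"
  return $rc
}

# Constructed sample output modelled on `codesign -dvv`, used to exercise the
# parser where codesign itself is unavailable. Identity and team are placeholders.
SAMPLE_SIGNED='Executable=/tmp/app/Contents/Resources/runtime-modules/better-sqlite3/build/Release/better_sqlite3.node
Identifier=better_sqlite3
Format=Mach-O thin (arm64)
Authority=Developer ID Application: Example Corp (TEAMIDPLACEHOLDER)
Timestamp=May 12, 2026 at 10:00:00 AM
TeamIdentifier=TEAMIDPLACEHOLDER'
SAMPLE_NO_TS='Executable=/tmp/app/Contents/Resources/runtime-modules/better-sqlite3/build/Release/better_sqlite3.node
Identifier=better_sqlite3
Format=Mach-O thin (arm64)
Signature=adhoc'

# Only runs end to end on a macOS runner that has the secrets; elsewhere the
# functions are still defined so the skip logic and parser can be exercised.
if [ "$(uname -s)" = Darwin ] && signing_enabled; then
  import_identity
  [ -n "${NODE_FILE:-}" ] && sign_module "$APPLE_SIGNING_IDENTITY" "$NODE_FILE"
  [ -n "${APP_BUNDLE:-}" ] && verify_runtime_modules "$APP_BUNDLE"
fi
```

Run `verify_runtime_modules` against the finished `.app` as a gate before `notarytool submit`: it fails fast on the exact condition in the Apple log above, so an unsigned or timestamp-less module in `Resources/` is caught on the runner rather than in the notarization response.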