
Codesign and notarize macOS release binaries #1224

Description

@panga

What problem are you trying to solve?

nono's macOS release binaries are distributed unsigned. This causes several problems for macOS users:

  • Keychain password prompts. Unsigned binaries get a new/unstable code signing identity on each build, so macOS treats every release as a different application. Any nono component that touches Keychain items (the keystore / credential injection in nono-proxy) triggers repeated "allow access to keychain" prompts, and ACL grants don't persist across versions.
  • Gatekeeper friction. Unsigned, un-notarized binaries are blocked by Gatekeeper ("cannot be opened because the developer cannot be verified"), forcing users to right-click-open or strip the quarantine attribute manually.
  • Enterprise allowlisting. Many enterprise environments allowlist tools by code signature / Team ID (via MDM, EDR, or app allowlisting). Unsigned binaries can't be allowlisted by signature, which blocks adoption of nono in exactly the kind of locked-down environment a sandboxing tool targets.

What would you like to see?

macOS release artifacts should be codesigned with a Developer ID certificate and notarized (with the notarization ticket stapled) before publishing.

Suggested approach: add a GitHub Actions release pipeline using GoReleaser to handle cross-target builds plus signing and notarization in one place.

What have you tried instead?

Users currently work around Gatekeeper with right-click-open and re-approve Keychain prompts on every release; neither is viable for enterprise allowlisting.

How is this blocking you?

It's blocking production use of nono.

Additional context

Labels: enhancement (New feature or request)
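The pipeline the issue asks for, as an added example that is not part of @panga's issue and not the nono project's own configuration: a `.goreleaser.yaml` that builds the darwin targets, signs them with a Developer ID Application certificate and submits them for notarization in the same `goreleaser release` run. It assumes a Go module whose main package lives at `./cmd/nono` and a build id of `nono` (both hypothetical; if nono is not Go, only the `builds` section changes). Field names follow GoReleaser v2's `notarize.macos` section, which signs and notarizes through anchore/quill and therefore runs on a Linux runner without Xcode; check them against the GoReleaser version pinned in CI. The five `MACOS_*` secret names are assumptions, not names from the issue.

```yaml
# .goreleaser.yaml (added example; not from the nono repository)
version: 2

builds:
  - id: nono
    main: ./cmd/nono          # assumed location of the main package
    binary: nono
    env:
      - CGO_ENABLED=0
    goos:
      - darwin
      - linux
    goarch:
      - amd64
      - arm64
    ldflags:
      - -s -w -X main.version={{ .Version }}

# Sign every darwin binary from the "nono" build with the Developer ID
# certificate, then notarize it with App Store Connect API credentials.
# The whole block is skipped when the signing secret is absent, so
# fork/PR builds still succeed without access to the certificate.
notarize:
  macos:
    - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
      ids:
        - nono
      sign:
        # base64 of the "Developer ID Application" .p12 export
        certificate: "{{ .Env.MACOS_SIGN_P12 }}"
        password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
      notarize:
        # App Store Connect API key (Team Key), not an Apple ID password
        issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
        key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
        key: "{{ .Env.MACOS_NOTARY_KEY }}"     # base64 of the .p8 file
        wait: true                              # fail the release if Apple rejects
        timeout: 20m

archives:
  - id: default
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

checksum:
  name_template: checksums.txt
```

In GitHub Actions this is driven by `goreleaser/goreleaser-action` with `args: release --clean` and the five secrets exported into `env`; a tag push is the only trigger needed. Two checks a practitioner should run on the published artifact: `codesign -dvv ./nono` must show `Authority=Developer ID Application: ...` and the expected `TeamIdentifier=` (the value enterprise allowlists key on), and `spctl -a -vv -t execute ./nono` should report `source=Notarized Developer ID`. Two caveats: `xcrun stapler staple` only works on app bundles, `.dmg` and `.pkg` files, so a bare Mach-O cannot carry a stapled ticket and Gatekeeper will verify notarization online unless the binary is shipped inside a `.pkg` or `.dmg`; and Keychain ACLs match on the code's designated requirement, so the signing identifier and Team ID must stay the same from release to release for the "always allow" grant to survive an upgrade.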