
macOS Release

Public macOS releases are produced by the GitHub Actions release workflow, which runs either when a release tag is pushed or when it is started manually through workflow_dispatch.

The workflow runs npm run package:signed:mac:all to produce Intel and Apple Silicon DMGs. Before packaging, scripts/prepare-runtime-config.mjs writes resources/config/default.json from GitHub Actions variables and secrets: the API base URL, the remote logging settings, and the Better Stack settings when remote logging is enabled. The runtime config is therefore baked into the signed bundle and is covered by the code signature.

CI imports the Developer ID Application certificate, enables Hardened Runtime through electron-builder, applies explicit entitlements, signs the app and DMG, then starts Apple notarization with notarytool. After notarization, the ticket is stapled to the DMG.

The workflow then verifies, in order: the signing identity, the DMG signature, Gatekeeper acceptance of the DMG (when the runner can assess it), the signature of the app inside the mounted DMG, the expected Team ID, validation of the stapled ticket, Gatekeeper acceptance of the app, and the presence of the expected release artifacts.

The same checks can be run locally on macOS with:

npm run verify:mac

The CI workflow may skip the DMG Gatekeeper check on hosted runners when spctl --assess --type open returns Insufficient Context for an otherwise correctly signed DMG. The skip applies to that single assessment only: the workflow still verifies the DMG signature, the mounted app signature, the expected Team ID and the stapled ticket, and it still requires Gatekeeper to accept the app itself. A skipped DMG assessment is never treated as acceptance.

A signed release must contain Resources/config/default.json with a non-empty apiBaseUrl. When OBSCURA_FLOW_REMOTE_LOGGING_ENABLED=true, the same file must enable remoteLogging and contain the remote logging ingestion endpoint. A release that passes the signature checks but ships an empty or incomplete config is still a bad release, so the config check is part of verification rather than an afterthought.