From 6ebbf1303180de9017cc587637f6519b75c25462 Mon Sep 17 00:00:00 2001 From: Forketyfork Date: Wed, 11 Mar 2026 17:21:36 +0100 Subject: [PATCH] fix(release): restore ad-hoc signing for macOS bundles Architect release artifacts stopped launching after the workflow switched from ad-hoc bundle signing to fully unsigned bundles. Clearing quarantine was no longer enough because Finder and LaunchServices rejected app bundles that were not signed at all. Switch the release workflow back to the bundle script's ad-hoc signing path and rename the release assets accordingly. Update the release documentation to explain that GitHub downloads are ad-hoc signed for local launch, but still not Developer ID signed or notarized. --- .github/workflows/release.yaml | 10 +++++----- README.md | 15 ++++++++------- docs/development.md | 6 +++--- 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9e82e77..0351d0a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -72,22 +72,22 @@ jobs: - name: Bundle libraries and package run: | chmod +x scripts/bundle-macos.sh - ./scripts/bundle-macos.sh zig-out/bin/architect release --unsigned + ./scripts/bundle-macos.sh zig-out/bin/architect release cd release - tar -czf architect-macos-${{ matrix.arch }}-unsigned.tar.gz Architect.app + tar -czf architect-macos-${{ matrix.arch }}.tar.gz Architect.app working-directory: architect - name: Upload artifact uses: actions/upload-artifact@v7 with: - name: architect-macos-${{ matrix.arch }}-unsigned - path: architect/release/architect-macos-${{ matrix.arch }}-unsigned.tar.gz + name: architect-macos-${{ matrix.arch }} + path: architect/release/architect-macos-${{ matrix.arch }}.tar.gz - name: Create Release if: startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@v2 with: - files: architect/release/architect-macos-${{ matrix.arch }}-unsigned.tar.gz + files: architect/release/architect-macos-${{ matrix.arch }}.tar.gz draft: false prerelease: false generate_release_notes: true diff --git a/README.md b/README.md index 2f197ab..8ae5c9f 100644 --- a/README.md +++ b/README.md 
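Review bot: Nothing in the `Bundle libraries and package` step checks that the bundle is actually signed before it is archived, so the regression this commit fixes could return unnoticed if `scripts/bundle-macos.sh` (not part of this patch) changes its default behaviour again. Adding `codesign --verify --deep --strict Architect.app` right after `cd release` would fail the job on an unsigned or broken bundle instead of shipping it. An ad-hoc signature also carries no publisher identity, and the install instructions have users remove the quarantine attribute, so a download has no provenance check at all. Publishing a digest next to the archive, e.g. `shasum -a 256 architect-macos-${{ matrix.arch }}.tar.gz > architect-macos-${{ matrix.arch }}.tar.gz.sha256` and listing that file under `files:`, would give users something to verify before they run the app.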
@@ -50,29 +50,30 @@ Architect solves this with a grid view that keeps all your agents visible, with ## Installation -### Download Pre-built Binary (macOS, unsigned) +### Download Pre-built Binary (macOS) -Download the latest unsigned release from the [releases page](https://github.com/forketyfork/architect/releases). +Download the latest release from the [releases page](https://github.com/forketyfork/architect/releases). **For Apple Silicon (M1/M2/M3/M4):** ```bash -curl -LO https://github.com/forketyfork/architect/releases/latest/download/architect-macos-arm64-unsigned.tar.gz -tar -xzf architect-macos-arm64-unsigned.tar.gz +curl -LO https://github.com/forketyfork/architect/releases/latest/download/architect-macos-arm64.tar.gz +tar -xzf architect-macos-arm64.tar.gz xattr -dr com.apple.quarantine Architect.app open Architect.app ``` **For Intel Macs:** ```bash -curl -LO https://github.com/forketyfork/architect/releases/latest/download/architect-macos-x86_64-unsigned.tar.gz -tar -xzf architect-macos-x86_64-unsigned.tar.gz +curl -LO https://github.com/forketyfork/architect/releases/latest/download/architect-macos-x86_64.tar.gz +tar -xzf architect-macos-x86_64.tar.gz xattr -dr com.apple.quarantine Architect.app open Architect.app ``` **Note**: -* These GitHub release archives are unsigned. Clear the quarantine attribute before first launch, or macOS may block the app. +* These GitHub release archives are ad-hoc signed so macOS can launch them locally, but they are not Developer ID signed or notarized. +* Clear the quarantine attribute before first launch, or macOS may block the app. * The archive contains `Architect.app`. You can launch it with `open Architect.app` or run `./Architect.app/Contents/MacOS/architect` from the terminal. Keep the bundle contents intact. * Not sure which architecture? Run `uname -m` - if it shows `arm64`, use the ARM64 version; if it shows `x86_64`, use the Intel version. 
diff --git a/docs/development.md b/docs/development.md index 5f8cf20..27d428c 100644 --- a/docs/development.md +++ b/docs/development.md @@ -89,8 +89,8 @@ git tag v0.1.0 git push origin v0.1.0 ``` -The release workflow packages unsigned app bundles. It does not import macOS signing certificates and does not notarize the app. Release downloads therefore require clearing the quarantine attribute after extraction, as described in the README installation instructions. You can also run the Release workflow manually with `workflow_dispatch` to validate the packaging flow before pushing a real release tag. +The release workflow packages ad-hoc-signed app bundles with local `codesign --sign -`. It does not import macOS signing certificates, does not produce Developer ID-signed artifacts, and does not notarize the app. Release downloads therefore still require clearing the quarantine attribute after extraction, as described in the README installation instructions. You can also run the Release workflow manually with `workflow_dispatch` to validate the packaging flow before pushing a real release tag. Each release includes: -- `architect-macos-arm64-unsigned.tar.gz` - Apple Silicon -- `architect-macos-x86_64-unsigned.tar.gz` - Intel +- `architect-macos-arm64.tar.gz` - Apple Silicon +- `architect-macos-x86_64.tar.gz` - Intel