Embed TeamIdentifier in macOS CodeDirectory via anchore/quill (#392)

The goreleaser/quill fork (embedded in GoReleaser v2.14.x) never populates
the TeamIdentifier field in the CodeDirectory during signing
(anchore/quill#147). Replace the built-in notarize block with direct
anchore/quill v0.7.1 CLI calls:

- Build hook (scripts/sign-darwin.sh) signs darwin binaries before
  archiving so archives, checksums, and tap manifests are correct.
  Fails closed in CI when QUILL_SIGN_P12 is set; skips in local dev.
- Notarization runs as a separate workflow step after GoReleaser publishes
  using --notary-* flags. Password via QUILL_SIGN_PASSWORD env var.
- Post-release macos-verify job asserts TeamIdentifier and hardened runtime
  for both darwin/amd64 and darwin/arm64 on a macOS runner. Notarization
  status is best-effort telemetry (ticket propagation can lag).
- Credentials written to $RUNNER_TEMP with umask 077, cleaned up via
  if: always(). Quill added to $GITHUB_PATH explicitly.

Revert path: #393 tracks reverting when goreleaser/quill syncs the fix.

Author: jeremy

.github/workflows/release.yml

@@ -225,6 +225,20 @@ jobs:
           MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
           MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
 
+      - name: Install quill for macOS signing
+        run: |
+          go install github.com/anchore/quill/cmd/quill@v0.7.1
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+      - name: Prepare signing credentials
+        env:
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+        run: |
+          umask 077
+          echo "$MACOS_SIGN_P12" | base64 -d > "$RUNNER_TEMP/codesign.p12"
+          echo "$MACOS_NOTARY_KEY" | base64 -d > "$RUNNER_TEMP/notary.p8"
+
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:
@@ -237,18 +251,33 @@ jobs:
           CHANGELOG_FILE: ${{ steps.changelog.outputs.file }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_TOKEN: ${{ steps.sdk-token.outputs.token }}
-          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
-          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
-          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
-          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
-          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+          QUILL_SIGN_P12: ${{ runner.temp }}/codesign.p12
+          QUILL_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
         run: |
           RELEASE_CHANGELOG=""
           if [ -n "$CHANGELOG_FILE" ] && [ -f "$CHANGELOG_FILE" ]; then
             RELEASE_CHANGELOG=$(cat "$CHANGELOG_FILE")
           fi
           export RELEASE_CHANGELOG
-          goreleaser release --clean
+          goreleaser release --clean --skip=notarize
+
+      - name: Notarize macOS binaries
+        env:
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+        run: |
+          for bin in dist/basecamp_darwin_*/basecamp; do
+            echo "Notarizing $bin..."
+            quill notarize "$bin" \
+              --notary-issuer "$MACOS_NOTARY_ISSUER_ID" \
+              --notary-key-id "$MACOS_NOTARY_KEY_ID" \
+              --notary-key "$RUNNER_TEMP/notary.p8" \
+              --wait
+          done
+
+      - name: Clean up signing credentials
+        if: always()
+        run: rm -f "$RUNNER_TEMP/codesign.p12" "$RUNNER_TEMP/notary.p8"
 
       - name: Attest build provenance
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
@@ -268,6 +297,59 @@ jobs:
           git config --global user.email "dev@37signals.com"
           scripts/publish-aur.sh "$VERSION"
 
+  macos-verify:
+    name: Verify macOS signing
+    needs: [release]
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+    steps:
+      - name: Download release binary
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          mkdir -p /tmp/verify
+          gh release download "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_REPOSITORY" \
+            --pattern "basecamp_*_darwin_${{ matrix.arch }}.tar.gz" \
+            --dir /tmp/verify
+          tar -xzf /tmp/verify/basecamp_*_darwin_${{ matrix.arch }}.tar.gz -C /tmp/verify
+
+      - name: Verify TeamIdentifier
+        run: |
+          TEAM_ID=$(codesign -dv --verbose=4 /tmp/verify/basecamp 2>&1 | grep TeamIdentifier= | cut -d= -f2)
+          echo "TeamIdentifier (${{ matrix.arch }}): $TEAM_ID"
+          if [ "$TEAM_ID" != "2WNYUYRS7G" ]; then
+            echo "::error::TeamIdentifier mismatch (${{ matrix.arch }}): expected 2WNYUYRS7G, got $TEAM_ID"
+            exit 1
+          fi
+
+      - name: Verify hardened runtime
+        run: |
+          FLAGS=$(codesign -dv --verbose=4 /tmp/verify/basecamp 2>&1 | grep 'flags=' | head -1)
+          echo "Flags (${{ matrix.arch }}): $FLAGS"
+          if ! echo "$FLAGS" | grep -q 'runtime'; then
+            echo "::error::Hardened runtime flag not set (${{ matrix.arch }}): $FLAGS"
+            exit 1
+          fi
+
+      - name: Check notarization status
+        run: |
+          # Best-effort: notarization ticket propagation can lag, so this is
+          # telemetry, not a gate. TeamIdentifier and hardened runtime above
+          # are the hard assertions.
+          spctl -a -vvv -t install /tmp/verify/basecamp 2>&1 | tee /tmp/verify/spctl.out
+          if grep -q 'accepted\|Notarized Developer ID' /tmp/verify/spctl.out; then
+            echo "Notarization accepted for ${{ matrix.arch }}"
+          else
+            echo "::warning::Notarization not yet accepted for ${{ matrix.arch }} (ticket propagation may lag)"
+          fi
+
   nix-verify:
     name: Verify Nix flake
     needs: [release]

.goreleaser.yaml

@@ -30,6 +30,10 @@ builds:
       - -X github.com/basecamp/basecamp-cli/internal/version.Version={{.Version}}
       - -X github.com/basecamp/basecamp-cli/internal/version.Commit={{.Commit}}
       - -X github.com/basecamp/basecamp-cli/internal/version.Date={{.Date}}
+    hooks:
+      post:
+        - cmd: scripts/sign-darwin.sh "{{ .Os }}" "{{ .Path }}"
+          output: true
 
 archives:
   - id: default
@@ -94,21 +98,13 @@ signs:
     artifacts: checksum
     output: true
 
-# Sign and notarize macOS binaries (cross-platform via embedded quill)
+# Signing handled by scripts/sign-darwin.sh via build hook using anchore/quill
+# CLI directly. The goreleaser/quill fork lacks the TeamIdentifier fix from
+# anchore/quill v0.7.0 (https://github.com/anchore/quill/issues/147).
+# Notarization runs as a separate workflow step after GoReleaser publishes.
 notarize:
   macos:
-    - enabled: '{{ and (ne .Env.MACOS_SIGN_P12 "") (ne .Env.MACOS_SIGN_PASSWORD "") (ne .Env.MACOS_NOTARY_KEY "") (ne .Env.MACOS_NOTARY_KEY_ID "") (ne .Env.MACOS_NOTARY_ISSUER_ID "") }}'
-      ids:
-        - basecamp
-      sign:
-        certificate: "{{.Env.MACOS_SIGN_P12}}"
-        password: "{{.Env.MACOS_SIGN_PASSWORD}}"
-      notarize:
-        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
-        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
-        key: "{{.Env.MACOS_NOTARY_KEY}}"
-        wait: true
-        timeout: 20m
+    - enabled: 'false'
 
 changelog:
   # Use GitHub's auto-generated release notes (categories configured in .github/release.yml)

RELEASING.md

@@ -25,7 +25,7 @@ make release VERSION=0.2.0 DRY_RUN=1
    - Generates AI changelog from commit history
    - Builds binaries for all platforms (darwin, linux, windows, freebsd, openbsd × amd64/arm64)
    - Builds `.deb`, `.rpm`, `.apk` Linux packages (amd64 + arm64)
-   - Signs and notarizes macOS binaries (Developer ID via GoReleaser/quill)
+   - Signs macOS binaries via build hook (`anchore/quill` CLI), notarizes post-publish (see [tradeoff](#macos-signing-tradeoffs))
    - Signs checksums with cosign (keyless via Sigstore OIDC)
    - Generates SBOM for supply chain transparency
    - Updates Homebrew cask (`basecamp-cli`) in `basecamp/homebrew-tap`
@@ -94,3 +94,29 @@ make update-nix-hash
 | deb/rpm/apk packages | GitHub Release assets | GoReleaser (nfpm) |
 | Nix flake | `flake.nix` in repo | Self-serve (`nix profile install github:basecamp/basecamp-cli`) |
 | go install | `go install github.com/basecamp/basecamp-cli/cmd/basecamp@latest` | Go module proxy |
+
+## macOS signing tradeoffs
+
+**Signing** uses `anchore/quill` CLI directly (not GoReleaser's embedded fork)
+because the `goreleaser/quill` fork does not populate the `TeamIdentifier` field
+in the CodeDirectory ([anchore/quill#147](https://github.com/anchore/quill/issues/147)).
+The build hook signs darwin binaries before archiving, so archives, checksums,
+and tap manifests all contain correctly signed binaries.
+
+**Notarization** runs after GoReleaser publishes. This means there is a brief
+window where the GitHub release and Homebrew/Scoop manifests point at binaries
+Apple has not yet accepted. This is accepted release debt, not a bug:
+- The binary bytes are final — notarization for bare Mach-O is purely server-side
+- GateKeeper checks Apple's servers at runtime, not a stapled ticket
+- Bare Mach-O executables cannot be stapled (Apple limitation)
+- This matches the previous GoReleaser/quill behavior
+
+The `macos-verify` post-release job runs on a real macOS runner for both amd64
+and arm64. TeamIdentifier and hardened runtime are hard assertions that fail
+the workflow. The notarization check is best-effort telemetry — ticket
+propagation can lag, so it warns rather than gates.
+
+**Reverting**: when `goreleaser/quill` syncs the fix from anchore/quill v0.7.0,
+revert to the built-in notarize block: remove the build hook, re-enable
+`notarize.macos`, remove the quill install/notarize workflow steps, and delete
+`scripts/sign-darwin.sh`.

scripts/sign-darwin.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Build hook: sign macOS binaries with anchore/quill CLI.
+# Called by GoReleaser after each build.
+#
+# Two modes:
+#   CI (QUILL_SIGN_P12 is set): signing is mandatory, missing deps = hard fail
+#   Local dev (QUILL_SIGN_P12 unset): silently skip
+#
+# Inputs (env):
+#   QUILL_SIGN_P12       - path to .p12 certificate file (set = CI mode)
+#   QUILL_SIGN_PASSWORD  - .p12 unlock password (quill reads this natively)
+# Args:
+#   $1 - target OS (e.g. "darwin", "linux")
+#   $2 - path to built binary
+set -euo pipefail
+
+os="$1"
+path="$2"
+
+# Non-darwin targets: always skip
+[ "$os" = "darwin" ] || exit 0
+
+# No cert path configured: local dev, skip silently
+[ -n "${QUILL_SIGN_P12:-}" ] || exit 0
+
+# From here, CI has opted in to signing. Missing deps are errors.
+if [ ! -f "$QUILL_SIGN_P12" ]; then
+  echo "ERROR: QUILL_SIGN_P12 set but file not found: $QUILL_SIGN_P12" >&2
+  exit 1
+fi
+
+if [ -z "${QUILL_SIGN_PASSWORD:-}" ]; then
+  echo "ERROR: QUILL_SIGN_PASSWORD is not set" >&2
+  exit 1
+fi
+
+if ! command -v quill >/dev/null; then
+  echo "ERROR: quill not found in PATH" >&2
+  exit 1
+fi
+
+quill sign "$path" --p12 "$QUILL_SIGN_P12"