Problem

After brew install StackExchange/tap/dnscontrol, macOS Gatekeeper shows the following error:

Apple could not verify "dnscontrol" is free of malware that may harm your Mac or compromise your privacy.

The binary is not code-signed and not notarized with Apple.

Set up GitHub Actions Secrets

To enable macOS code signing and notarization, the following 5 secrets need to be created.

Go to repo → Settings → Secrets and variables → Actions:

All files and values are available in this 1Password share (valid for 14 days, email verification required):

https://share.1password.com/s#3H_ZmXX5_2CHMNGIJS4ybCmJUzolV4qsCJLrC4ZEsOE

MACOS_SIGN_P12 encoding

The .p12 file from 1Password needs to be base64-encoded:

base64 -i DeveloperIDApplication.p12 | pbcopy

MACOS_NOTARY_KEY

Paste the full contents of the .p8 file, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.

The enabled condition in .goreleaser.yml ensures that builds without these secrets continue normally without signing.