Add codesigning script for macOS #42912

Merged: jdm merged 3 commits into servo:main from jschwe:servo/macos-sign on Mar 6, 2026

@jschwe jschwe commented Feb 27, 2026

This script automates the signing, packaging and notarization of servoshell on macOS.
This is a first step towards: #40031 and #12532. While we could let a maintainer code-sign and upload the signed release, probably this should be integrated into CI, which would require additional work.

This script started out quite simple as part of ./mach package. However, since the script has access to secrets, it shouldn't be part of mach (to minimize the amount of code that needs to be trusted).
We also needed to save state and be able to resume operations, since notarizing can take quite long and the stapling needs to wait until notarization has completed.
Since notarizing can take long (up to a day has been observed during first tests), we save artifacts and the notarization ID, and add a --check-status command that can be used to poll if notarization has been finished.

Testing: Manual testing required. A signed and notarized .dmg artifact has been uploaded to Zulip, allowing others to verify the notarization worked.
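The save-and-resume flow described in the comment above, as an added sketch that is not code from this PR or from etc/macos_sign.py. The function names, the state-file layout, the use of a keychain profile for credentials and the injectable `runner` parameter are assumptions made for illustration.

```python
import json
import os
import subprocess
from pathlib import Path

NOTARY = ["xcrun", "notarytool"]

def _save(state_path, state):
    # Write-then-rename so an interrupted run never leaves a half-written state file.
    tmp = Path(str(state_path) + ".tmp")
    tmp.write_text(json.dumps(state))
    os.replace(tmp, state_path)

def _notary(args, profile, runner):
    # Assumption: credentials sit in a keychain profile, so no secret
    # reaches argv or the state file; only the submission id is persisted.
    cmd = NOTARY + args + ["--keychain-profile", profile, "--output-format", "json"]
    return json.loads(runner(cmd, capture_output=True, text=True, check=True).stdout)

def submit(dmg, state_path, profile, runner=subprocess.run):
    """Submit an already signed .dmg once and record the submission id."""
    state_path = Path(state_path)
    if state_path.exists():  # resume: never submit the same artifact twice
        return json.loads(state_path.read_text())
    out = _notary(["submit", str(dmg)], profile, runner)
    state = {"dmg": str(dmg), "id": out["id"], "stapled": False}
    _save(state_path, state)
    return state

def check_status(state_path, profile, runner=subprocess.run):
    """Poll a saved submission; staple the ticket once it has been accepted."""
    state_path = Path(state_path)
    state = json.loads(state_path.read_text())
    if state["stapled"]:
        return "stapled"
    status = _notary(["info", state["id"]], profile, runner)["status"]
    if status == "In Progress":
        return "pending"
    if status != "Accepted":  # e.g. Invalid or Rejected: fail loudly, do not staple
        raise RuntimeError(f"notarization ended with status {status!r}")
    runner(["xcrun", "stapler", "staple", state["dmg"]], check=True)
    state["stapled"] = True
    _save(state_path, state)
    return "stapled"
```

Passing a stub as `runner` lets the state handling be exercised on a machine without Xcode or signing credentials.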

@jschwe jschwe marked this pull request as ready for review February 27, 2026 16:08
@servo-highfive servo-highfive added the S-awaiting-review There is new code that needs to be reviewed. label Feb 27, 2026
@jdm jdm left a comment

Great work! This looks really useful.

Comment thread etc/macos_sign.py Outdated
Comment thread etc/macos_sign.py Outdated
Comment thread etc/macos_sign.py Outdated
@servo-highfive servo-highfive added S-awaiting-review There is new code that needs to be reviewed. and removed S-awaiting-review There is new code that needs to be reviewed. labels Mar 3, 2026
@jschwe jschwe force-pushed the servo/macos-sign branch 2 times, most recently from 24929ee to 387cbac Compare March 5, 2026 17:19
jschwe added 3 commits March 5, 2026 17:21
Signed-off-by: Jonathan Schwender <[email protected]>
Signed-off-by: Jonathan Schwender <[email protected]>
Signed-off-by: Jonathan Schwender <[email protected]>
@jschwe jschwe force-pushed the servo/macos-sign branch from 387cbac to b1808e8 Compare March 5, 2026 17:21
@jdm jdm added this pull request to the merge queue Mar 6, 2026
@servo-highfive servo-highfive added the S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. label Mar 6, 2026
Merged via the queue into servo:main with commit a2bd2ab Mar 6, 2026
30 checks passed
@servo-highfive servo-highfive removed the S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. label Mar 6, 2026
@jschwe jschwe deleted the servo/macos-sign branch March 6, 2026 05:57