configure goreleaser for signing/notarization

Author: notnmeyer

.github/workflows/release.yml

@@ -25,3 +25,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}

.goreleaser.yaml

@@ -48,16 +48,22 @@ homebrew_casks:
     homepage: https://loops.so
     description: Official CLI for Loops
     binaries: [loops]
-    # TODO: remove this after we're signing the binary
-    hooks:
-      post:
-        install: |
-          if OS.mac?
-            system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/loops"]
-          end
 
 release:
   prerelease: auto
 
 changelog:
   use: github-native
+
+notarize:
+  macos:
+    - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
+      sign:
+        certificate: "{{.Env.MACOS_SIGN_P12}}"
+        password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+      notarize:
+        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+        key: "{{.Env.MACOS_NOTARY_KEY}}"
+        wait: true
+        timeout: 20m

Taskfile.yml

@@ -53,8 +53,9 @@ tasks:
 
   release:local:
     desc: build with goreleaser
+    dotenv: [.env.macos-signing]
     cmds:
-      - goreleaser release --snapshot --clean
+      - goreleaser release --snapshot --single-target --clean
 
   release:check:
     cmds: