Private keys should not be online or at GitHub

[luke-jr]

Considering the security-sensitive nature of this project, the private keys for signing and codesigning should probably be kept offline, certainly not given to GitHub Actions...

[saturneric]

You’re right that keeping signing keys in CI is a potential security risk.

In our case, the key in GitHub Actions is an Apple developer certificate, mainly to avoid the manual and error-prone signing process. To mitigate risks, every release is also GPG-signed so you can independently verify the artifacts.

That said, I do plan to look into using self-hosted runners in the future (e.g. GitLab), but for macOS images there isn’t a good solution yet.

[luke-jr]

For Bitcoin Knots, we have (100% Linux) deterministic builds that are then codesigned for macOS with a simple script: https://github.com/bitcoinknots/bitcoin/blob/29.x-knots/contrib/macdeploy/detached-sig-create.sh

Self-hosted runners sounds like it would still be automatically triggered by online/GitHub processes. I would recommend keeping the private keys entirely offline, and only signing manually when physically present at the signing machine, at least for official releases.