timescale · nathanjcochran · Sep 15, 2025 · Sep 15, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,6 +22,13 @@ jobs:
         with:
           go-version-file: 'go.mod'
 
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_FILE }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -37,3 +44,14 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.ORG_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.ORG_AWS_SECRET_ACCESS_KEY }}
           AWS_REGION: us-east-1
+          # macOS code signing and notarization
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+          # GPG signing for Linux packages and checksums
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_PRIVATE_KEY_FILE: ${{ secrets.GPG_PRIVATE_KEY_FILE }}
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -51,6 +51,34 @@ archives:
       - LICENSE
       - NOTICE
 
+# GPG signing for checksums and archives (optional - only if env vars are set)
+signs:
+  - cmd: gpg
+    args:
+      - --batch
+      - --local-user
+      - "{{ .Env.GPG_FINGERPRINT }}"
+      - --output
+      - "${signature}"
+      - --detach-sign
+      - "${artifact}"
+    artifacts: checksum
+    stdin: "{{ .Env.GPG_PASSPHRASE }}"
+
+# macOS code signing and notarization (optional - only if env vars are set)
+notarize:
+  macos:
+    - enabled: true
+      ids:
+        - tiger-cli
+      sign:
+        certificate: "{{.Env.MACOS_SIGN_P12}}"
+        password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+      notarize:
+        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+        key: "{{.Env.MACOS_NOTARY_KEY}}"
+
 # Linux package configuration (APT, RPM, etc.)
 nfpms:
   - id: packages
@@ -71,9 +99,16 @@ nfpms:
     file_name_template: "{{ .ConventionalFileName }}"
     rpm:
       group: Unspecified
+      signature:
+        key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}'
     deb:
+      signature:
+        key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}'
       lintian_overrides:
         - statically-linked-binary
+    apk:
+      signature:
+        key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}'
 
 
 # S3 Blob Storage Configuration
@@ -117,14 +152,6 @@ homebrew_casks:
     skip_upload: auto
     url:
       template: "https://tiger-cli-releases.s3.us-east-1.amazonaws.com/releases/{{ .Tag }}/{{ .ArtifactName }}"
-    hooks:
-      # TODO: Sign and notarize instead of removing quarantine bit
-      # See: https://goreleaser.com/customization/homebrew_casks/#signing-and-notarizing
-      post:
-        install: |
-          if OS.mac?
-            system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/tiger"]
-          end
     # Optional: Add caveats for user instructions
     caveats: |
       Tiger CLI has been installed successfully!