From d37d918e2daf27bdde32639935b5ad1ba5e0297b Mon Sep 17 00:00:00 2001
From: gotbadger
Date: Fri, 20 Feb 2026 16:51:26 +0000
Subject: [PATCH] CM-53930: improve notarization output
---
.github/workflows/build_executable.yml | 35 ++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_executable.yml b/.github/workflows/build_executable.yml
index 333427a3..1f1e2582 100644
--- a/.github/workflows/build_executable.yml
+++ b/.github/workflows/build_executable.yml
@@ -127,6 +127,22 @@ jobs:
 - name: Test executable
 run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version
+ - name: Codesign onedir binaries
+ if: runner.os == 'macOS' && matrix.mode == 'onedir'
+ env:
+ APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
+ run: |
+ # Sign all Mach-O binaries in the onedir output (excluding the main executable)
+ # Main executable must be signed last after all its dependencies
+ find dist/cycode-cli -type f ! -name "cycode-cli" | while read -r file; do
+ if file -b "$file" | grep -q "Mach-O"; then
+ codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file"
+ fi
+ done
+
+ # Re-sign the main executable with entitlements (must be last)
+ codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime --entitlements entitlements.plist dist/cycode-cli/cycode-cli
+
 - name: Notarize macOS executable
 if: runner.os == 'macOS'
 env:
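Review bot: The signing loop added under `run: |` in the Codesign step reads `find` output with `while read -r file`, which splits on newlines and, without `pipefail`, lets a failing `find` go unnoticed while the step still succeeds; `find dist/cycode-cli -type f ! -name "cycode-cli" -print0 | while IFS= read -r -d '' file; do` together with `set -euo pipefail` at the top of the script makes both failure modes visible. The step is gated on `matrix.mode == 'onedir'` while the Notarize step below it runs for every macOS build, so if the onefile artifact is not signed in an earlier step outside this hunk, its notarization submission would be rejected; worth confirming against the rest of the workflow. The first comment could also state why every nested binary gets `--options runtime`, e.g. `# hardened runtime on every nested Mach-O is required for notarization to accept the bundle`.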
@@ -137,11 +153,26 @@ jobs:
 # create keychain profile
 xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"
- # create zip file (notarization does not support binaries)
+ # create zip file (notarization does not support bare binaries)
 ditto -c -k --keepParent dist/cycode-cli notarization.zip
 # notarize app (this will take a while)
- xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait
+ NOTARIZE_OUTPUT=$(xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait 2>&1) || true
+ echo "$NOTARIZE_OUTPUT"
+
+ # extract submission ID for log retrieval
+ SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep " id:" | head -1 | awk '{print $2}')
+
+ # check notarization status explicitly
+ if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then
+ echo "Notarization succeeded!"
+ else
+ echo "Notarization failed! Fetching log for details..."
+ if [ -n "$SUBMISSION_ID" ]; then
+ xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" || true
+ fi
+ exit 1
+ fi
 # we can't staple the app because it's executable
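Review bot: The success check in the new `NOTARIZE_OUTPUT` handling matches the human-readable `status: Accepted` text and takes the first ` id:` line as the submission id, so a wording change in `notarytool` output would turn every run into a reported failure, or leave `SUBMISSION_ID` empty so no log is fetched. `xcrun notarytool submit` accepts `--output-format json`, which would let the status and id be read by key instead of by substring. The `|| true` on the submit line is sound only because the explicit status check and `exit 1` restore the failure, and that reasoning deserves a comment on the line: `# do not fail here; status is checked explicitly below so the log can be fetched first`. The `run: |` script continues past the end of this hunk.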