mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
ad2012d645
## Why

The public Codex release workflow needs to sign and notarize macOS binaries and DMGs without placing the Developer ID private key in GitHub. This moves the private-key operation behind the protected `codesigning` environment and uses GitHub OIDC with Azure Key Vault PKCS#11, while preserving the existing external `build_unsigned` / `promote_signed` fallback.

## What changed

- Add a reusable AKV PKCS11 setup action that authenticates to Azure with OIDC, downloads pinned signing tools, verifies their SHA-256 digests, and loads the public signing certificate from Key Vault.
- Replace the legacy macOS signing action with scripts that support AKV-backed `rcodesign`, notarize signed binaries and DMGs, and staple DMG notarization tickets.
- Restructure `rust-release.yml` so macOS builds produce unsigned artifacts first, protected jobs perform signing and notarization, macOS runners package and verify the results, and release publishing waits for verified artifacts.
- Preserve the manual external-signing handoff flow and make manual-mode conditions explicit.
- Move the Codex entitlements file alongside the signing scripts and update CODEOWNERS for the new signing surfaces.

## Verification

- [Live protected signing workflow run](https://github.com/openai/codex/actions/runs/26903610631) completed successfully for both macOS architectures, including binary signing/notarization, DMG signing/notarization, and final artifact verification.
- Downloaded both signed DMGs and independently verified their checksums and strict signatures.
- Confirmed `xcrun stapler validate` succeeds and Gatekeeper accepts both DMGs as `Notarized Developer ID`.
- Mounted both DMGs and confirmed the contained `codex` and `codex-responses-api-proxy` binaries have valid Developer ID signatures for the expected architectures.

---------

Co-authored-by: shijie-openai <shijie.rao@openai.com>
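The "downloads pinned signing tools, verifies their SHA-256 digests" step described in the commit message, as an added example that is not the codex repository's own setup action: a POSIX sh check that refuses to use any downloaded tool whose digest does not match a pinned manifest. The manifest format (`<sha256>  <filename>`), the tool file names and the digests in the demo are constructed for illustration.

```shell
# Added example, not from openai/codex: verify downloaded signing tools
# against a pinned SHA-256 manifest before they are used. Assumption: the
# manifest holds lines of the form "<sha256>  <filename>"; blank lines and
# lines starting with '#' are ignored. Tool names below are constructed.

# Portable SHA-256: GNU coreutils sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned_tools MANIFEST DIR
# Returns 0 only if every file named in MANIFEST exists in DIR with a matching
# digest; a missing or mismatched file fails the whole check (fail closed).
verify_pinned_tools() {
  manifest="$1"; dir="$2"; status=0
  while read -r expected name; do
    [ -z "$expected" ] && continue                 # blank line
    case "$expected" in '#'*) continue ;; esac     # comment line
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(sha256_of "$path")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (expected $expected, got $actual)" >&2; status=1
    fi
  done < "$manifest"
  return $status
}

# Constructed demo: create two fake tool files, pin their digests, verify, then
# tamper with one file to show the check failing closed.
demo_dir=$(mktemp -d)
printf 'fake rcodesign\n' > "$demo_dir/rcodesign"
printf 'fake pkcs11 module\n' > "$demo_dir/libakv-pkcs11.so"
{
  echo '# pinned tool digests (constructed)'
  echo "$(sha256_of "$demo_dir/rcodesign")  rcodesign"
  echo "$(sha256_of "$demo_dir/libakv-pkcs11.so")  libakv-pkcs11.so"
} > "$demo_dir/manifest.sha256"
verify_pinned_tools "$demo_dir/manifest.sha256" "$demo_dir" && echo "all tools verified"
printf 'tampered\n' > "$demo_dir/rcodesign"   # simulate a substituted download
verify_pinned_tools "$demo_dir/manifest.sha256" "$demo_dir" || echo "refusing tampered tools"
rm -rf "$demo_dir"
```

In a workflow the manifest is committed with the action and the check runs right after the download, so a substituted tool archive fails the job before any signing step runs.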
13 lines
551 B
Plaintext
```
# Core crate ownership.
/codex-rs/core/ @openai/codex-core-agent-team
/codex-rs/ext/extension-api/ @openai/codex-core-agent-team
/codex-rs/prompts/ @openai/codex-core-agent-team

# Keep macOS AKV signing changes reviewed by Codex maintainers.
/.github/actions/setup-akv-pkcs11-codesigning/ @openai/codex-core-agent-team
/.github/scripts/macos-signing/ @openai/codex-core-agent-team
/.github/workflows/rust-release.yml @openai/codex-core-agent-team

# Keep ownership changes reviewed by the same team.
/.github/CODEOWNERS @openai/codex-core-agent-team
```