Add signed package installer scaffolding#1714

Open
Siddhant-K-code wants to merge 2 commits into main from SK/signed-package-installers

Conversation

Siddhant-K-code (Collaborator) commented Jul 1, 2026

Summary

Adds the first signed/package-manager installer implementation pass:

  • git-ai setup-package --manager <msi|pkg|apt|brew> for conservative per-user setup after package-manager installs
  • MSI, PKG, deb, and Homebrew formula packaging scaffolding with no git/git.exe shim installation
  • release workflow jobs for macOS binary signing, MSI build/sign, PKG build/notarize, deb build/test, and generated git-ai.rb
  • package smoke tests in CI for MSI/PKG/deb artifacts

This intentionally starts fresh instead of continuing #1322: new installers must not install Git shims or intercept git.

Secrets/vars needed before production release

Apple:

  1. In Apple Developer, create Developer ID Application and Developer ID Installer certificates from a CSR.
  2. Import each .cer into Keychain, export each cert+private key as .p12, then base64 encode it.
  3. In App Store Connect, create a notarization API key and base64 encode the .p8.
  4. Add GitHub Actions repository secrets under Settings -> Secrets and variables -> Actions -> Secrets:
    • APPLE_DEVELOPER_ID_APPLICATION_P12_BASE64
    • APPLE_DEVELOPER_ID_APPLICATION_P12_PASSWORD
    • APPLE_DEVELOPER_ID_APPLICATION_IDENTITY (Developer ID Application: ...)
    • APPLE_DEVELOPER_ID_INSTALLER_P12_BASE64
    • APPLE_DEVELOPER_ID_INSTALLER_P12_PASSWORD
    • APPLE_DEVELOPER_ID_INSTALLER_IDENTITY (Developer ID Installer: ...)
    • APPLE_NOTARY_KEY_ID
    • APPLE_NOTARY_ISSUER_ID
    • APPLE_NOTARY_KEY_P8_BASE64

Azure Artifact Signing:

  1. Create/verify the Artifact Signing account, a completed public identity validation, and a Public Trust certificate profile.
  2. Create a GitHub OIDC app registration/federated credential for production releases from main (repo:git-ai-project/git-ai:ref:refs/heads/main).
  3. Grant it Artifact Signing Certificate Profile Signer on the signing account/profile.
  4. Add GitHub Actions repository secrets under Settings -> Secrets and variables -> Actions -> Secrets:
    • AZURE_CLIENT_ID
    • AZURE_TENANT_ID
    • AZURE_SUBSCRIPTION_ID
  5. Add GitHub Actions repository variables under Settings -> Secrets and variables -> Actions -> Variables:
    • AZURE_ARTIFACT_SIGNING_ENDPOINT
    • AZURE_ARTIFACT_SIGNING_ACCOUNT
    • AZURE_ARTIFACT_SIGNING_CERT_PROFILE

Quarantine cleanup

This PR does not remove the macOS xattr -d com.apple.quarantine fallback from install.sh. Remove it only after a production release with signed macOS binaries and signed/notarized PKGs has shipped and fresh install/upgrade paths are verified.

Validation

  • cargo fmt
  • task test TEST_FILTER=package_setup CARGO_TEST_ARGS="--lib"
  • task build
  • bash -n packaging/debian/build-deb.sh packaging/macos/build-pkg.sh packaging/homebrew/update-formula.sh packaging/debian/postinst packaging/debian/prerm packaging/macos/scripts/postinstall packaging/macos/scripts/preinstall
  • YAML parse via python3/PyYAML
  • local deb smoke build from target/debug/git-ai
  • Homebrew formula render smoke test
  • task lint

Linear: PD-10

Supersedes #1322
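The Apple and Azure setup steps listed in the PR description map onto a release workflow roughly like the one below. This is an added illustration, not code from PR #1714 or the git-ai project: the job names, the artifact paths (dist/git-ai, dist/git-ai-unsigned.pkg, dist/git-ai.pkg), the assumption that build-pkg.sh emits an unsigned PKG, the download-artifact name, the trusted-signing action name and its inputs, and the timestamp URL are all assumptions to be checked against the real workflow and the action's README. The secret and variable names are the ones the description lists. The last macOS step is the Gatekeeper check that should pass before the quarantine xattr fallback is removed.

```yaml
# Added example, not from PR #1714. Job/artifact names and the Azure action
# inputs are assumptions; secret and variable names match the PR description.
name: release
on:
  push:
    branches: [main]          # matches the OIDC subject repo:...:ref:refs/heads/main

permissions:
  contents: read
  id-token: write             # required for azure/login via the federated credential

jobs:
  macos-sign-notarize:
    runs-on: macos-latest
    env:
      KEYCHAIN: ${{ runner.temp }}/ci.keychain-db
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: git-ai-macos  # assumed artifact name, containing dist/git-ai
      - name: Import Developer ID certificates into a throwaway keychain
        env:
          APP_P12_B64: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_P12_BASE64 }}
          APP_P12_PW: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_P12_PASSWORD }}
          INST_P12_B64: ${{ secrets.APPLE_DEVELOPER_ID_INSTALLER_P12_BASE64 }}
          INST_P12_PW: ${{ secrets.APPLE_DEVELOPER_ID_INSTALLER_P12_PASSWORD }}
        run: |
          set -euo pipefail
          KC_PW="$(openssl rand -hex 24)"        # CI-only keychain, random password
          security create-keychain -p "$KC_PW" "$KEYCHAIN"
          security set-keychain-settings -lut 1800 "$KEYCHAIN"
          security unlock-keychain -p "$KC_PW" "$KEYCHAIN"
          echo "$APP_P12_B64"  | base64 --decode > "$RUNNER_TEMP/app.p12"
          echo "$INST_P12_B64" | base64 --decode > "$RUNNER_TEMP/inst.p12"
          security import "$RUNNER_TEMP/app.p12"  -k "$KEYCHAIN" -P "$APP_P12_PW"  -T /usr/bin/codesign
          security import "$RUNNER_TEMP/inst.p12" -k "$KEYCHAIN" -P "$INST_P12_PW" -T /usr/bin/productsign
          # let codesign/productsign use the keys without a UI prompt
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KC_PW" "$KEYCHAIN"
          security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
          rm -f "$RUNNER_TEMP"/*.p12              # key material stays only in the keychain
      - name: Sign the binary with hardened runtime and a secure timestamp
        run: >
          codesign --sign "${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_IDENTITY }}"
          --options runtime --timestamp --force --verbose=2 dist/git-ai
      - name: Build and sign the PKG
        run: |
          set -euo pipefail
          bash packaging/macos/build-pkg.sh     # assumed to write dist/git-ai-unsigned.pkg
          productsign --sign "${{ secrets.APPLE_DEVELOPER_ID_INSTALLER_IDENTITY }}" \
            --timestamp dist/git-ai-unsigned.pkg dist/git-ai.pkg
      - name: Notarize and staple
        env:
          P8_B64: ${{ secrets.APPLE_NOTARY_KEY_P8_BASE64 }}
        run: |
          set -euo pipefail
          echo "$P8_B64" | base64 --decode > "$RUNNER_TEMP/notary.p8"
          xcrun notarytool submit dist/git-ai.pkg \
            --key "$RUNNER_TEMP/notary.p8" \
            --key-id "${{ secrets.APPLE_NOTARY_KEY_ID }}" \
            --issuer "${{ secrets.APPLE_NOTARY_ISSUER_ID }}" \
            --wait
          xcrun stapler staple dist/git-ai.pkg
          rm -f "$RUNNER_TEMP/notary.p8"
      - name: Gatekeeper checks (evidence needed before dropping the xattr fallback)
        run: |
          codesign --verify --strict --verbose=2 dist/git-ai
          spctl --assess --type install --verbose=2 dist/git-ai.pkg
      - name: Remove the CI keychain
        if: always()
        run: security delete-keychain "$KEYCHAIN"

  windows-sign-msi:
    runs-on: windows-latest
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # Action name, input names and timestamp URL are assumptions; verify against the action's README.
      - uses: azure/trusted-signing-action@v0
        with:
          endpoint: ${{ vars.AZURE_ARTIFACT_SIGNING_ENDPOINT }}
          trusted-signing-account-name: ${{ vars.AZURE_ARTIFACT_SIGNING_ACCOUNT }}
          certificate-profile-name: ${{ vars.AZURE_ARTIFACT_SIGNING_CERT_PROFILE }}
          files-folder: dist
          files-folder-filter: msi
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
```

Two points worth keeping from this sketch: the p12 files are decoded into the runner's temp directory, imported, and deleted in the same step so the private keys only exist inside a keychain that is removed with `if: always()`, and the Azure job never holds a client secret because the federated credential is scoped to `refs/heads/main` and redeemed through the job's OIDC token.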
