Have GoReleaser sign and notarize macOS builds #6703

Merged
philrz merged 1 commit into main from macos-release-sign-notarize
Mar 7, 2026

Conversation

@philrz (Contributor) commented Mar 6, 2026

What's Changing

The changes here along with Actions Secrets I've added for the repo will make it such that our macOS super release binaries going forward will be signed and notarized.

Why

In looking toward submitting a Cask for super to the core Homebrew set, the very first thing they caution under reasons for rejection is:

App fails with GateKeeper enabled on Homebrew supported macOS versions and platforms (e.g. unsigned apps will not launch on Apple Silicon Macs).

Even beyond Homebrew, I've since learned that not having the super binary signed/notarized creates potential problems for regular users that may download our releases from GitHub via browser.

Details

On my Intel Mac for instance, if I download the most recent SuperDB release v0.2.0 via Chrome, unpack, and run ./super, I get a pop-up like this:

[image: macOS pop-up shown when running the unsigned ./super binary]

The same happens if I install via brew install --cask brimdata/tap/super per our docs. Experienced users know they can get around this by clicking through an exception in Settings > Privacy & Security. But as we seek to make SuperDB accessible to wider audiences, this is definitely a bad look.

In addition to adding them as Repository Secrets here in the repo, I've also saved the values of the secrets in our AWS Secrets Manager under super_repo_build_secrets.

Testing

I've tested out the signing and notarizing in a personal fork repo and have made scratch releases v0.3.0 (which represents a baseline repro of the problem) and v0.6.0 (which is signed and notarized and shows the fix). To verify, in addition to the presence/absence of the pop-up I showed above, with the scratch v0.3.0 artifact we see:

$ spctl -a -vvv --type install ./super
./super: rejected
source=no usable signature

And with the scratch v0.6.0 artifact:

$ spctl -a -vvv --type install ./super
./super: accepted
source=Notarized Developer ID
origin=Developer ID Application: Brim Data, Inc. (2DBXHXV7KJ)
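The two spctl verdicts above can be turned into an automated release gate. The following POSIX shell script is an added example, not code from this PR or the GoReleaser project: it assumes spctl's text output format as printed above, uses the Team ID 2DBXHXV7KJ from the v0.6.0 output, and runs codesign's static verification before the Gatekeeper assessment.

```shell
#!/bin/sh
# Added example, not code from this PR. Encodes the spctl verdicts shown in
# the PR description as a release gate. Assumes spctl's text output format
# ("<path>: accepted", "source=...", "origin=...") as printed on the page.

EXPECTED_TEAM_ID="2DBXHXV7KJ"   # Team ID from the PR's v0.6.0 output

# Outputs copied from the PR description, used for self-checks offline.
PR_REJECTED_OUTPUT='./super: rejected
source=no usable signature'
PR_ACCEPTED_OUTPUT='./super: accepted
source=Notarized Developer ID
origin=Developer ID Application: Brim Data, Inc. (2DBXHXV7KJ)'

# classify_spctl OUTPUT TEAM_ID
#   0  accepted, notarized Developer ID, signed by TEAM_ID (ship it)
#   1  rejected (unsigned or broken signature, the v0.3.0 case)
#   2  accepted, but not a notarized Developer ID build from TEAM_ID
classify_spctl() {
    out=$1; team=$2
    case "$out" in *": accepted"*) ;; *) return 1 ;; esac
    case "$out" in *"source=Notarized Developer ID"*) ;; *) return 2 ;; esac
    case "$out" in
        *"origin=Developer ID Application: "*"($team)"*) return 0 ;;
        *) return 2 ;;
    esac
}

# verify_binary PATH: codesign's static check first, then the Gatekeeper
# assessment spctl makes; spctl reports on stderr, so both streams are captured.
verify_binary() {
    bin=$1
    codesign --verify --strict --verbose=2 "$bin" 2>&1 || return 1
    out=$(spctl -a -vvv --type install "$bin" 2>&1)
    classify_spctl "$out" "$EXPECTED_TEAM_ID"
}

# Usage on macOS: ./verify_macos_release.sh ./super
if [ "$#" -eq 1 ] && [ "$(uname)" = "Darwin" ]; then
    verify_binary "$1" && echo "$1: signed and notarized by $EXPECTED_TEAM_ID"
fi
```

Wiring verify_binary into the release job after GoReleaser runs makes an unsigned or wrongly signed artifact fail the pipeline instead of reaching users.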

@philrz philrz self-assigned this Mar 6, 2026
@mattnibs (Collaborator) left a comment:

lgtm

@philrz philrz merged commit 584ed03 into main Mar 7, 2026
2 checks passed
@philrz philrz deleted the macos-release-sign-notarize branch March 7, 2026 00:34