From ec1bf4cd5a4dd4e2302effcef853207c5d57d7d2 Mon Sep 17 00:00:00 2001
From: Axel Niklasson Yun
Date: Thu, 5 Mar 2026 19:43:46 +0100
Subject: [PATCH 1/2] Add code signing to release action
---
 .github/workflows/release.yml | 33 ++++++++++++++++++++++++++++++++-
 entitlements.mac.plist | 16 ++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 entitlements.mac.plist
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f255a93..149ab52 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,10 +57,41 @@ jobs: --define "CLI_VERSION='$VERSION'" \ src/index.ts --outfile=./bin/linear-release + - name: Import code signing certificate + if: matrix.os == 'macos-latest' + env: + CSC_LINK: ${{ secrets.CSC_LINK }} + CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} + run: | + echo "$CSC_LINK" | base64 --decode > certificate.p12 + security create-keychain -p "" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "" build.keychain + security import certificate.p12 -k build.keychain -P "$CSC_KEY_PASSWORD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain + rm certificate.p12 + - name: Code sign macOS executable if: matrix.os == 'macos-latest' run: | - codesign --force --deep --sign - ./bin/linear-release || true + codesign --entitlements entitlements.mac.plist --force --options runtime \ + --sign "Developer ID Application: Linear Orbit, Inc. (${{ secrets.APPLE_TEAM_ID }})" ./bin/linear-release + codesign --verify --verbose ./bin/linear-release + + - name: Notarize macOS executable + if: matrix.os == 'macos-latest' + env: + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} + run: | + ditto -c -k --keepParent ./bin/linear-release ./bin/linear-release.zip + xcrun notarytool submit ./bin/linear-release.zip \ + --apple-id "$APPLE_ID" \ + --team-id "$APPLE_TEAM_ID" \ + --password "$APPLE_APP_SPECIFIC_PASSWORD" \ + --wait + rm ./bin/linear-release.zip - name: Upload artifact uses: actions/upload-artifact@v4 diff --git a/entitlements.mac.plist b/entitlements.mac.plist new file mode 100644 index 0000000..afa54db --- /dev/null +++ b/entitlements.mac.plist 
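Review bot: The "Code sign macOS executable" step splices `${{ secrets.APPLE_TEAM_ID }}` directly into the `run:` script text, while the neighbouring "Import" and "Notarize" steps pass their secrets through `env:`; the consistent (and GitHub-recommended) form is an `env:` entry `APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}` on that step and `--sign "Developer ID Application: Linear Orbit, Inc. ($APPLE_TEAM_ID)"` in the command, so the expression is never expanded into shell source. The "Import code signing certificate" step creates `build.keychain` with an empty password, makes it the default keychain and imports the signing key, but nothing removes it afterwards; on a GitHub-hosted runner the VM is discarded, but if this job ever lands on a persistent runner a final `security delete-keychain build.keychain` step guarded by `if: always()` would be needed so the key does not outlive the job. It is also worth confirming on the runner's Xcode that `xcrun notarytool submit --wait` exits non-zero when the submission status is Invalid, rather than relying on the output alone, since the removal of `|| true` means this pipeline now depends on the step's exit code to stop a rejected build from being uploaded.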
@@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + From aed1782efbe3d6f455a866242e5d072383fc152e Mon Sep 17 00:00:00 2001 From: Axel Niklasson Yun Date: Mon, 9 Mar 2026 08:45:25 +0100 Subject: [PATCH 2/2] Add comment --- entitlements.mac.plist | 1 + 1 file changed, 1 insertion(+) diff --git a/entitlements.mac.plist b/entitlements.mac.plist index afa54db..38b94c5 100644 --- a/entitlements.mac.plist +++ b/entitlements.mac.plist @@ -1,3 +1,4 @@ +
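Review bot: The five hardened-runtime entitlements in the new `entitlements.mac.plist` carry no rationale, and together they switch back off most of what `--options runtime` in the workflow enables, so each one should be justified in the file. `com.apple.security.cs.disable-executable-page-protection` is the one Apple documents as an extreme entitlement to be replaced by `allow-jit` plus `allow-unsigned-executable-memory`, both of which are already present, and `allow-dyld-environment-variables` together with `disable-library-validation` lets the signed binary honour `DYLD_*` variables and load libraries not signed by the same team, which is the protection a Developer ID signature is usually expected to provide. The XML tags did not survive rendering here, so assuming each key is followed by `<true/>`, I would add a one-line `<!-- ... -->` comment above each key naming the runtime feature that requires it (citing the runtime's documentation if this list was copied from it) and try the signed build with the last three removed; the follow-up commit adds a single comment to this file, but its text is cut off in this view.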