Skip to content

fix(ci): notarytool does not support altool's @env: password syntax#2336

Merged
prklm10 merged 1 commit into
masterfrom
fix/notarytool-password-env
Jul 14, 2026
Merged

fix(ci): notarytool does not support altool's @env: password syntax#2336
prklm10 merged 1 commit into
masterfrom
fix/notarytool-password-env

Conversation

@prklm10

@prklm10 prklm10 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • PR security: stop leaking signing secrets via shell interpolation / argv (PER-8611, PER-8612) #2281 switched the notarization password to --password "@env:APPLE_ID_KEY" to keep the secret out of argv (CWE-214), but @env:/@keychain: prefixes are altool syntax — notarytool --help documents only a literal password (or interactive prompt / --keychain-profile).
  • As a result notarytool sent the literal string @env:APPLE_ID_KEY as the password, so every submission failed with HTTP status code: 401. Invalid credentials. regardless of the stored secrets — this broke the v1.32.3 release build (first release to run the changed line; v1.32.3-beta.2 predates security: stop leaking signing secrets via shell interpolation / argv (PER-8611, PER-8612) #2281 and passed).
  • Revert to passing the expanded value "$APPLE_ID_KEY". The argv-visibility concern is negligible on an ephemeral single-tenant GitHub runner, and GitHub masks the secret in logs. A follow-up can adopt an App Store Connect API key (--key/--key-id/--issuer) or --keychain-profile for hardening that notarytool actually supports.

Test plan

  • Reproduced locally: xcrun notarytool submit --password "@env:APPLE_ID_KEY" ... → 401; identical invocation with --password "$APPLE_ID_KEY" → submission accepted and uploaded.
  • bash -n scripts/executable.sh passes.
  • Note: re-running the failed v1.32.3 release job will NOT pick this up (re-runs build the tag's commit); the release needs to be re-cut on a commit containing this fix, or the v1.32.3 assets notarized manually.

🤖 Generated with Claude Code

PR #2281 switched the notarization password to `@env:APPLE_ID_KEY` to keep
it out of argv (CWE-214), but that prefix is altool-only. notarytool sends
the literal string "@env:APPLE_ID_KEY" as the password, so every submission
fails with HTTP 401 regardless of the stored secrets — this broke the
v1.32.3 release build. Pass the expanded env value again; the argv exposure
is negligible on an ephemeral single-tenant runner and GitHub masks the
secret in logs. A follow-up can adopt an App Store Connect API key or
--keychain-profile for hardening notarytool actually supports.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@prklm10 prklm10 added the 🐛 bug Something isn't working label Jul 14, 2026
@prklm10 prklm10 marked this pull request as ready for review July 14, 2026 11:59
@prklm10 prklm10 requested a review from a team as a code owner July 14, 2026 11:59
@prklm10 prklm10 merged commit 8ce3e62 into master Jul 14, 2026
45 of 46 checks passed
@prklm10 prklm10 deleted the fix/notarytool-password-env branch July 14, 2026 12:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🐛 bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants