fix(ci): notarytool does not support altool's @env: password syntax#2336
Merged
Conversation
PR #2281 switched the notarization password to `@env:APPLE_ID_KEY` to keep it out of argv (CWE-214), but that prefix is altool-only. notarytool sends the literal string "@env:APPLE_ID_KEY" as the password, so every submission fails with HTTP 401 regardless of the stored secrets — this broke the v1.32.3 release build. Pass the expanded env value again; the argv exposure is negligible on an ephemeral single-tenant runner and GitHub masks the secret in logs. A follow-up can adopt an App Store Connect API key or --keychain-profile for hardening notarytool actually supports. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
amandeepsingh333
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--password "@env:APPLE_ID_KEY"to keep the secret out of argv (CWE-214), but@env:/@keychain:prefixes are altool syntax —notarytool --helpdocuments only a literal password (or interactive prompt /--keychain-profile).@env:APPLE_ID_KEYas the password, so every submission failed withHTTP status code: 401. Invalid credentials.regardless of the stored secrets — this broke the v1.32.3 release build (first release to run the changed line; v1.32.3-beta.2 predates security: stop leaking signing secrets via shell interpolation / argv (PER-8611, PER-8612) #2281 and passed)."$APPLE_ID_KEY". The argv-visibility concern is negligible on an ephemeral single-tenant GitHub runner, and GitHub masks the secret in logs. A follow-up can adopt an App Store Connect API key (--key/--key-id/--issuer) or--keychain-profilefor hardening that notarytool actually supports.Test plan
xcrun notarytool submit --password "@env:APPLE_ID_KEY" ...→ 401; identical invocation with--password "$APPLE_ID_KEY"→ submission accepted and uploaded.bash -n scripts/executable.shpasses.🤖 Generated with Claude Code