@henryhchchc
Contributor

Important: Do not tick a checkbox if you haven’t performed its action. Honesty is indispensable for a smooth review process.

In the following questions <cask> is the token of the cask you're submitting.

After making any changes to a cask, existing or new, verify:

Additionally, if adding a new cask:

  • Named the cask according to the token reference.
  • Checked the cask was not already refused (add your cask's name to the end of the search field).
  • brew audit --cask --new <cask> worked successfully.
  • HOMEBREW_NO_INSTALL_FROM_API=1 brew install --cask <cask> worked successfully.
  • brew uninstall --cask <cask> worked successfully.

Link the CLI binary macdown to enable command line access.

@henryhchchc
Contributor Author

Looks like the CLI binary is not code-signed. I opened an upstream issue: schuyler/macdown3000#238

schuyler added a commit to schuyler/macdown3000 that referenced this pull request Dec 31, 2025
## Summary

Add explicit code signing for the `macdown` CLI binary in the release
workflow to ensure it passes Homebrew Cask's signature verification.

### Changes

1. **New "Sign CLI binary explicitly" step** (after build, before
verification):
   - Signs CLI binary at `Contents/SharedSupport/bin/macdown`
   - Uses `--force --options runtime --timestamp` flags
   - Re-signs app bundle to update code signature seal

2. **Enhanced "Verify code signature" step**:
   - Verifies CLI binary signature with `codesign -vvv --strict`
   - Verifies Developer ID signing identity
   - Verifies hardened runtime flag is present

3. **Enhanced "Verify app bundle inside DMG" step**:
   - Verifies CLI binary exists in DMG
   - Verifies signature and Developer ID
   - Verifies hardened runtime flag

### Why this is needed

The `CodeSignOnCopy` attribute in Xcode only performs basic code signing
without hardened runtime or secure timestamp, which is insufficient for
Homebrew Cask/Gatekeeper requirements.

## Related Issue

Related to #238

## Manual Testing Plan

### Phase 1: Workflow Verification
- Trigger release workflow with a test tag
- Verify workflow completes without errors in CLI signing steps

### Phase 2: Code Signature Verification
```bash
# Verify CLI binary after mounting DMG
CLI_PATH="/Volumes/MacDown 3000/MacDown 3000.app/Contents/SharedSupport/bin/macdown"
codesign -vvv --strict "$CLI_PATH"
codesign -dvv "$CLI_PATH" 2>&1 | grep "Authority="  # Should show Developer ID
codesign -dvv "$CLI_PATH" 2>&1 | grep "flags="      # Should contain "runtime"
```

### Phase 3: Homebrew Cask Verification
- Update the Homebrew Cask PR at
Homebrew/homebrew-cask#242810
- Verify CI passes code signing checks

## Review Notes

- **Groucho (Architecture)**: Recommended adding explicit signing step
after build with `--options runtime --timestamp`
- **Chico (Code Review)**: Identified critical path issue (SharedSupport
vs MacOS) and need to re-sign app bundle; both issues fixed
- **Harpo (Docs)**: No documentation updates needed - existing docs
describe signing at appropriate level
- **Zeppo (Testing)**: Provided comprehensive manual testing plan for
verifying signatures

---------

Co-authored-by: Claude <[email protected]>
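An added example, not code from the PR or the macdown3000 project, that turns the Phase 2 checks above into a script: a parser over `codesign -dvv` output that fails unless the Developer ID identity, the hardened runtime flag and a secure timestamp are all present, plus a wrapper that runs the real commands on macOS. The sample outputs, the `EXAMPLE123` team identifier and the `/tmp/macdown` path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or the macdown3000 repository. Checks that
# a CLI binary carries a Developer ID Application identity, the hardened runtime
# flag and a secure timestamp, the properties the upstream workflow verifies.
# verify_cli_signature needs macOS codesign; check_signature_info runs anywhere.

# check_signature_info reads `codesign -dvv` output on stdin, reports each
# missing property on stderr and returns 0 only when all three are present.
check_signature_info() {
  info=$(cat)
  status=0
  if ! printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:'; then
    echo "missing: Developer ID Application signing identity" >&2; status=1
  fi
  # The flags appear on the CodeDirectory line, e.g. flags=0x10000(runtime)
  if ! printf '%s\n' "$info" | grep -q '^CodeDirectory .*flags=0x[0-9a-f]*(.*runtime'; then
    echo "missing: hardened runtime flag" >&2; status=1
  fi
  # A Timestamp= line is only emitted when a secure timestamp was embedded
  if ! printf '%s\n' "$info" | grep -q '^Timestamp='; then
    echo "missing: secure timestamp" >&2; status=1
  fi
  return $status
}

# verify_cli_signature runs the real checks against a path: structural
# validity first (as in the PR's Phase 2), then the signing properties.
verify_cli_signature() {
  codesign -vvv --strict "$1" || return 1
  codesign -dvv "$1" 2>&1 | check_signature_info
}

# Constructed sample output (not captured from a real build) shaped like
# `codesign -dvv`: a correctly signed binary and an ad-hoc signed one.
# EXAMPLE123 is a placeholder team identifier.
GOOD_SAMPLE='Executable=/Volumes/MacDown 3000/MacDown 3000.app/Contents/SharedSupport/bin/macdown
Identifier=macdown
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 31, 2025 at 12:00:00
TeamIdentifier=EXAMPLE123'
ADHOC_SAMPLE='Executable=/tmp/macdown
Identifier=macdown
CodeDirectory v=20400 size=600 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set'
```

On a macOS host, `verify_cli_signature "$CLI_PATH"` exits non-zero and names each missing property, which is what an ad-hoc or `CodeSignOnCopy`-only signature produces.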
@bevanjkay bevanjkay added the upstream Issue which needs to be resolved by the upstream project. label Jan 3, 2026
@henryhchchc
Contributor Author

@bevanjkay Oops, I mistook macdown for macdown-3000. The unsigned binary is in macdown, not macdown-3000.

Considering macdown has had no commits in the past five years, it is effectively abandoned despite no official acknowledgement. I marked it as deprecated.

@henryhchchc henryhchchc requested a review from bevanjkay January 5, 2026 07:30
@bevanjkay bevanjkay enabled auto-merge January 5, 2026 07:32
@bevanjkay bevanjkay added this pull request to the merge queue Jan 5, 2026
Merged via the queue into Homebrew:main with commit b2e1151 Jan 5, 2026
13 checks passed
@henryhchchc henryhchchc deleted the macdown-3k-bin branch January 5, 2026 08:11
Labels

automerge-skip upstream Issue which needs to be resolved by the upstream project.