
Add psd-sign skill for macOS app signing and packaging#39

Open
james-cantonwine wants to merge 1 commit into
psd401:mainfrom
james-cantonwine:add-psd-sign-skill

Conversation

@james-cantonwine

Summary

  • Adds psd-sign skill to psd-productivity plugin
  • Automates the full Apple Developer ID signing pipeline: sign → notarize → staple → package → notarize pkg → verify
  • PSD Team ID (87DL7L9GU6) and signing identities are embedded
  • Prompts for app path, Apple ID, app-specific password, version, and bundle identifier at runtime
  • Includes troubleshooting section for common cert/notarization issues

Context

We have multiple macOS apps being signed and deployed via Jamf Self Service. This skill standardizes the 9-step signing process so any team member with Developer ID certs can run /psd-sign from Claude Code instead of referencing manual terminal instructions.

Test plan

  • Install plugin and verify /psd-sign appears in skill list
  • Run against a test .app bundle and confirm full pipeline completes
  • Verify signed .pkg passes pkgutil --check-signature

🤖 Generated with Claude Code

New skill that automates the full Apple Developer ID signing pipeline
for PSD apps deployed via Jamf Self Service:

- Removes quarantine attributes
- Deep-signs .app with hardened runtime using PSD Developer ID
- Submits to Apple notary service and staples ticket
- Packages into signed .pkg installer
- Notarizes and staples the .pkg
- Verifies both .app and .pkg pass Gatekeeper

PSD Team ID (87DL7L9GU6) and signing identities are embedded.
Prompts user for app path, Apple ID, app-specific password, version,
and bundle identifier at runtime.

Includes troubleshooting section for common cert and notarization issues.
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new skill to automate the complex and multi-step process of signing, notarizing, and packaging macOS applications for deployment via Jamf Self Service. It aims to standardize the workflow for team members, reducing reliance on manual terminal instructions and ensuring consistency and efficiency in the distribution of macOS applications within the organization.

Highlights

  • New Skill Added: Introduced the psd-sign skill to the psd-productivity plugin, designed to streamline macOS application signing and packaging.
  • Automated Apple Developer ID Pipeline: Implemented a comprehensive automation for the Apple Developer ID signing process, covering signing, notarization, stapling, packaging, package notarization, and verification.
  • Embedded PSD Constants: Pre-configured the skill with the PSD Team ID (87DL7L9GU6) and specific signing identities for both application and installer.
  • Runtime User Input: The skill prompts the user for necessary details at runtime, including the app path, Apple ID, app-specific password, version number, and bundle identifier.
  • Troubleshooting Guide: Included a dedicated troubleshooting section within the skill documentation to address common certificate and notarization issues.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request adds a new psd-sign skill for automating macOS app signing. The workflow is well-structured and covers all the necessary steps from signing to packaging and verification. However, I've identified a significant security vulnerability in how the app-specific password for notarization is handled. It's passed directly on the command line, which exposes it in the process list and shell history. My review comments focus on mitigating this risk by using notarytool's keychain profile feature. This improves security and also simplifies the commands. I've provided specific suggestions to update the workflow, the notarization commands, and the troubleshooting documentation.


1. **App path** — full path to the `.app` bundle (may be provided as an argument)
2. **Apple ID** — the `@psd401.net` account with Developer ID access
3. **App-specific password** — SECURITY: never log, echo, or store this value

high

Collecting the app-specific password at runtime and passing it on the command line is a security risk, as it can be exposed in process lists and shell history. It's more secure to have the user store the credential in the keychain once using xcrun notarytool store-credentials and then provide a profile name to the script. This also improves usability by not requiring the password for every run.

Suggested change
3. **App-specific password** — SECURITY: never log, echo, or store this value
3. **Notary keychain profile** — name of the keychain profile for `notarytool` (create with `xcrun notarytool store-credentials`)

Member

Applied. The workflow inputs now ask for a keychain profile name instead of an Apple ID + app-specific password. The one-time setup is documented in Prerequisites:

2. **Notary keychain profile** — name of the keychain profile for `notarytool` (create once with `xcrun notarytool store-credentials`)

Prerequisites now reads:

- A notarytool keychain profile stored on the machine — create once with:
  `xcrun notarytool store-credentials "<profile-name>" --apple-id <your@psd401.net> --team-id 87DL7L9GU6 --password <app-specific-password>`

Fix committed to psd401/psd-claude-plugins:add-psd-sign-skill — please pull or apply to your fork branch.


Generated by Claude Code

Comment on lines +78 to +82
xcrun notarytool submit "/tmp/${APP_NAME}.zip" \
--apple-id "$APPLE_ID" \
--team-id 87DL7L9GU6 \
--password "$APP_PASSWORD" \
--wait

high

To avoid exposing the app-specific password on the command line, which is a security risk, you should use a keychain profile. This change assumes the workflow is updated to ask for a keychain profile name (e.g., in a variable like $NOTARY_KEYCHAIN_PROFILE) instead of the password itself. Using a profile also simplifies the command as apple-id and team-id are not needed if stored in the profile.

Suggested change
xcrun notarytool submit "/tmp/${APP_NAME}.zip" \
--apple-id "$APPLE_ID" \
--team-id 87DL7L9GU6 \
--password "$APP_PASSWORD" \
--wait
# Use keychain profile for security. First, store credentials:
# xcrun notarytool store-credentials "YOUR_PROFILE_NAME" --apple-id ... --team-id ... --password ...
xcrun notarytool submit "/tmp/${APP_NAME}.zip" \
--keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
--wait

Member

Applied. Step 4 now uses --keychain-profile — no Apple ID, team ID, or password on the command line:

xcrun notarytool submit "/tmp/${APP_NAME}.zip" \
  --keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
  --wait

Fix committed to psd401/psd-claude-plugins:add-psd-sign-skill.


Generated by Claude Code

Comment on lines +116 to +120
xcrun notarytool submit "$HOME/Desktop/${APP_NAME}.pkg" \
--apple-id "$APPLE_ID" \
--team-id 87DL7L9GU6 \
--password "$APP_PASSWORD" \
--wait

high

As with the app notarization step, the package notarization should also use a keychain profile to avoid exposing the password on the command line. This is a security risk.

Suggested change
xcrun notarytool submit "$HOME/Desktop/${APP_NAME}.pkg" \
--apple-id "$APPLE_ID" \
--team-id 87DL7L9GU6 \
--password "$APP_PASSWORD" \
--wait
# Use keychain profile for security. First, store credentials:
# xcrun notarytool store-credentials "YOUR_PROFILE_NAME" --apple-id ... --team-id ... --password ...
xcrun notarytool submit "$HOME/Desktop/${APP_NAME}.pkg" \
--keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
--wait

Member

Applied. Step 7 now uses --keychain-profile for the .pkg notarization too:

xcrun notarytool submit "$HOME/Desktop/${APP_NAME}.pkg" \
  --keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
  --wait

Fix committed to psd401/psd-claude-plugins:add-psd-sign-skill.


Generated by Claude Code

## Troubleshooting

- **"no identity found"** — Developer ID certificates are not installed. Open Keychain Access and verify both `Developer ID Application` and `Developer ID Installer` certs are present for Peninsula School District.
- **Notarization rejected** — Check the log with `xcrun notarytool log <submission-id> --apple-id ... --team-id 87DL7L9GU6 --password ...`

medium

For consistency and security, the troubleshooting command for checking notarization logs should also be updated to use the keychain profile instead of passing credentials on the command line.

Suggested change
- **Notarization rejected** — Check the log with `xcrun notarytool log <submission-id> --apple-id ... --team-id 87DL7L9GU6 --password ...`
- **Notarization rejected** — Check the log with `xcrun notarytool log <submission-id> --keychain-profile <profile-name>`

Member

Applied. The troubleshooting command now uses --keychain-profile:

- **Notarization rejected** — Check the log with `xcrun notarytool log <submission-id> --keychain-profile <profile-name>`

Fix committed to psd401/psd-claude-plugins:add-psd-sign-skill.


Generated by Claude Code
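The pipeline the commit message lists (quarantine strip, deep sign, notarize, staple, package, notarize the .pkg, verify), written out below as an added shell example with the reviewer's keychain-profile fix applied to both notarytool submissions. This is editor-added illustration, not the skill's own code from the PR. The Team ID 87DL7L9GU6 and the step order come from the PR text; the identity strings, the profile name `psd-notary`, the `/Applications` install location and the `DRY_RUN` switch are assumptions. Every external command goes through a guard that refuses an argument list containing `--password` or `--apple-id`, which is the defect the review flagged.

```shell
#!/bin/bash
# Added example (not the PR's skill code): Developer ID sign -> notarize -> staple -> package ->
# notarize pkg -> verify, with the notary credential only ever read from a keychain profile.
# Team ID and step order come from the PR; identities, profile name, install location and
# DRY_RUN are assumptions for illustration.
set -eu

TEAM_ID="87DL7L9GU6"
APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Peninsula School District (${TEAM_ID})}"
INSTALLER_IDENTITY="${INSTALLER_IDENTITY:-Developer ID Installer: Peninsula School District (${TEAM_ID})}"
NOTARY_KEYCHAIN_PROFILE="${NOTARY_KEYCHAIN_PROFILE:-psd-notary}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; DRY_RUN=0 executes on a Mac with the certs

# Guard against the exact problem the review raised: a credential in argv is visible in `ps`
# and in shell history. Returns 1 if any credential flag is present, 0 otherwise.
check_no_inline_credentials() {
  for arg in "$@"; do
    case "$arg" in
      --password|--password=*|--apple-id|--apple-id=*) return 1 ;;
    esac
  done
  return 0
}

# Every external command goes through run(): apply the guard, then print (dry run) or execute.
run() {
  if ! check_no_inline_credentials "$@"; then
    echo "refusing to run: credential passed on the command line" >&2
    return 1
  fi
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Steps 1-3: clear extended attributes (quarantine included), deep-sign with the hardened
# runtime and a secure timestamp (both required for notarization), then verify strictly.
# --deep mirrors the skill; nested helpers with their own entitlements are better signed inside-out.
sign_app() {
  app="$1"
  run xattr -cr "$app"
  run codesign --force --deep --options runtime --timestamp --sign "$APP_IDENTITY" "$app"
  run codesign --verify --deep --strict --verbose=2 "$app"
}

# Steps 4-5: notarytool accepts zip/dmg/pkg, not a bare bundle, so zip a copy, submit it,
# then staple the ticket to the .app itself and ask Gatekeeper's assessor.
notarize_app() {
  app="$1"; zip="/tmp/$(basename "$app" .app).zip"
  run ditto -c -k --keepParent "$app" "$zip"
  run xcrun notarytool submit "$zip" --keychain-profile "$NOTARY_KEYCHAIN_PROFILE" --wait
  run xcrun stapler staple "$app"
  run spctl --assess --type execute --verbose "$app"
}

# Steps 6-9: wrap the stapled .app in a .pkg signed with the Installer identity, notarize and
# staple the package, then check it the way pkgutil and Gatekeeper will on the target Mac.
package_app() {
  app="$1"; bundle_id="$2"; version="$3"; pkg="$4"
  run pkgbuild --component "$app" --install-location /Applications \
    --identifier "$bundle_id" --version "$version" --sign "$INSTALLER_IDENTITY" "$pkg"
  run xcrun notarytool submit "$pkg" --keychain-profile "$NOTARY_KEYCHAIN_PROFILE" --wait
  run xcrun stapler staple "$pkg"
  run pkgutil --check-signature "$pkg"
  run spctl --assess --type install --verbose "$pkg"
}

main() {
  [ $# -eq 3 ] || { echo "usage: $0 /path/to/App.app com.example.bundle 1.2.3" >&2; return 2; }
  app="$1"; pkg="$HOME/Desktop/$(basename "$app" .app).pkg"
  sign_app "$app"
  notarize_app "$app"
  package_app "$app" "$2" "$3" "$pkg"
}

# Sourcing the file only defines the functions; passing arguments runs the pipeline.
[ $# -eq 0 ] || main "$@"
```

With `DRY_RUN=1` (the default) the script prints the plan so the argument lists can be inspected before anything is signed; `DRY_RUN=0 ./psd-sign.sh /path/App.app com.psd401.app 1.0` executes it on a Mac that holds both Developer ID certificates. For the one-time profile setup, `xcrun notarytool store-credentials "psd-notary"` prompts for the Apple ID, team ID and app-specific password when those flags are left off, so the password need not appear in argv even once; the resulting profile is what `--keychain-profile` reads.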

Member

🤖 pr-fix routine round 1 — partial progress

All 4 security review comments have been addressed with specific fixes and replied to inline. The changes are:

  • Prerequisites: documented one-time xcrun notarytool store-credentials setup — replaces the need to provide an Apple ID or app-specific password at runtime
  • Workflow inputs: replaced Apple ID + app-specific password prompts with a single "Notary keychain profile" name
  • Step 4 & Step 7: replaced --apple-id / --team-id / --password with --keychain-profile "$NOTARY_KEYCHAIN_PROFILE"
  • Troubleshooting: updated notarytool log command to use --keychain-profile

Branch blocker: This PR's head branch (add-psd-sign-skill) lives in the fork james-cantonwine/psd-claude-coding-system. The routine cannot push directly to a fork. The fixed commit (bd0a7ec) has been pushed to psd401/psd-claude-plugins:add-psd-sign-skill.

What @james-cantonwine needs to do — either:

  1. git pull origin add-psd-sign-skill (if maintainer edits are enabled), or
  2. Apply the four diff hunks shown in the inline replies above manually and push, or
  3. Allow maintainer edits on the fork so the routine can push next fire

Once the commits land on the fork branch, the CI should pass and this PR can be merged.

  • Review comments addressed: 4
  • CI failures fixed: pending (depends on fork update)
  • Commits pushed (to psd401 branch): 1

Generated by Claude Code

@krishagel krishagel added the pr-fix-stuck pr-fix routine gave up — human attention needed label May 16, 2026 — with Claude