fix: isolate notarization temp files

Hinotoi-agent · web-flow · commit e7d932616508 · 2026-05-30T23:09:32.000+01:00
Security hardening for the release notarization path.

Keeps notarization API key material and upload ZIPs inside a per-run private temporary directory, sets restrictive permissions, and cleans it up on exit. Final release artifact paths remain unchanged.

Proof:
- bash -n Scripts/sign-and-notarize.sh
- static grep for removed predictable /tmp paths
- stubbed release harness covering 0700 temp dir, 0600 API key, private notarization ZIP, cleanup, unchanged final artifacts
- make check
- autoreview clean
- CI green
diff --git a/Scripts/sign-and-notarize.sh b/Scripts/sign-and-notarize.sh
@@ -17,8 +17,18 @@ if [[ -z "${APP_STORE_CONNECT_API_KEY_P8:-}" || -z "${APP_STORE_CONNECT_KEY_ID:-
   echo "Missing APP_STORE_CONNECT_* env vars (API key, key id, issuer id)." >&2
   exit 1
 fi
-echo "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > /tmp/codexbar-api-key.p8
-trap 'rm -f /tmp/codexbar-api-key.p8 /tmp/${APP_NAME}Notarize.zip' EXIT
+
+NOTARIZATION_TEMP_DIR=$(mktemp -d "${TMPDIR:-/tmp}/codexbar-notarize.XXXXXX")
+chmod 700 "$NOTARIZATION_TEMP_DIR"
+API_KEY_PATH="$NOTARIZATION_TEMP_DIR/codexbar-api-key.p8"
+NOTARIZATION_ZIP="$NOTARIZATION_TEMP_DIR/${APP_NAME}Notarize.zip"
+trap 'rm -rf "$NOTARIZATION_TEMP_DIR"' EXIT
+
+(
+  umask 077
+  printf '%s' "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > "$API_KEY_PATH"
+)
+chmod 600 "$API_KEY_PATH"
 
 ARCH_LIST=( ${ARCHES_VALUE} )
 for ARCH in "${ARCH_LIST[@]}"; do
@@ -52,11 +62,11 @@ codesign --force --timestamp --options runtime --sign "$APP_IDENTITY" \
   "$APP_BUNDLE"
 
 DITTO_BIN=${DITTO_BIN:-/usr/bin/ditto}
-"$DITTO_BIN" --norsrc -c -k --keepParent "$APP_BUNDLE" "/tmp/${APP_NAME}Notarize.zip"
+"$DITTO_BIN" --norsrc -c -k --keepParent "$APP_BUNDLE" "$NOTARIZATION_ZIP"
 
 echo "Submitting for notarization"
-xcrun notarytool submit "/tmp/${APP_NAME}Notarize.zip" \
-  --key /tmp/codexbar-api-key.p8 \
+xcrun notarytool submit "$NOTARIZATION_ZIP" \
+  --key "$API_KEY_PATH" \
   --key-id "$APP_STORE_CONNECT_KEY_ID" \
   --issuer "$APP_STORE_CONNECT_ISSUER_ID" \
   --wait
