GoReleaser

Homebrew Tap

GoReleaser automatically publishes a Homebrew Cask to StackExchange/homebrew-tap on every release. This requires two components: a GitHub PAT for tap updates and macOS code signing + notarization.

Homebrew TAP GitHub PAT

GoReleaser needs a GitHub Personal Access Token to push the Homebrew Cask formula to the StackExchange/homebrew-tap repository.

Item

Value

Secret name

HOMEBREW_TAP_GITHUB_TOKEN (repository secret)

Scope

repo access on StackExchange org

Expires

February 6, 2027

Action needed before

~January 18, 2027

Links:

Rotation procedure

Generate a new PAT with the same scopes (repo on StackExchange org)
Update the repository secret HOMEBREW_TAP_GITHUB_TOKEN
Verify that the next GoReleaser release successfully updates the Homebrew tap
Create a new tracking issue for the next rotation cycle

macOS Code Signing & Notarization

Without code signing, macOS Gatekeeper shows an error on brew install:

Apple could not verify "dnscontrol" is free of malware that may harm your Mac or compromise your privacy.

GoReleaser supports macOS notarization via the notarize section in .goreleaser.yml:

notarize:
  macos:
    - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
      sign:
        certificate: "{{.Env.MACOS_SIGN_P12}}"
        password: "{{.Env.MACOS_SIGN_PASSWORD}}"
      notarize:
        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
        key: "{{.Env.MACOS_NOTARY_KEY}}"

The enabled condition ensures that builds without secrets (e.g. local builds) continue normally.

Steps to activate

1. Apple Developer Program

Item

Value

Team Name

JCID B.V.

Team ID

TY4QRVP7MM

Expires

February 10, 2027

2. Developer ID Application Certificate

Open Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
Choose Saved to disk, save the .certSigningRequest file
Go to developer.apple.com/account/resources/certificates/add
Choose Developer ID Application, upload the .certSigningRequest file
Download the .cer file, double-click to import into Keychain

3. Export as .p12

Open Keychain Access, find Developer ID Application: [name]
Right-click > Export... > format .p12
Set a strong password (this becomes MACOS_SIGN_PASSWORD)

4. App Store Connect API Key

Go to appstoreconnect.apple.com/access/integrations/api
Generate API Key, role: Developer
Download the .p8 file (can only be downloaded once!)
Note the Key ID and Issuer ID

5. GitHub Actions Secrets

Encode the .p12 file:

base64 -i DeveloperIDApplication.p12 | pbcopy

Configure under repo > Settings > Secrets and variables > Actions:

Secret

Value

MACOS_SIGN_P12

Base64-encoded .p12 file

MACOS_SIGN_PASSWORD

Password of the .p12 certificate

MACOS_NOTARY_ISSUER_ID

Issuer ID from App Store Connect

MACOS_NOTARY_KEY_ID

Key ID of the API key

MACOS_NOTARY_KEY

Full contents of the .p8 file (including BEGIN/END lines)

6. Testing

export MACOS_SIGN_P12=$(base64 -i DeveloperIDApplication.p12)
export MACOS_SIGN_PASSWORD="password"
export MACOS_NOTARY_ISSUER_ID="..."
export MACOS_NOTARY_KEY_ID="..."
export MACOS_NOTARY_KEY="$(cat AuthKey_XXXXXX.p8)"
goreleaser release --snapshot --clean

Background

Homebrew --no-quarantine flag is deprecated since Homebrew 5.0.0 (November 2025)
There is no cask-level option to disable quarantine
Unsigned casks will be removed from the official Homebrew tap as of September 2026

PreviousHow to add a requested provider NextHow to build and ship a release

Last updated 57 minutes ago

hashtagHomebrew Tap

hashtagHomebrew TAP GitHub PAT

hashtagRotation procedure

hashtagmacOS Code Signing & Notarization

hashtagSteps to activate

hashtagBackground

Homebrew Tap

Homebrew TAP GitHub PAT

Rotation procedure

macOS Code Signing & Notarization

Steps to activate

Background