Run or recover OpenClaw macOS signing, notarization, and release promotion.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "release-openclaw-mac" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/release-openclaw-mac/SKILL.md 2. Save it as ~/.claude/skills/release-openclaw-mac/SKILL.md 3. Reload skills and tell me it's ready
Based on the OpenClaw Mac Release process, help me troubleshoot a macOS release notarization that immediately returns 401. Give me a safe check order covering ASC credentials, notarytool history, and GitHub Secrets precautions.
An ordered troubleshooting checklist covering credential validation, key consistency, and notarization settings.
Generate execution guidance for an OpenClaw private mac preflight. Use the release branch as source_ref, keep the stable tag on the original commit, and explain how preflight and validation SHAs must match.
Maintainer-facing instructions explaining the relationship between source_ref, tag, and validation requirements.
Summarize the 1Password prerequisites in the OpenClaw mac release flow: tmux session usage, service token checks, op whoami, and what to do when Touch ID is unavailable.
A concise prerequisite checklist for safely preparing secret access and authentication.
Developers or release maintainers can use it when a stable tag is already live but macOS-only packaging fixes still need to be shipped. It is especially useful for recovery cases where the branch variation differs from the original tagged commit.
When macOS artifacts sign successfully but notarization fails, or notarytool returns 401, this skill helps troubleshoot ASC credentials, consistent secret sourcing, and the Apple notarization submission flow. It also highlights upload flags that can cause misleading errors.
Maintainers can use it when setting GitHub Secrets in the private release repository to confirm which ASC fields are required and when they should be updated. It emphasizes that all three fields must come from the same 1Password item and be locally validated first.
The document outlines the OpenClaw macOS release and recovery flow. It covers how to obtain ASC credentials from private configuration and 1Password, how to safely set GitHub Secrets in the private release environment, and how preflight, validation, tags, and source_ref must align. It also highlights notarization troubleshooting tips, including 401 causes and the recommended submission flags, plus example workflow dispatch commands.
Use with $release-openclaw-maintainer, $release-openclaw-ci, $one-password, and $release-private if it exists when stable macOS assets, private mac preflight, notarization, appcast promotion, or mac release recovery is involved.
$release-private.private_key_p8, key_id, issuer_id.xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.xcrun notarytool history before setting GitHub secrets.$one-password: all op work inside one persistent tmux session, no secret output.$release-private when available.op whoami; never print token values.OP_BIOMETRIC_UNLOCK_ENABLED=false for the manual op account add --signin path.Target private repo environment: openclaw/releases-private, env mac-release.
Set only after local notary auth validation:
APP_STORE_CONNECT_API_KEY_P8APP_STORE_CONNECT_KEY_IDAPP_STORE_CONNECT_ISSUER_IDDo not update these from mixed sources. All three ASC fields must come from the same 1Password item.
source_ref=release/YYYY.M.D for private mac preflight/validation when building that branch variation.tag=vYYYY.M.D pointing at the original stable release commit.source_ref; promotion rejects mismatched proof.scripts/notarize-mac-artifact.sh.xcrun notarytool submit should use --no-s3-acceleration; accelerated upload can surface misleading 401s even when notarytool history succeeds.Private preflight:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-f tag=vYYYY.M.D \
-f source_ref=release/YYYY.M.D \
-f preflight_only=true \
-f smoke_test_only=false \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.D
Private validation for a branch-variation preflight:
gh workflow run openclaw-macos-validate.yml --repo openclaw/releases-private --ref main \
-f tag=vYYYY.M.D \
-f source_ref=release/YYYY.M.D
Real publish:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-f tag=vYYYY.M.D \
-f preflight_only=false \
-f smoke_test_only=false \
-f preflight_run_id=<successful-preflight-run> \
-f validate_run_id=<successful-validation-run> \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.D
gh release view vYYYY.M.D --repo openclaw/openclaw shows zip, dmg, dSYM zip, not draft, not prerelease.main appcast.xml points at OpenClaw-YYYY.M.D.zip.sparkle:version, sparkle:shortVersionString, length, and sparkle:edSignature.It is used to run or recover the OpenClaw macOS release process, including signing, notarization, private preflight, validation, and asset promotion. The docs also indicate it works alongside related skills and private configuration.
The docs show it depends on ASC fields: private_key_p8, key_id, and issuer_id, which should be resolved from private configuration and 1Password. `op` work should be done inside a persistent tmux session, and secret values must not be printed.
First check whether the ASC key is stale or revoked, and validate candidate credentials with `xcrun notarytool history`. The docs also say to use `--no-s3-acceleration`, because accelerated uploads can produce misleading 401 errors.
Fetch GitHub issues, create fixes, open PRs, and handle reviews.
Convert text to speech locally and offline with sherpa-onnx, no cloud needed.
Regenerate OpenClaw release changelog sections from Git history before releases.
Prepare and verify OpenClaw stable or beta releases and release notes.
Automate web page workflows, login checks, tab handling, and recovery steps.
Verify an OpenClaw release is fully published and working across all channels.
Run, debug, monitor, and summarize OpenClaw release CI workflows.
Draft OpenClaw release announcements and testing guidance from release evidence.
Refactor OpenClaw docs pages with source-checked preservation, clearer structure, and verification.
Automate OpenClaw nightly releases, branch maintenance, and forward-porting to main.
Inspect, patch, validate, and publish OpenClaw GHSA advisories securely.
Choose and run the safest, cheapest OpenClaw test and validation path.