posit-dev · georgestagg · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026
diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml
@@ -122,46 +122,91 @@ jobs:
           APPLE_API_KEY_BASE64: ${{ secrets.GWS_APPLE_API_KEY_BASE64 }}
           APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }}
 
-      - name: Configure macOS installer signing
+      - name: Import signing certificates
         env:
-          APPLE_SIGN_IDENTITY: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}
+          APPLICATION_P12: ${{ secrets.GWS_APPLE_SIGN_APPLICATION_P12 }}
+          INSTALLER_P12: ${{ secrets.GWS_APPLE_SIGN_INSTALLER_P12 }}
+          P12_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }}
         run: |
-          cat <<EOF >> src/Cargo.toml
-
-          [package.metadata.packager.macos]
-          signing-identity = "${APPLE_SIGN_IDENTITY}"
-          entitlements = "entitlements.plist"
-          EOF
-
-      - name: Install cargo-packager
-        run: cargo install cargo-packager --locked
+          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
+          KEYCHAIN_PW="$(openssl rand -hex 32)"
+          security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          security set-keychain-settings "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          echo -n "$APPLICATION_P12" | base64 --decode -o "$RUNNER_TEMP/app.p12"
+          echo -n "$INSTALLER_P12"   | base64 --decode -o "$RUNNER_TEMP/inst.p12"
+          security import "$RUNNER_TEMP/app.p12"  -P "$P12_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          security import "$RUNNER_TEMP/inst.p12" -P "$P12_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+
+      - name: Compute version from tag
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
 
       - name: Build ggsql binary (x86_64)
         run: cargo build --release --bin ggsql --bin ggsql-jupyter
 
-      - name: Bundle and sign dynamic library dependencies
+      - name: Bundle dynamic library dependencies
         run: |
-          dylibbundler -cd -of -b -x target/release/ggsql -d ./libs/ -p @executable_path/../Resources/libs/
-          dylibbundler -cd -of -b -x target/release/ggsql-jupyter -d ./libs/ -p @executable_path/../Resources/libs/
+          dylibbundler -cd -of -b -x target/release/ggsql         -d ./libs/ -p "@executable_path/../lib/ggsql$VERSION/"
+          dylibbundler -cd -of -b -x target/release/ggsql-jupyter -d ./libs/ -p "@executable_path/../lib/ggsql$VERSION/"
 
-      - name: Ad-hoc sign binaries
+      - name: Sign binaries and dylibs (Developer ID Application)
+        env:
+          SIGN_ID: "Developer ID Application: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}"
         run: |
-          codesign --force --sign - target/release/ggsql
-          codesign --force --sign - target/release/ggsql-jupyter
-
-      - name: Build DMG installer (x86_64)
-        run: cargo packager --release --formats dmg
+          # Sign bundled dylibs first (inside-out), replacing dylibbundler's ad-hoc sigs
+          find ./libs -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+            xargs -0 -I{} codesign --force --options runtime --timestamp --sign "$SIGN_ID" "{}"
+          # Then sign the executables with hardened runtime + entitlements
+          codesign --force --options runtime --timestamp \
+            --entitlements src/entitlements.plist \
+            --sign "$SIGN_ID" target/release/ggsql
+          codesign --force --options runtime --timestamp \
+            --entitlements src/entitlements.plist \
+            --sign "$SIGN_ID" target/release/ggsql-jupyter
+
+      - name: Build and notarize PKG installer (x86_64)
+        # NOTE: --sign uses the Developer ID *Installer* cert (signs .pkg only),
+        # distinct from the Developer ID Application cert used to sign Mach-O above.
         env:
-          APPLE_CERTIFICATE: ${{ secrets.GWS_APPLE_SIGN_P12 }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }}
+          SIGN_ID: "Developer ID Installer: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}"
           APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }}
           APPLE_API_ISSUER: ${{ secrets.GWS_APPLE_API_ISSUER }}
-
-      - name: Upload DMG installer (x86_64)
+        run: |
+          PKG_NAME="ggsql_${VERSION}_x86_64.pkg"
+          mkdir -p pkg-payload/usr/local/bin "pkg-payload/usr/local/lib/ggsql$VERSION"
+          cp target/release/ggsql          pkg-payload/usr/local/bin/
+          cp target/release/ggsql-jupyter  pkg-payload/usr/local/bin/
+          cp -R ./libs/. "pkg-payload/usr/local/lib/ggsql$VERSION/"
+          mkdir -p pkg-scripts
+          cat > pkg-scripts/postinstall <<EOF
+          #!/bin/sh
+          mkdir -p /usr/local/bin /usr/local/lib/ggsql$VERSION
+          EOF
+          chmod 755 pkg-scripts/postinstall
+          pkgbuild \
+            --root ./pkg-payload \
+            --install-location / \
+            --identifier co.posit.ggsql \
+            --version "$VERSION" \
+            --scripts ./pkg-scripts \
+            --sign "$SIGN_ID" \
+            "$PKG_NAME"
+          xcrun notarytool submit "$PKG_NAME" \
+            --key ~/.private_keys/AuthKey_${APPLE_API_KEY}.p8 \
+            --key-id "$APPLE_API_KEY" \
+            --issuer "$APPLE_API_ISSUER" \
+            --wait
+          xcrun stapler staple "$PKG_NAME"
+
+      - name: Upload PKG installer (x86_64)
         uses: actions/upload-artifact@v4
         with:
-          name: ggsql-macos-dmg-x86_64
-          path: src/target/release/packager/*.dmg
+          name: ggsql-macos-pkg-x86_64
+          path: ggsql_*_x86_64.pkg
           retention-days: 30
 
   build-macos-aarch64:
@@ -200,41 +245,91 @@ jobs:
           APPLE_API_KEY_BASE64: ${{ secrets.GWS_APPLE_API_KEY_BASE64 }}
           APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }}
 
-      - name: Configure macOS installer signing
+      - name: Import signing certificates
         env:
-          APPLE_SIGN_IDENTITY: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}
+          APPLICATION_P12: ${{ secrets.GWS_APPLE_SIGN_APPLICATION_P12 }}
+          INSTALLER_P12: ${{ secrets.GWS_APPLE_SIGN_INSTALLER_P12 }}
+          P12_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }}
         run: |
-          cat <<EOF >> src/Cargo.toml
-
-          [package.metadata.packager.macos]
-          signing-identity = "${APPLE_SIGN_IDENTITY}"
-          entitlements = "entitlements.plist"
-          EOF
-
-      - name: Install cargo-packager
-        run: cargo install cargo-packager --locked
+          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
+          KEYCHAIN_PW="$(openssl rand -hex 32)"
+          security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          security set-keychain-settings "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          echo -n "$APPLICATION_P12" | base64 --decode -o "$RUNNER_TEMP/app.p12"
+          echo -n "$INSTALLER_P12"   | base64 --decode -o "$RUNNER_TEMP/inst.p12"
+          security import "$RUNNER_TEMP/app.p12"  -P "$P12_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          security import "$RUNNER_TEMP/inst.p12" -P "$P12_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+
+      - name: Compute version from tag
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
 
       - name: Build ggsql binary (aarch64)
         run: cargo build --release --bin ggsql --bin ggsql-jupyter
 
-      - name: Bundle and sign dynamic library dependencies
+      - name: Bundle dynamic library dependencies
         run: |
-          dylibbundler -cd -of -b -x target/release/ggsql -d ./libs/ -p @executable_path/../Resources/libs/
-          dylibbundler -cd -of -b -x target/release/ggsql-jupyter -d ./libs/ -p @executable_path/../Resources/libs/
+          dylibbundler -cd -of -b -x target/release/ggsql         -d ./libs/ -p "@executable_path/../lib/ggsql$VERSION/"
+          dylibbundler -cd -of -b -x target/release/ggsql-jupyter -d ./libs/ -p "@executable_path/../lib/ggsql$VERSION/"
 
-      - name: Build DMG installer (aarch64)
-        run: cargo packager --release --formats dmg
+      - name: Sign binaries and dylibs (Developer ID Application)
         env:
-          APPLE_CERTIFICATE: ${{ secrets.GWS_APPLE_SIGN_P12 }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }}
+          SIGN_ID: "Developer ID Application: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}"
+        run: |
+          # Sign bundled dylibs first (inside-out), replacing dylibbundler's ad-hoc sigs
+          find ./libs -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+            xargs -0 -I{} codesign --force --options runtime --timestamp --sign "$SIGN_ID" "{}"
+          # Then sign the executables with hardened runtime + entitlements
+          codesign --force --options runtime --timestamp \
+            --entitlements src/entitlements.plist \
+            --sign "$SIGN_ID" target/release/ggsql
+          codesign --force --options runtime --timestamp \
+            --entitlements src/entitlements.plist \
+            --sign "$SIGN_ID" target/release/ggsql-jupyter
+
+      - name: Build and notarize PKG installer (aarch64)
+        # NOTE: --sign uses the Developer ID *Installer* cert (signs .pkg only),
+        # distinct from the Developer ID Application cert used to sign Mach-O above.
+        env:
+          SIGN_ID: "Developer ID Installer: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }}"
           APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }}
           APPLE_API_ISSUER: ${{ secrets.GWS_APPLE_API_ISSUER }}
-
-      - name: Upload DMG installer (aarch64)
+        run: |
+          PKG_NAME="ggsql_${VERSION}_aarch64.pkg"
+          mkdir -p pkg-payload/usr/local/bin "pkg-payload/usr/local/lib/ggsql$VERSION"
+          cp target/release/ggsql          pkg-payload/usr/local/bin/
+          cp target/release/ggsql-jupyter  pkg-payload/usr/local/bin/
+          cp -R ./libs/. "pkg-payload/usr/local/lib/ggsql$VERSION/"
+          mkdir -p pkg-scripts
+          cat > pkg-scripts/postinstall <<EOF
+          #!/bin/sh
+          mkdir -p /usr/local/bin /usr/local/lib/ggsql$VERSION
+          EOF
+          chmod 755 pkg-scripts/postinstall
+          pkgbuild \
+            --root ./pkg-payload \
+            --install-location / \
+            --identifier co.posit.ggsql \
+            --version "$VERSION" \
+            --scripts ./pkg-scripts \
+            --sign "$SIGN_ID" \
+            "$PKG_NAME"
+          xcrun notarytool submit "$PKG_NAME" \
+            --key ~/.private_keys/AuthKey_${APPLE_API_KEY}.p8 \
+            --key-id "$APPLE_API_KEY" \
+            --issuer "$APPLE_API_ISSUER" \
+            --wait
+          xcrun stapler staple "$PKG_NAME"
+
+      - name: Upload PKG installer (aarch64)
         uses: actions/upload-artifact@v4
         with:
-          name: ggsql-macos-dmg-aarch64
-          path: src/target/release/packager/*.dmg
+          name: ggsql-macos-pkg-aarch64
+          path: ggsql_*_aarch64.pkg
           retention-days: 30
 
   build-linux-x86_64:
@@ -412,7 +507,7 @@ jobs:
           files: |
             artifacts/**/*.exe
             artifacts/**/*.msi
-            artifacts/**/*.dmg
+            artifacts/**/*.pkg
             artifacts/**/*.deb
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ default-members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.2.6"
+version = "0.2.7"
 edition = "2021"
 authors = ["ggsql Team"]
 license = "MIT"
@@ -26,8 +26,8 @@ description = "A declarative visualization language that extends SQL with powerf
 
 [workspace.dependencies]
 # workspace packages
-tree-sitter-ggsql = { path = "tree-sitter-ggsql", version = "0.2.6" }
-ggsql = { path = "src", version = "0.2.6" }
+tree-sitter-ggsql = { path = "tree-sitter-ggsql", version = "0.2.7" }
+ggsql = { path = "src", version = "0.2.7" }
 
 # Parsing
 csscolorparser = "0.8.1"

diff --git a/doc/get_started/installation.qmd b/doc/get_started/installation.qmd
@@ -19,7 +19,7 @@ ggsql provides native installers for Windows, macOS, and Linux. Choose the best
 |----------|----------|------|
 | **Windows** | `.exe` | |
 | | `.msi` | |
-| **macOS** | `.dmg` | |
+| **macOS** | `.pkg` | |
 | **Linux** | `.deb` | |
 
 Download from [GitHub Releases](https://github.com/posit-dev/ggsql/releases)
@@ -64,7 +64,7 @@ Download from [GitHub Releases](https://github.com/posit-dev/ggsql/releases)
   const patterns = {
     windows_exe: /^ggsql[_-]\d.*x64.*-setup\.exe$/i,
     windows_msi: /^ggsql[_-]\d.*x64.*\.msi$/i,
-    macos: /^ggsql[_-]\d.*(aarch64|arm64).*\.dmg$/i,
+    macos: /^ggsql[_-]\d.*(aarch64|arm64).*\.pkg$/i,
     linux: /^ggsql[_-]\d.*amd64.*\.deb$/i
   };
 

diff --git a/doc/index.qmd b/doc/index.qmd
@@ -119,7 +119,7 @@ uv tool install ggsql
 
   const patterns = {
     windows_exe: /^ggsql[_-]\d.*x64.*-setup\.exe$/i,
-    macos: /^ggsql[_-]\d.*(aarch64|arm64).*\.dmg$/i,
+    macos: /^ggsql[_-]\d.*(aarch64|arm64).*\.pkg$/i,
     linux: /^ggsql[_-]\d.*amd64.*\.deb$/i
   };
 

diff --git a/ggsql-jupyter/pyproject.toml b/ggsql-jupyter/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "ggsql-jupyter"
-version = "0.2.6"
+version = "0.2.7"
 description = "Jupyter kernel for ggsql - SQL extension for declarative data visualization"
 readme = "README.md"
 license = { text = "MIT" }

diff --git a/ggsql-python/Cargo.toml b/ggsql-python/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "ggsql-python"
-version = "0.2.6"
+version = "0.2.7"
 edition = "2021"
 authors.workspace = true
 license.workspace = true

diff --git a/ggsql-python/pyproject.toml b/ggsql-python/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "ggsql"
-version = "0.2.6"
+version = "0.2.7"
 description = "SQL extension for declarative data visualization"
 readme = "README.md"
 requires-python = ">=3.10"

diff --git a/ggsql-python/python/ggsql/__init__.py b/ggsql-python/python/ggsql/__init__.py
@@ -27,7 +27,7 @@
     "execute",
     "render_altair",
 ]
-__version__ = "0.2.6"
+__version__ = "0.2.7"
 
 # Type alias for any Altair chart type
 AltairChart = Union[

diff --git a/ggsql-vscode/CHANGELOG.md b/ggsql-vscode/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.2.7
+
+Alpha release.
+
+- Switch macOS installer from .dmg to .pkg
+
 ## 0.2.6
 
 Alpha release.

diff --git a/ggsql-vscode/package-lock.json b/ggsql-vscode/package-lock.json