From 1c20835f4c585aedbfdacd25cbd955885965c72d Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Wed, 7 May 2025 13:19:33 +0200 Subject: [PATCH 1/6] debug ddev build --- .github/workflows/build-ddev.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index aba0cfa53236c..03a16a5a890c0 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml @@ -545,12 +545,20 @@ jobs: - name: Sign PKG run: >- - rcodesign sign -vv + rcodesign sign -vvv --deep --strict --pem-source /tmp/certificate-installer.pem --pem-source /tmp/private-key-installer.pem "staged/${{ steps.pkg.outputs.path }}" "signed/${{ steps.pkg.outputs.path }}" + - name: pkgutil check signature + run: >- + pkgutil --check-signature "signed/${{ steps.pkg.outputs.path }}" + + - name: check timestamp + run: >- + codesign -dvv "signed/${{ steps.pkg.outputs.path }} + - name: Notarize PKG run: >- rcodesign notary-submit From 6ef4fb0d57825c68ca0e8cbfc7aab6e040fd0233 Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Wed, 7 May 2025 13:32:17 +0200 Subject: [PATCH 2/6] remove options that won't work for rcodesign --- .github/workflows/build-ddev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index 03a16a5a890c0..443d7d3208a04 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml @@ -545,7 +545,7 @@ jobs: - name: Sign PKG run: >- - rcodesign sign -vvv --deep --strict + rcodesign sign -vvv --pem-source /tmp/certificate-installer.pem --pem-source /tmp/private-key-installer.pem "staged/${{ steps.pkg.outputs.path }}" From d54e525714bf34a81e3afdfb3e2c39948b3db20f Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Wed, 7 May 2025 13:45:59 +0200 Subject: [PATCH 3/6] fix quote --- .github/workflows/build-ddev.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
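Review bot: The two verification steps added in patch 1/6 paste `${{ steps.pkg.outputs.path }}` straight into the `run:` script, so the runner expands it before bash parses the line and any shell metacharacter in the path becomes script text. Pass the value through the environment instead: give the step an `env:` entry `PKG_PATH: ${{ steps.pkg.outputs.path }}` and use `"signed/$PKG_PATH"` in the command. The existing Sign PKG step has the same pattern, and it recurs in the `rcodesign print-signature-info` step added in patch 5/6. Separately, `-vvv` is now set on the command that reads `/tmp/private-key-installer.pem`; confirm that trace-level output writes nothing sensitive to the job log, and lower it again once debugging is finished.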
diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index 443d7d3208a04..acffc7391b16f 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml @@ -557,7 +557,7 @@ jobs: - name: check timestamp run: >- - codesign -dvv "signed/${{ steps.pkg.outputs.path }} + codesign -dvv "signed/${{ steps.pkg.outputs.path }}" - name: Notarize PKG run: >- From 84569b9fbeb9a83e74b8d21644df0e019ec3e742 Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Wed, 7 May 2025 14:19:09 +0200 Subject: [PATCH 4/6] remove useless check --- .github/workflows/build-ddev.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index acffc7391b16f..881e215c143a0 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml @@ -555,9 +555,11 @@ jobs: run: >- pkgutil --check-signature "signed/${{ steps.pkg.outputs.path }}" - - name: check timestamp - run: >- - codesign -dvv "signed/${{ steps.pkg.outputs.path }}" + # codesign thinks the pkg file isn't signed at all + # https://github.com/DataDog/integrations-core/actions/runs/14882554334/job/41794332393?pr=20234#step:28:15 + # - name: check timestamp + # run: >- + # codesign -dvv "signed/${{ steps.pkg.outputs.path }}" - name: Notarize PKG run: >- From bc180f829e067d45f3c9c5fe22d17c5799845de6 Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Wed, 7 May 2025 14:58:02 +0200 Subject: [PATCH 5/6] add check with rcodesign --- .github/workflows/build-ddev.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index 881e215c143a0..6cad3a261d34c 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml 
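Review bot: In patch 4/6 the comment that replaces the `check timestamp` step explains the failure only through a link to an Actions run, and run logs are removed after the retention period, so the reason will eventually be unrecoverable. State it in the comment itself, for example `# codesign -dvv reports the .pkg as not signed at all; the installer signature is checked with pkgutil --check-signature above`. The commit subject says the check is removed, so deleting the three commented-out lines rather than keeping them would match it and leave no dead YAML between the signing and notarization steps.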
@@ -555,6 +555,9 @@ jobs: run: >- pkgutil --check-signature "signed/${{ steps.pkg.outputs.path }}" + - name: rcodesign print-signature-info + run: >- + rcodesign print-signature-info "signed/${{ steps.pkg.outputs.path }}" # codesign thinks the pkg file isn't signed at all # https://github.com/DataDog/integrations-core/actions/runs/14882554334/job/41794332393?pr=20234#step:28:15 # - name: check timestamp From 6bc103c54d521471cae871d96e609d0f33285665 Mon Sep 17 00:00:00 2001 From: Ilia Kurenkov Date: Fri, 9 May 2025 12:18:09 +0200 Subject: [PATCH 6/6] wait for notarization service processing --- .github/workflows/build-ddev.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml index 6cad3a261d34c..e80b17c222258 100644 --- a/.github/workflows/build-ddev.yml +++ b/.github/workflows/build-ddev.yml @@ -447,6 +447,7 @@ jobs: cd ../notarize-bin for f in *; do rcodesign notary-submit -vv \ + --wait \ --api-key-path /tmp/app-store-connect.json \ "$f" done
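Review bot: The `rcodesign print-signature-info` step added in patch 5/6 only prints what it finds, so as far as this hunk shows it records the signature in the log but asserts nothing about it before the package goes to notarization. If the step is meant to outlive the debugging session, either check the output for the expected signer and timestamp or name it so that it is clearly informational. The new step also appears to run directly into the `# codesign thinks…` comment with no blank line, which makes that comment read as if it describes this step; a blank line after the `run:` block would separate them.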
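Review bot: With `--wait` added in patch 6/6, every iteration of the `for f in *` loop now blocks on the notary service, and nothing in the hunk bounds that time explicitly. Consider setting `--max-wait-seconds` on the command and `timeout-minutes` on the step, so a stalled submission fails the job predictably instead of holding the runner. A shell comment above the `rcodesign notary-submit` line, such as `# wait for the notary verdict so a rejected binary fails the build`, would record why the flag is there, assuming that is the intent. The loop and its enclosing `run:` block begin outside the hunk, so the shell options in effect cannot be checked from here.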