From 9abcfece66e90761ecd5aceb0a9129dbeb7eb508 Mon Sep 17 00:00:00 2001
From: Andi Anderson <andi@cloudflare.com>
Date: Fri, 12 Dec 2025 12:28:39 -0800
Subject: [PATCH 1/4] TUN-9886 notarize cloudflared

---
 .ci/scripts/mac/build.sh | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/.ci/scripts/mac/build.sh b/.ci/scripts/mac/build.sh
index 765c1de5..e66f2dc2 100755
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@@ -178,8 +178,13 @@ fi
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
   codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 
- # notarize the binary
- # TODO: TUN-5789
+  echo "Uploading ${BINARY_NAME} to apple portal."
+  xcrun notarytool submit                                                     \
+    "${BINARY_NAME}"                                                          \
+    --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db \
+    --verbose                                                                 \
+    --wait                                                                    \
+    --timeout 15m
 fi
 
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
@@ -207,8 +212,16 @@ if [[ ! -z "$PKG_SIGN_NAME" ]]; then
       --sign "${PKG_SIGN_NAME}" \
       ${PKGNAME}
 
-      # notarize the package
-      # TODO: TUN-5789
+  echo "Uploading ${PKG_NAME} to apple portal."
+  xcrun notarytool submit                                                     \
+    "${PKG_NAME}"                                                             \
+    --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db \
+    --verbose                                                                 \
+    --wait                                                                    \
+    --timeout 15m
+
+  echo "Stapling ${PKG_NAME}"
+  xcrun stapler staple "${PKG_NAME}"
 else
     pkgbuild --identifier com.cloudflare.${PRODUCT} \
       --version ${VERSION} \

From efd0189121e1f7a860910d5d5006464fd65020e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?=
 <joaocarlos@cloudflare.com>
Date: Wed, 21 Jan 2026 13:33:53 +0000
Subject: [PATCH 2/4] Revert "TUN-9886 notarize cloudflared"

This reverts commit 9abcfece66e90761ecd5aceb0a9129dbeb7eb508.
---
 .ci/scripts/mac/build.sh | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/.ci/scripts/mac/build.sh b/.ci/scripts/mac/build.sh
index e66f2dc2..765c1de5 100755
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@@ -178,13 +178,8 @@ fi
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
   codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 
-  echo "Uploading ${BINARY_NAME} to apple portal."
-  xcrun notarytool submit                                                     \
-    "${BINARY_NAME}"                                                          \
-    --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db \
-    --verbose                                                                 \
-    --wait                                                                    \
-    --timeout 15m
+ # notarize the binary
+ # TODO: TUN-5789
 fi
 
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
@@ -212,16 +207,8 @@ if [[ ! -z "$PKG_SIGN_NAME" ]]; then
       --sign "${PKG_SIGN_NAME}" \
       ${PKGNAME}
 
-  echo "Uploading ${PKG_NAME} to apple portal."
-  xcrun notarytool submit                                                     \
-    "${PKG_NAME}"                                                             \
-    --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db \
-    --verbose                                                                 \
-    --wait                                                                    \
-    --timeout 15m
-
-  echo "Stapling ${PKG_NAME}"
-  xcrun stapler staple "${PKG_NAME}"
+      # notarize the package
+      # TODO: TUN-5789
 else
     pkgbuild --identifier com.cloudflare.${PRODUCT} \
       --version ${VERSION} \

From 2b95c610449611a21f08b38369db36215e5d5565 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?=
 <joaocarlos@cloudflare.com>
Date: Fri, 23 Jan 2026 12:45:36 +0000
Subject: [PATCH 3/4] Revert "TUN-9863: Update pipelines to use cloudflared EV
 Certificate"

This reverts commit 789a9b110db59c37d85b6b02a857e6a19631f0ad.
---
 .ci/windows.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.ci/windows.gitlab-ci.yml b/.ci/windows.gitlab-ci.yml
index f18db42c..4a1bb35a 100644
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@@ -56,7 +56,7 @@ windows-load-env-variables:
       vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
       file: false
     KEY_VAULT_CERTIFICATE:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate_v2/key_vault_certificate@kv
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
       file: false
   artifacts:
     access: 'none'

From d7c62aed71e2aaccbe9230b9928f0e52a53f11c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?=
 <joaocarlos@cloudflare.com>
Date: Fri, 23 Jan 2026 12:45:53 +0000
Subject: [PATCH 4/4] Release 2026.1.2

---
 RELEASE_NOTES | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index a6e8807e..1f12210e 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -1,3 +1,8 @@
+2026.1.2
+- 2026-01-23 Revert "TUN-9863: Update pipelines to use cloudflared EV Certificate"
+- 2026-01-21 Revert "TUN-9886 notarize cloudflared"
+- 2025-12-12 TUN-9886 notarize cloudflared
+
 2026.1.1
 - 2026-01-19 fix: Update boto3 to run on trixie
 - 2026-01-19 fix: Fix wixl bundling tool for windows msi packages