fix(ci): ad-hoc codesign macOS release bundles (fix "is damaged")#48
Merged
Conversation
Downloads of the macOS app showed "codex_switch.app is damaged" on Sequoia 15+ with no "Open anyway" option. Root cause: the `--no-sign` build left only the Rust linker's binary-level ad-hoc signature (flags 0x20002 adhoc,linker-signed) with NO full bundle codesign, so `codesign --verify` reported "code has no resources but signature indicates they must be present" -- a mismatched signature Gatekeeper rejects outright once the download is quarantined. Fix (mirrors codex-app-transfer release.yml signing path): - package.json: drop `--no-sign` from tauri:build:macos-release. - build.yml Build step exports APPLE_SIGNING_IDENTITY -- a real Developer ID when the APPLE_SIGNING_IDENTITY secret is set, else ad-hoc "-" -- so Tauri does a complete `codesign --sign` of the bundle. - build.yml adds a `codesign --verify --deep --strict` gate so an unsigned/mismatched bundle fails the build instead of shipping. Verified locally: an ad-hoc release build yields flags 0x10002 (adhoc,runtime) with a clean codesign --verify, and the signature survives macos:pkg + finalize inside the dmg. Also records #46's recursive-glob fix that attaches Linux assets.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Downloading the macOS app and opening it shows "codex_switch.app is damaged, move to Trash" on macOS Sequoia 15+, with no "Open anyway" option.
Root cause (verified against the CI-built dmg)
--no-signleft only the Rust linker's binary-level ad-hoc signature (flags 0x20002 adhoc,linker-signed) with no full bundle codesign.codesign --verifyon the shipped app reports:— a mismatched/incomplete signature. Once the download carries a
com.apple.quarantineflag, Gatekeeper rejects it outright as "is damaged" (not the softer "unverified developer → Open anyway"). It is not "completely unsigned" (the linker already ad-hoc signs the Mach-O); the gap is the missing bundle-level codesign.Fix (mirrors codex-app-transfer's release.yml signing path)
--no-signfromtauri:build:macos-release.APPLE_SIGNING_IDENTITY— a real Developer ID when theAPPLE_SIGNING_IDENTITYsecret is set, else ad-hoc-— so Tauri does a completecodesign --signof the bundle.codesign --verify --deep --strictgate before upload so an unsigned/mismatched bundle fails the build instead of shipping.Verification (local ad-hoc release build)
The produced dmg's app now has
flags 0x10002 (adhoc,runtime)and a cleancodesign --verify("valid on disk", "satisfies its Designated Requirement"), and the signature survivesmacos:pkg+finalizeinside the dmg.(Also records #46's recursive-glob fix so Linux
.deb/.AppImageattach to releases.)🤖 Generated with Claude Code