Skip to content

fix(ci): verify the app inside the dmg, not the removed standalone .app #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Cmochance merged 1 commit into from
May 29, 2026
Merged

fix(ci): verify the app inside the dmg, not the removed standalone .app #49

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 18 additions & 9 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,19 +170,28 @@ jobs:
fi
npm run ${{ matrix.tauri_script }}

- name: Verify macOS .app is codesigned
- name: Verify macOS .app inside dmg is codesigned
if: runner.os == 'macOS'
shell: bash
run: |
# Fail early if the bundle came out unsigned — an unsigned .app is
# exactly what shows "is damaged" on Sequoia with no way to open.
# Mirrors codex-app-transfer release.yml's codesign sanity check.
app="$(find src-tauri/target dist -type d -name 'codex_switch.app' -print -quit 2>/dev/null)"
if [[ -z "$app" ]]; then
echo "::error::no codex_switch.app found to verify"; exit 1
# Verify the app INSIDE the dmg — the release finalize step
# (macos:artifacts:finalize:release) removes the standalone .app and
# keeps only the dmg/pkg, so that's what users actually download. An
# unsigned/mismatched bundle is exactly what shows "is damaged" on
# Sequoia. Mirrors codex-app-transfer's codesign sanity check.
dmg="$(find src-tauri/target dist -name '*.dmg' -print -quit 2>/dev/null)"
if [[ -z "$dmg" ]]; then echo "::error::no dmg found to verify"; exit 1; fi
echo "verifying app inside: $dmg"
hdiutil attach "$dmg" -nobrowse -mountpoint /tmp/verify-dmg
app="$(find /tmp/verify-dmg -maxdepth 2 -name '*.app' -print -quit)"
rc=1
if [[ -n "$app" ]]; then
codesign --verify --deep --strict --verbose=2 "$app"; rc=$?
Copy link
Copy Markdown

@devin-ai-integration devin-ai-integration Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 set -e causes immediate exit on codesign failure, skipping DMG detach cleanup

GitHub Actions runs shell: bash steps with set -eo pipefail by default. On line 189, codesign --verify --deep --strict --verbose=2 "$app"; rc=$? — if codesign returns non-zero, set -e terminates the script immediately before rc=$? executes. The then-body of an if statement is not exempt from set -e (only the if condition itself is exempt). This means when codesign verification fails (the exact scenario this check is designed to catch), hdiutil detach on line 193 is never reached (leaving the DMG mounted) and the descriptive error message on line 194 is never printed. The step does still fail (which is correct), but the cleanup and user-facing error message are bypassed.

The fix is to use || rc=$? or && rc=0 || rc=$? so that the non-zero exit code is captured without triggering set -e.

Suggested change
codesign --verify --deep --strict --verbose=2 "$app"; rc=$?
codesign --verify --deep --strict --verbose=2 "$app" && rc=0 || rc=$?
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

else
echo "::error::no .app inside dmg"
fi
echo "verifying codesign on: $app"
codesign --verify --deep --strict --verbose=2 "$app"
hdiutil detach /tmp/verify-dmg >/dev/null 2>&1 || true
[[ $rc -eq 0 ]] || { echo "::error::dmg app failed codesign verify"; exit 1; }

- name: Upload artifacts
uses: actions/upload-artifact@v4
Expand Down
Loading