fix(setup): surface codesign failures, verify signatures, exit non-zero on Apple Silicon (closes #1254)#1525
Open
mvanhorn wants to merge 1 commit into
…ro on Apple Silicon

Closes garrytan#1254.

Three changes to the codesign loop in setup (lines 288-303):

1. Capture codesign stderr to a tempfile and print it via the log helper. The previous `2>/dev/null` swallowed every diagnostic, so users hit SIGKILL minutes later with no breadcrumb explaining what went wrong.
2. Run `codesign --verify --strict` after signing to catch silent corruption. The reporter's repro had 5/5 binaries unsigned despite a clean setup exit; the verify step makes that case visible at setup time.
3. Track failures and exit 1 when any binary fails to sign or verify. The previous `log "warning: ..."` returned 0 so setup silently succeeded; now it fails loud per the CLAUDE.md "never silent failures" guidance.

The Darwin+arm64 guard is unchanged. Other platforms see no behavior change. The codesign machinery itself is fine (the reporter's manual `codesign --remove-signature && codesign -s - -f` recipe works on the same machine); only the wrapper needed hardening.

test/setup-codesign.test.ts: 6 pass / 0 fail. Old assertions about 'warning, not fatal' replaced with assertions for the new fail-loud behavior. Existing for-loop coverage expanded to assert all 5 binaries (the setup loop already had 5; the test only checked 4).

Reported by @lucascaro.
Summary
Setup's Apple Silicon codesign loop now surfaces codesign's stderr, verifies each signature actually applied, and exits non-zero when any binary fails to sign. The previous wrapper swallowed every error and exited 0 even when 5 of 5 binaries were left unsigned, so users hit SIGKILL minutes later with no breadcrumb.
Why this matters
That's @lucascaro on #1254. The reporter pinpointed the codesign loop in `setup` lines 247-264 (now 288-303 after subsequent edits), reproduced 5/5 binaries unsigned despite a clean setup exit, and confirmed the manual recipe (`codesign --remove-signature && codesign -s - -f`) works on the same machine. The codesign machinery itself is fine; only the wrapper was lying.

The original codesign loop landed in #1056 / v0.18.4.0 to fix #997 (the SIGKILL class). It was correct on the happy path, but its three failure modes were all silent: `2>/dev/null` swallowed diagnostics, `log "warning: ..."` returned 0, and there was no verification step to catch a signature that didn't take.

Changes

`setup` lines 288-303 (the Darwin+arm64 codesign block) now:

- Captures `codesign --remove-signature` and `codesign -s - -f` stderr to a tempfile and prints it via the existing `log` helper if non-empty. Users see exactly what codesign said.
- Runs `codesign --verify --strict "$_bin_path"` after signing. Catches the silent-corruption case the reporter hit (signature applied but doesn't actually verify).
- Tracks a `_codesign_failures` counter. Both signing failures and verification failures bump it.

Testing

`bun test test/setup-codesign.test.ts`: 6 pass / 0 fail. Old assertions about "warning, not fatal" replaced with assertions for the new fail-loud structure. The `set -e` smoke test still passes (the codesign block is syntactically valid bash). Existing for-loop coverage expanded to assert all 5 binaries the setup loop iterates (the test was only checking 4; setup itself already had 5).

Fixes #1254.
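The three hardening steps listed under Changes, as an added illustrative loop that is not the project's `setup` script: stderr goes to a tempfile and is logged, each signature is verified with `--verify --strict`, and a failure counter makes the function return 1. The `CODESIGN` variable and the minimal `log` stand-in are assumptions of this example (the variable lets a test substitute a fake for the real Apple tool); the recipe itself is the one the page quotes.

```shell
#!/usr/bin/env bash
# Assumed: CODESIGN names the signing tool so a test can substitute a stand-in.
CODESIGN="${CODESIGN:-codesign}"

# Stand-in for the setup script's log helper (assumption of this example).
log() { printf '%s\n' "$*" >&2; }

# Ad-hoc sign and verify every binary given. Safe under `set -e`.
# Returns 1 if any binary fails to sign or to verify; sets _codesign_failures.
sign_binaries() {
  _codesign_failures=0
  _err="$(mktemp)" || return 1
  for _bin_path in "$@"; do
    # Keep codesign's stderr instead of discarding it with 2>/dev/null.
    if ! "$CODESIGN" --remove-signature "$_bin_path" 2>"$_err" \
       || ! "$CODESIGN" -s - -f "$_bin_path" 2>"$_err"; then
      log "error: codesign failed for $_bin_path"
      if [ -s "$_err" ]; then log "$(cat "$_err")"; fi
      _codesign_failures=$((_codesign_failures + 1))
      continue
    fi
    # A signature that applied but does not verify is the silent-corruption case.
    if ! "$CODESIGN" --verify --strict "$_bin_path" 2>"$_err"; then
      log "error: signature on $_bin_path does not verify"
      if [ -s "$_err" ]; then log "$(cat "$_err")"; fi
      _codesign_failures=$((_codesign_failures + 1))
    fi
  done
  rm -f "$_err"
  if [ "$_codesign_failures" -gt 0 ]; then
    log "error: $_codesign_failures binary(ies) failed to codesign; refusing to continue"
    return 1
  fi
  return 0
}
```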
AI was used for assistance.