
Revert passkey stack (nightly broken; users can't launch) #2681

Merged
austinywang merged 5 commits into main from revert-passkey-nightly-broken
Apr 7, 2026

@austinywang austinywang commented Apr 7, 2026

Summary

Reverts the passkey/WebAuthn stack and all follow-up codesign attempts because nightly is currently unlaunchable for users. Reverting to restore a working nightly immediately; passkey support can be re-landed after the codesign/entitlement story is validated end-to-end against a real nightly artifact before shipping.

Reverted commits (newest first)

| PR | Commit | Title |
|---|---|---|
| #2680 | 2afa083d | Fix codesign: path filter excluded all files inside outer .app |
| #2679 | 2ff7478c | Fix codesign: drop -perm filter so Sparkle Autoupdate gets signed |
| #2677 | e88ff434 | Fix codesign: three-pass signing for Sparkle nested executables |
| #2676 | 9412c790 | Fix nightly codesign: sign nested plugins and frameworks before outer app |
| #2660 | f550206f | Add passkey, WebAuthn, and FIDO2 support to browser pane |

PRs #2676–#2680 were all follow-up attempts to fix codesign/notarization issues introduced by #2660 (new com.apple.developer.web-browser.public-key-credential entitlement, split embedded-vs-outer entitlements, and a reworked multi-pass signing flow). None of them landed a working nightly.

Not reverted

Intentionally preserved (the passkey PRs were interleaved with unrelated PRs on main):

Using git revert (not git reset --hard) to keep these.

Follow-up

Reopens:

Re-landing passkeys should (a) be prototyped end-to-end against a signed nightly build before merge, (b) cut an RC nightly from the branch and confirm it launches on clean installs, and (c) only then merge to main.

Test plan

  • CI green on the revert
  • Trigger a fresh nightly after merge
  • Verify the nightly launches on a clean install (no more passkey-broken codesign)

Note

Medium Risk
Adjusts macOS signing/entitlements in CI and build scripts; mistakes here can again produce unsigned/unlaunchable artifacts even though the change is largely a revert/simplification.

Overview
Reverts the passkey/WebAuthn stack from the embedded browser: removes AuthenticationServices-based passkey authorization prompting code, associated unit tests, and the Bluetooth usage description strings.

Drops the com.apple.developer.web-browser.public-key-credential entitlement and deletes cmux.embedded.entitlements, consolidating signing onto a single cmux.entitlements file.

Simplifies codesigning in nightly.yml, release.yml, and scripts/build-sign-upload.sh by removing the multi-pass nested signing logic and instead signing the app with codesign --deep; also removes the assert-passkey-entitlement.sh verification step and local reload signing helpers tied to passkey entitlements.

Reviewed by Cursor Bugbot for commit b90c41f. Bugbot is set up for automated code reviews on this repo. Configure here.


Summary by cubic

Reverts the passkey/WebAuthn stack and recent codesign changes to restore a launchable nightly build. Passkey code and entitlements are removed; signing is simplified to ensure builds run.

  • Bug Fixes
    • Removed passkey logic from the browser and tests; dropped AuthenticationServices use.
    • Removed com.apple.developer.web-browser.public-key-credential entitlement, deleted cmux.embedded.entitlements, and removed the passkey entitlement assert script.
    • Deleted Bluetooth usage strings from Info.plist and localized xcstrings.
    • Simplified signing in nightly.yml, release.yml, and build-sign-upload.sh to a single cmux.entitlements with --deep signing; removed multi-pass nested signing steps.

Written for commit b90c41f. Summary will update on new commits.

Summary by CodeRabbit

Release Notes

  • Features Removed

    • Removed support for passkey authentication in the embedded browser.
  • Chores

    • Removed Bluetooth permission requirement from app manifest.
    • Simplified application codesigning process and build scripts for consistency and streamlined deployment.
    • Removed related test cases and validation utilities.
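
An added example, not code from this PR or the cmux repository: the titles of #2679 and #2680 in the table above describe a `-perm` filter and a path filter that skipped nested code, so this script selects files by Mach-O magic bytes instead and lists them deepest first for a per-file `codesign --verify --strict` audit of a built artifact. The function names and the `VERIFY_CMD` override are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit every Mach-O file inside an app bundle, nested code first.

# Succeeds if the first four bytes of $1 are a Mach-O or universal-binary magic.
is_macho() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    # cafebabe is also the Java .class magic; acceptable for an audit list.
    cffaedfe|cefaedfe|feedfacf|feedface|cafebabe) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the Mach-O files under bundle $1, one per line, deepest path first.
# Files are selected by content, not by executable bit or path pattern.
list_macho_inside_out() {
  find "$1" -type f | while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# Verify each listed file on its own; returns non-zero if any check fails.
# VERIFY_CMD (assumption of this example) replaces the default codesign call.
audit_bundle() {
  rc=0
  list=$(mktemp)
  list_macho_inside_out "$1" > "$list"
  while IFS= read -r f; do
    ${VERIFY_CMD:-codesign --verify --strict} "$f" || { echo "FAIL: $f" >&2; rc=1; }
  done < "$list"
  rm -f "$list"
  return $rc
}
```

Run `audit_bundle "path/to/built.app"` on macOS against the signed artifact before notarization; a non-zero exit names each file whose signature did not verify.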

vercel bot commented Apr 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cmux Ready Ready Preview, Comment Apr 7, 2026 10:41am

cubic-dev-ai bot commented Apr 7, 2026

This review could not be run because your cubic account has exceeded the monthly review limit. If you need help restoring access, please contact contact@cubic.dev.

coderabbitai bot commented Apr 7, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bebb9bab-0f10-4050-bd8d-8b0fde1016ca

📥 Commits

Reviewing files that changed from the base of the PR and between 2afa083 and b90c41f.

📒 Files selected for processing (12)
  • .github/workflows/nightly.yml
  • .github/workflows/release.yml
  • Resources/Info.plist
  • Resources/InfoPlist.xcstrings
  • Sources/Panels/BrowserPanel.swift
  • Sources/Panels/BrowserPopupWindowController.swift
  • cmux.embedded.entitlements
  • cmux.entitlements
  • cmuxTests/BrowserConfigTests.swift
  • scripts/assert-passkey-entitlement.sh
  • scripts/build-sign-upload.sh
  • scripts/reload.sh

Walkthrough

This pull request removes passkey and WebAuthn support from the macOS application. Changes include removing passkey authorization code from browser panels, deleting associated entitlements declarations, simplifying code-signing workflows from multi-pass to single deep-sign operations, and removing related tests and build verification scripts.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build & Signing Infrastructure: .github/workflows/nightly.yml, .github/workflows/release.yml, scripts/build-sign-upload.sh | Simplified macOS codesigning to use single --deep invocation with unified cmux.entitlements file, removing multi-pass nested-bundle signing logic and entitlements assertion script calls. |
| Application Code: Sources/Panels/BrowserPanel.swift, Sources/Panels/BrowserPopupWindowController.swift | Removed passkey authorization manager implementation, AuthenticationServices import, and all navigation-delegate calls that triggered passkey authorization requests. |
| Entitlements & Resources: cmux.entitlements, cmux.embedded.entitlements, Resources/Info.plist, Resources/InfoPlist.xcstrings | Deleted embedded entitlements file, removed web-browser public-key-credential entitlement, removed NSBluetoothAlwaysUsageDescription entries and their 18 localized string variants. |
| Build Scripts: scripts/reload.sh, scripts/assert-passkey-entitlement.sh | Removed keychain identity resolution helper functions from reload script; deleted entire passkey entitlement verification script. |
| Tests: cmuxTests/BrowserConfigTests.swift | Removed BrowserPasskeyAuthorizationSupportTests test class and all related passkey authorization logic tests. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

codex

Poem

🐰 The passkeys have hopped away today,
Bluetooth whispers bid farewell to stay,
One simple sign now rules the way,
Deep and clean—complexity at bay! ✨


@austinywang austinywang merged commit 2669b6d into main Apr 7, 2026
16 of 18 checks passed
greptile-apps bot commented Apr 7, 2026

Greptile Summary

Emergency git revert of the passkey/WebAuthn stack (#2660) and four follow-up codesign fix attempts (#2676–#2680) that left nightly builds unlaunchable. The revert cleanly removes all passkey artifacts: the com.apple.developer.web-browser.public-key-credential entitlement, cmux.embedded.entitlements, the multi-pass codesign scripts, scripts/assert-passkey-entitlement.sh, and all WebAuthn WKWebView delegate code — while preserving the five unrelated PRs that landed in between. Both nightly.yml and release.yml are restored to the simple pre-passkey codesign pattern (--deep with a single cmux.entitlements file) that was previously working.

Confidence Score: 5/5

This PR is safe to merge — it is a targeted revert of confirmed-broken code to restore a working nightly build.

All changes are direct reversions of code confirmed broken in production. The revert is complete (grep finds zero passkey references remaining), the codesign flow is restored to its pre-passkey working state, and no unrelated files are modified. No P0/P1 findings.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/nightly.yml | Codesign step reverted to simple --deep signing; passkey entitlement, multi-pass signing logic, and assert-passkey-entitlement.sh call all removed |
| .github/workflows/release.yml | Codesign step reverted to simple --deep signing; consistent with pre-passkey state |
| cmux.entitlements | com.apple.developer.web-browser.public-key-credential entitlement removed; restored to 6-key pre-passkey state |
| cmux.embedded.entitlements | File deleted; split-entitlements pattern for embedded binaries fully removed |
| scripts/assert-passkey-entitlement.sh | Script deleted; no longer referenced by any workflow |
| Sources/Panels/BrowserPanel.swift | WebAuthn/FIDO2 WKWebView delegate methods and passkey plumbing removed |
| Sources/Panels/BrowserPopupWindowController.swift | Passkey-related popup handling reverted to pre-passkey state |
| scripts/build-sign-upload.sh | Codesign flow restored to pre-passkey simple --deep approach |
| Resources/Info.plist | Passkey-related plist keys removed; standard app metadata restored |
| cmuxTests/BrowserConfigTests.swift | Passkey/WebAuthn tests removed along with the reverted feature |
| scripts/reload.sh | Minor revert of passkey-related change |
| Resources/InfoPlist.xcstrings | Passkey localization strings removed |

Sequence Diagram

sequenceDiagram
    participant CI as GitHub Actions
    participant XC as Xcode Build
    participant CS as codesign
    participant NT as notarytool
    CI->>XC: Build universal app (CODE_SIGNING_ALLOWED=NO)
    XC-->>CI: cmux NIGHTLY.app (unsigned)
    CI->>CS: Sign CLI binary (--entitlements cmux.entitlements)
    CI->>CS: Sign ghostty helper (--entitlements cmux.entitlements)
    CI->>CS: codesign --deep app bundle (cmux.entitlements)
    CS-->>CI: codesign --verify pass
    CI->>NT: notarytool submit (zip)
    NT-->>CI: status: Accepted
    CI->>CI: stapler staple + validate
    CI->>CI: create-dmg
    CI->>NT: notarytool submit (dmg)
    NT-->>CI: status: Accepted
    CI->>CI: Publish nightly release assets

Reviews (1): Last reviewed commit: "Revert "Add passkey, WebAuthn, and FIDO2..." | Re-trigger Greptile
