fix(desktop): seal macOS release bundles#97
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 329e364dff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| echo "release checkout is not clean" >&2 | ||
| exit 1 | ||
| fi | ||
| git -C "$repo" tag -v "$tag" >/dev/null 2>&1 || { |
There was a problem hiding this comment.
Pin the authorized release-tag signing key
When the maintainer keyring contains a public key belonging to any contributor or other unapproved signer, git tag -v succeeds for that key's cryptographically valid signature even if the key is not trusted for releases; its help only describes -v as “verify tags,” not authorize the signer. An attacker able to publish such a tag could therefore have arbitrary code signed with the Foundation Developer ID certificate. Check the verified signer's fingerprint against an explicit release-key allowlist before packaging.
Useful? React with 👍 / 👎.
Summary
connectTimeoutRoot cause
The v0.2.0 release workflow set
CSC_IDENTITY_AUTO_DISCOVERY=falseand never supplied a signing identity. Electron Builder therefore preserved Electron's linker/ad-hoc executable signatures but never created an outer app resource seal. The shipped app reported identifierElectron, no team, andSealed Resources=none; strict verification failed withcode has no resources but signature indicates they must be present.Proof
pnpm checkpnpm test:desktopshellcheck apps/desktop/scripts/package-macos-release.sh apps/desktop/scripts/verify-macos-app.sh apps/desktop/scripts/verify-macos-release.shactionlint .github/workflows/release.ymlchat.clickclack.desktopby TeamFWJYW4S8P8, hardened runtime enabled,Sealed Resources version=2codesign --verify --strict --deep --verbose=4 ClickClack.app: valid on disk and satisfies its designated requirementApple accepted both notarization uploads but the client received
HTTPClientError.connectTimeoutafter the mandated 10-minute wait and single retry; both submissions remained in progress at closeout. The pipeline correctly stopped before producing release archives. Consequently, localspctlreportssource=Unnotarized Developer IDuntil one of those existing submissions completes and a ticket can be stapled. No further submission was attempted.