Implement separate mesh binary + .msh installation for macOS #69
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements comprehensive signing and notarization workflow for rmmagent: - Core signing scripts (sign-macos.sh, notarize-macos.sh, build-pipeline-macos.sh) - App bundle creation with Info.plist template - Universal binary build script with optional signing integration - Development testing script template in scripts/templates-for-bin/ - Personal wrapper templates (gitignored in bin/) Key features: - Modular design: each script has single responsibility - Proper signing flow: build unsigned → create universal → sign all independently - Keychain profile for secure notarization credentials - Hardened Runtime and timestamping for long-term validity - Privilege separation (sudo for launchd, user for builds/signing) - Deploy path: /opt/tacticalagent/tacticalagent 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
- Replace single mesh binary download with tar.gz archive containing binary + .msh file - Extract archive and run: meshagent -install --copy-msh="1" --installPath=/opt/tacticalmesh - Remove macOS Ventura fix that renamed LaunchAgent plists (no longer needed) - Changes only affect macOS (darwin) platform; Windows unchanged Files changed: - agent/install.go: Download tar.gz, extract, install with --copy-msh flag - agent/svc.go: Remove FixVenturaMesh() auto-execution - main.go: Remove macventurafix CLI mode - Deleted: embed_darwin.go, embed_stub.go, macos_fix_mesh_install.sh 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Implement separate mesh binary + .msh installation for macOS tested and verified working. 2025.11.12
Removing deprecated macOS build pipeline scripts that are no longer needed. Files removed: - scripts/macos/Info.plist.template - scripts/macos/build-macos-universal.sh - scripts/macos/build-pipeline-macos.sh - scripts/macos/create-app-bundle.sh - scripts/macos/notarize-macos.sh - scripts/macos/sign-macos.sh - scripts/templates-for-bin/sign-and-notarize-rmmagent-template.sh 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
… agent Improves security and reliability of mesh agent installation by verifying checksums from SHA256SUMS file and dynamically discovering actual filenames instead of using hardcoded values. Also adds --no-embedded flag to mesh installation command and uses random extraction directories to prevent conflicts. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Replace single mesh binary download with tar.gz archive containing both mesh binary and .msh configuration file for macOS installations, with SHA256 verification for security.
This enables proper installation of a signed
meshagenton macOS using the--copy-mshflag instead of embedded configuration, preventing invalid code signatures and gatekeeper blocking.FixVenturaMesh()was removed, as it does not fix anything about the meshagent on macOS and actively breaks any fixes.Changes
Agent Installation (
agent/install.go)For macOS (darwin) only:
meshagentbinary andmeshagent.mshconfig filemeshagent -install --no-embedded="1" --copy-msh="1" --installPath=/opt/tacticalmeshWindows unchanged: Continues to use single binary download approach
Ventura Fix Removal
Removed the macOS Ventura workaround that renamed LaunchAgent plists, as it's no longer needed with proper .msh file usage:
agent/embed_darwin.go- Ventura fix implementationagent/embed_stub.go- Non-macOS stubagent/scripts/macos_fix_mesh_install.sh- Fix scriptmacventurafixCLI mode frommain.goFixVenturaMesh()call fromagent/svc.goService Cleanup (
agent/svc.go)Technical Details
Installation Flow:
trmm{random}.tar.gzto temp directorytrmm{random}_extracted_{random}/containingmeshagent{hash},meshagent{hash}.msh, andSHA256SUMSmeshagent{hash} -install --no-embedded="1" --copy-msh="1" --installPath=/opt/tacticalmeshSecurity Improvements:
Server-Side Changes Required:
This requires corresponding changes in the tacticalrmm server to deliver the tar.gz archive with SHA256SUMS. See: amidaware/tacticalrmm#2348
Files Changed
agent/install.go- Modified Darwin mesh installation logic with verification (+99 lines, -9 lines)agent/svc.go- Removed FixVenturaMesh() auto-execution (-4 lines)main.go- Removed macventurafix CLI mode (-2 lines)embed_darwin.go,embed_stub.go,macos_fix_mesh_install.sh(-143 lines)Net change: ~-60 lines (cleaner, more secure code)
Benefits
meshagent --copy-msh="1"install. The meshagent must not be named meshagent for--copy-msh="1"to succeed]Testing
Related PRs
🤖 Generated with Claude Code. Read, tested, and edited by a human — I promise.