fix(macos): resolve service installation issues and add Go binary signing

**Problem 1: Inconsistent developer names in Background Activity**
- Electron app signed as "Yaroslav Podieiapolskii"
- Go binaries (px, px-service) were unsigned
- Caused macOS to show different developer names in system dialogs

**Solution 1: Add Go binary code signing**
- Added "Sign Go Binaries" step in macOS workflow after Go builds
- Uses same CODESIGN_IDENTITY from GitHub secrets
- Signs both px and px-service with runtime hardening + timestamp
- Applies same entitlements as Electron app
- Now all binaries show consistent developer identity

**Problem 2: Conflicting success/error messages during installation**
- Electron invoked osascript with admin privileges
- Go code internally invoked osascript again (double elevation)
- Caused timeout/conflict but service still installed
- UI showed contradictory notifications

**Solution 2: Smart privilege detection in installer_darwin.go**
- Check if already running as root (os.Geteuid() == 0)
- If root: execute commands directly (cp, chmod, launchctl)
- If not root: use osascript for privilege elevation
- Applies to install/uninstall/start/stop functions
- Eliminates double osascript calls when launched via Electron

**Technical changes:**
- .github/workflows/release.yml: Added codesign step after Go builds
- src-service/installer_darwin.go: Added isRoot checks in all service functions

This resolves both the developer identity inconsistency and the
installation notification issues on macOS.

https://claude.ai/code/session_01U9NtT9hmX68VAbYp5x2Pi1

Author: claude

.github/workflows/release.yml

@@ -346,6 +346,32 @@ jobs:
           go mod download
           go build -ldflags "-s -w" -o px-service .
 
+      - name: Sign Go Binaries
+        run: |
+          echo "Signing Go binaries with identity: $CODESIGN_IDENTITY"
+
+          # Sign px binary
+          codesign --force \
+            --sign "$CODESIGN_IDENTITY" \
+            --options runtime \
+            --timestamp \
+            --entitlements build/entitlements.mac.plist \
+            src-go/px
+
+          # Sign px-service binary
+          codesign --force \
+            --sign "$CODESIGN_IDENTITY" \
+            --options runtime \
+            --timestamp \
+            --entitlements build/entitlements.mac.plist \
+            src-service/px-service
+
+          # Verify signatures
+          codesign --verify --verbose src-go/px
+          codesign --verify --verbose src-service/px-service
+
+          echo "Go binaries signed successfully"
+
       - name: Sync VERSION to package.json
         run: node build/sync-version.js
 

src-service/installer_darwin.go

@@ -100,13 +100,29 @@ func installServiceDarwin() error {
 
 	fmt.Printf("Created temporary plist file: %s\n", tmpPath)
 
-	// Копируем файл с привилегиями администратора
-	installScript := fmt.Sprintf("cp '%s' '%s' && chmod 644 '%s' && launchctl load '%s'",
-		tmpPath, plistPath, plistPath, plistPath)
+	// Проверяем запущены ли мы уже с правами root (через Electron osascript)
+	isRoot := os.Geteuid() == 0
 
-	fmt.Println("Requesting administrator privileges...")
-	if err := executeWithPrivilege(installScript); err != nil {
-		return fmt.Errorf("failed to install service: %w", err)
+	if isRoot {
+		// Уже root - выполняем команды напрямую
+		if err := exec.Command("cp", tmpPath, plistPath).Run(); err != nil {
+			return fmt.Errorf("failed to copy plist: %w", err)
+		}
+		if err := exec.Command("chmod", "644", plistPath).Run(); err != nil {
+			return fmt.Errorf("failed to chmod plist: %w", err)
+		}
+		if err := exec.Command("launchctl", "load", plistPath).Run(); err != nil {
+			return fmt.Errorf("failed to load service: %w", err)
+		}
+	} else {
+		// Не root - используем osascript для запроса прав
+		installScript := fmt.Sprintf("cp '%s' '%s' && chmod 644 '%s' && launchctl load '%s'",
+			tmpPath, plistPath, plistPath, plistPath)
+
+		fmt.Println("Requesting administrator privileges...")
+		if err := executeWithPrivilege(installScript); err != nil {
+			return fmt.Errorf("failed to install service: %w", err)
+		}
 	}
 
 	fmt.Printf("Installed and loaded service: %s\n", plistPath)
@@ -116,14 +132,26 @@ func installServiceDarwin() error {
 
 // uninstallServiceDarwin удаляет сервис на macOS
 func uninstallServiceDarwin() error {
-	fmt.Println("Requesting administrator privileges...")
+	isRoot := os.Geteuid() == 0
 
-	// Останавливаем и выгружаем сервис, затем удаляем plist файл
-	uninstallScript := fmt.Sprintf("launchctl unload '%s' 2>/dev/null || true && rm -f '%s'",
-		plistPath, plistPath)
+	if isRoot {
+		// Уже root - выполняем команды напрямую
+		// Останавливаем сервис (игнорируем ошибки)
+		exec.Command("launchctl", "unload", plistPath).Run()
 
-	if err := executeWithPrivilege(uninstallScript); err != nil {
-		return fmt.Errorf("failed to uninstall service: %w", err)
+		// Удаляем plist файл
+		if err := os.Remove(plistPath); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("failed to remove plist: %w", err)
+		}
+	} else {
+		// Не root - используем osascript
+		fmt.Println("Requesting administrator privileges...")
+		uninstallScript := fmt.Sprintf("launchctl unload '%s' 2>/dev/null || true && rm -f '%s'",
+			plistPath, plistPath)
+
+		if err := executeWithPrivilege(uninstallScript); err != nil {
+			return fmt.Errorf("failed to uninstall service: %w", err)
+		}
 	}
 
 	fmt.Printf("Uninstalled service: %s\n", plistPath)
@@ -133,25 +161,43 @@ func uninstallServiceDarwin() error {
 
 // startServiceDarwin запускает сервис на macOS
 func startServiceDarwin() error {
-	fmt.Println("Requesting administrator privileges...")
+	isRoot := os.Geteuid() == 0
 
-	startScript := fmt.Sprintf("launchctl load '%s'", plistPath)
+	if isRoot {
+		// Уже root - выполняем команду напрямую
+		if err := exec.Command("launchctl", "load", plistPath).Run(); err != nil {
+			return fmt.Errorf("failed to start service: %w", err)
+		}
+	} else {
+		// Не root - используем osascript
+		fmt.Println("Requesting administrator privileges...")
+		startScript := fmt.Sprintf("launchctl load '%s'", plistPath)
 
-	if err := executeWithPrivilege(startScript); err != nil {
-		return fmt.Errorf("failed to start service: %w", err)
+		if err := executeWithPrivilege(startScript); err != nil {
+			return fmt.Errorf("failed to start service: %w", err)
+		}
 	}
 
 	return nil
 }
 
 // stopServiceDarwin останавливает сервис на macOS
 func stopServiceDarwin() error {
-	fmt.Println("Requesting administrator privileges...")
+	isRoot := os.Geteuid() == 0
 
-	stopScript := fmt.Sprintf("launchctl unload '%s'", plistPath)
+	if isRoot {
+		// Уже root - выполняем команду напрямую
+		if err := exec.Command("launchctl", "unload", plistPath).Run(); err != nil {
+			return fmt.Errorf("failed to stop service: %w", err)
+		}
+	} else {
+		// Не root - используем osascript
+		fmt.Println("Requesting administrator privileges...")
+		stopScript := fmt.Sprintf("launchctl unload '%s'", plistPath)
 
-	if err := executeWithPrivilege(stopScript); err != nil {
-		return fmt.Errorf("failed to stop service: %w", err)
+		if err := executeWithPrivilege(stopScript); err != nil {
+			return fmt.Errorf("failed to stop service: %w", err)
+		}
 	}
 
 	return nil