fix: codesign darwin binaries and smoke-test on CI#68
Conversation
Build jobs now execute the produced binary with --version as a post-build step. This surfaces launch-time failures (such as a missing ad-hoc signature on darwin-arm64, which causes the kernel to SIGKILL the process) before they reach users. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
macOS 15 (the current GitHub Actions runner) still launches unsigned arm64 binaries, but macOS 26 (Tahoe) kills them with SIGKILL — so a plain --version smoke test won't catch the missing signature on CI even though it breaks every user on a current macOS. codesign --verify fails deterministically on any unsigned Mach-O regardless of the runner's enforcement posture, so the regression surfaces before shipping. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Use -vvv so the build log shows exactly what's wrong with the signature on failure, not just a non-zero exit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
bun 1.3.12 regressed the linker-embedded ad-hoc signature that 1.3.11 produced for 'bun build --compile' output on darwin. macOS 26 (Tahoe) refuses to launch unsigned arm64 binaries (SIGKILL on exec), so v1.3.0 shipped broken for every user on current macOS. Explicitly ad-hoc sign the darwin binaries with 'codesign --sign -' instead of depending on the toolchain, then verify with 'codesign --verify --strict' so a future regression fails the build. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bun 1.3.12 leaves signature bytes in the Mach-O that codesign cannot parse, so 'codesign --sign - --force' fails with 'invalid or unsupported format for signature'. Run --remove-signature first to clear the stub, then sign from scratch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 2171b14. Configure here.
| if: startsWith(matrix.target, 'darwin-') | ||
| run: | | ||
| codesign --remove-signature ./dist/mux-${{ matrix.target }} | ||
| codesign --sign - ./dist/mux-${{ matrix.target }} |
There was a problem hiding this comment.
Buggy --remove-signature used instead of documented --force
High Severity
The PR description states it "adds explicit codesign --sign - --force" but the implementation instead uses a two-step codesign --remove-signature followed by codesign --sign - (without --force). The --remove-signature flag is an undocumented macOS feature known to be buggy — it can corrupt binaries or fail randomly. The standard practice is a single codesign --sign - --force call, which atomically replaces any existing signature. Since this runs on release artifacts, a corrupted binary would ship broken builds to users.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 2171b14. Configure here.
There was a problem hiding this comment.
Cursor, I don't think you're right about this -- we first tried --force in this commit c914d6f
And that did not work
If anything, --force seems to be problematic -- at least for older versions of macos:
--remove-signature is documented. It's in the manual in man codesign. It also seems to be the preferred path instead of --force
We prove in the CI on this branch that signing works, we can verify the signing worked, and we can run the binary. The other path you suggest we tried, and CI failed.
So I think we have the best solution.
1 participant
Summary
bun build --compileon darwin-arm64 (1.3.11 producedadhoc,linker-signedMach-O; 1.3.12 produces no signature at all),This PR
codesign --signfor darwin targets so we don't depend on toolchain-implicit signing (follow-up commit, pushed after the first CI run)Test plan
Build (darwin-arm64)smoke-test step on the first commit🤖 Generated with Claude Code
Note
Low Risk
Workflow-only changes that affect build/release validation; main risk is CI/release failures if signing commands or runner environments behave differently across macOS targets.
Overview
Adds explicit ad-hoc codesigning for
darwin-*build outputs in bothci.ymlandrelease.ymlby stripping any existing signature and re-signing viacodesign --sign -.Adds a smoke test step to run
./dist/mux-<target> --versionfor every built target, and verifies macOS artifacts are properly codesigned withcodesign --verify --strictbefore uploading/releasing.Reviewed by Cursor Bugbot for commit 2171b14. Bugbot is set up for automated code reviews on this repo. Configure here.