Update workflows for macOS 27.0#62
Merged
Merged
Conversation
On macOS 27 Golden Gate beta, the current ARM64 DMG can be copied locally but LaunchServices/codesign treats the app bundle as malformed because `Contents/Info.plist` does not declare the executable in `Contents/MacOS/libresprite`. Adding the key matches the actual bundle layout and lets the app be re-signed and launched normally. Adapted from LibreSprite#627 Closes #61
Member
Author
|
Ends in CODESIGN error when signed with GitHub workflow (possibly missing some essential updates to the |
- Removed `--timestamp` from all `codesign` calls — it's only valid for Developer ID signing, not ad-hoc (`-s -`); pairing them can produce a signature that dyld on macOS 27 rejects at page validation - Split dylib signing from executable signing — dylibs now get `codesign--force -s -` (no hardened runtime flags); the main executable and app bundle keep `--options=runtime` with the entitlements - Fixed `-neq` → `-ne` in the workflow's error check The `CS_RUNTIME` flag (set by `--options=runtime`) opts the process into the hardened runtime, which makes macOS 27's code signing monitor (`codeSigningMonitor: 2`) enforce kernel-level page hash validation on every loaded dylib. Ad-hoc signatures generated by GitHub's macOS 14/15 runners don't satisfy this validation on macOS 27. - Removed `--options=runtime` and the entitlements file entirely from all signing steps in both cmakeMacOs.yml and package_macos.sh. Without `CS_RUNTIME`, library validation is not kernel-enforced, so dylibs load freely regardless of their signature state. This also unblocks V8's JIT compiler as a side effect. Co-authored-by: Claude <noreply@anthropic.com>
Nidrax
force-pushed
the
claude/macos-golden-gate-workflow-update
branch
from
4da989a to
d751982
Compare
Member
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On macOS 27 Golden Gate beta, the current ARM64 DMG can be copied locally but LaunchServices/codesign treats the app bundle as malformed because
Contents/Info.plistdoes not declare the executable inContents/MacOS/libresprite. Adding the key matches the actual bundle layout and lets the app be re-signed and launched normally.Adapted from LibreSprite#627
Closes #61