Commit 70631ef

fix(ci): verify the app inside the dmg, not the removed standalone .app (#49)
The #48 verify gate failed every macOS build (finalize removes the standalone .app, keeping only dmg/pkg). Verify the codesigned app inside the dmg instead. Locally dry-run verified rc=0.
1 parent 314bfd8 commit 70631ef

1 file changed

Lines changed: 18 additions & 9 deletions

.github/workflows/build.yml

@@ -170,19 +170,28 @@ jobs:
170170
fi
171171
npm run ${{ matrix.tauri_script }}
172172
173-
- name: Verify macOS .app is codesigned
173+
- name: Verify macOS .app inside dmg is codesigned
174174
if: runner.os == 'macOS'
175175
shell: bash
176176
run: |
177-
# Fail early if the bundle came out unsigned — an unsigned .app is
178-
# exactly what shows "is damaged" on Sequoia with no way to open.
179-
# Mirrors codex-app-transfer release.yml's codesign sanity check.
180-
app="$(find src-tauri/target dist -type d -name 'codex_switch.app' -print -quit 2>/dev/null)"
181-
if [[ -z "$app" ]]; then
182-
echo "::error::no codex_switch.app found to verify"; exit 1
177+
# Verify the app INSIDE the dmg — the release finalize step
178+
# (macos:artifacts:finalize:release) removes the standalone .app and
179+
# keeps only the dmg/pkg, so that's what users actually download. An
180+
# unsigned/mismatched bundle is exactly what shows "is damaged" on
181+
# Sequoia. Mirrors codex-app-transfer's codesign sanity check.
182+
dmg="$(find src-tauri/target dist -name '*.dmg' -print -quit 2>/dev/null)"
183+
if [[ -z "$dmg" ]]; then echo "::error::no dmg found to verify"; exit 1; fi
184+
echo "verifying app inside: $dmg"
185+
hdiutil attach "$dmg" -nobrowse -mountpoint /tmp/verify-dmg
186+
app="$(find /tmp/verify-dmg -maxdepth 2 -name '*.app' -print -quit)"
187+
rc=1
188+
if [[ -n "$app" ]]; then
189+
codesign --verify --deep --strict --verbose=2 "$app"; rc=$?
190+
else
191+
echo "::error::no .app inside dmg"
183192
fi
184-
echo "verifying codesign on: $app"
185-
codesign --verify --deep --strict --verbose=2 "$app"
193+
hdiutil detach /tmp/verify-dmg >/dev/null 2>&1 || true
194+
[[ $rc -eq 0 ]] || { echo "::error::dmg app failed codesign verify"; exit 1; }
186195
187196
- name: Upload artifacts
188197
uses: actions/upload-artifact@v4
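
Review bot: In the new `if [[ -n "$app" ]]` branch, `codesign --verify --deep --strict --verbose=2 "$app"; rc=$?` only records a failure when the script is not running under errexit. GitHub's `shell: bash` runs the script with `-e`, so a failing codesign ends the step on that line, and neither `hdiutil detach /tmp/verify-dmg` nor the `::error::dmg app failed codesign verify` annotation runs. The job still fails, so the gate holds, but the cleanup and the message are unreachable on the failure path. Suggest capturing the status with `codesign --verify --deep --strict --verbose=2 "$app" || rc=$?` (start from `rc=0` and set `rc=1` in the `else` branch), and registering the detach with a `trap` on EXIT right after `hdiutil attach` so the image is unmounted on any exit. Separately, `find src-tauri/target dist -name '*.dmg' -print -quit` stops at the first match, so if a build emits more than one dmg the others go unverified, and the pkg that the comment says is also kept is not checked by this step.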
