Skip to content

feat: add managed Secure Enclave commit signing#3363

Draft
robbie-c wants to merge 7 commits into
mainfrom
posthog-code/secure-enclave-signing
Draft

feat: add managed Secure Enclave commit signing#3363
robbie-c wants to merge 7 commits into
mainfrom
posthog-code/secure-enclave-signing

Conversation

@robbie-c

@robbie-c robbie-c commented Jul 11, 2026

Copy link
Copy Markdown
Member

Summary

  • add an opt-in macOS Secure Enclave signing broker and bundled ssh-keygen compatibility wrapper
  • add Settings → Commit signing to enable managed signing, display the generated public key, copy it, and open GitHub's SSH key settings
  • persist enablement, configure future local Claude/Codex sessions, and cleanly restore the prior Git/SSH environment when disabled
  • sign the native helper with APPLE_CODESIGN_IDENTITY in local builds and show a development-only local code-signing prerequisite when entitlements are unavailable
  • document setup, behavior, security boundaries, and migration from Secretive

Security boundary

  • pass the broker control secret over stdin instead of process arguments
  • accept control requests only from the workspace-server parent process using the Unix peer PID
  • authorize SSH signing only for registered agent processes and their descendants
  • stop newly spawned agents until registration completes, resume them on success or failure, and revoke access after process exit
  • retain one random broker-lifetime SSH socket path to avoid concurrent-session environment races

Test plan

  • pnpm --filter @posthog/workspace-server exec vitest run src/services/signing-access/service.test.ts src/services/agent/agent.test.ts (36 tests)
  • pnpm --filter @posthog/workspace-server typecheck
  • pnpm --filter @posthog/code typecheck
  • native helper compilation with the production framework flags
  • pnpm --filter @posthog/code compile
  • node scripts/check-host-boundaries.mjs
  • pre-commit pnpm typecheck

QA

  • found and fixed an immediate-exit race that could register a PID after its revoke request
  • found and fixed a failed-SIGSTOP path that could authorize an unstopped process
  • verified both cases with focused regression tests

Local development

  • Secure Enclave key persistence requires configured Apple code signing; ad-hoc signatures fail with OSStatus -34018

Notes

  • add the displayed public key to GitHub twice: as an Authentication Key and a Signing Key
  • remote skills downloads emit non-fatal offline warnings during local Electron builds when GitHub cannot be resolved

Created with PostHog Code

Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
@trunk-io

trunk-io Bot commented Jul 11, 2026

Copy link
Copy Markdown

Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

React Doctor found no issues in the changed files. 🎉

Reviewed by React Doctor for commit f0da6b0.

robbie-c added 6 commits July 11, 2026 12:52
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Generated-By: PostHog Code
Task-Id: b42c6dcc-392e-4b43-9629-a51626b50bfa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant