Make Fulcio verification step non-fatal in codesign script

danielbodart · claude · danielbodart · commit adc0f711eeb3 · 2026-03-29T23:19:04.000+01:00
codesign -dvvv exits non-zero for Fulcio-signed binaries because the
Sigstore CA is not in Apple's trust store. This is expected and doesn't
affect TCC — add || true so set -e doesn't abort the CI pipeline.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/fulcio-codesign.sh b/scripts/fulcio-codesign.sh
@@ -346,7 +346,11 @@ security list-keychains -d user -s $ORIGINAL_KEYCHAINS
 
 echo ""
 echo "=== Verification ==="
-codesign -dvvv "$BINARY" 2>&1 | head -20
+# codesign -dvvv may return a non-zero exit for Fulcio-signed binaries
+# because the Sigstore CA is not in Apple's trust store. This is expected
+# and does not affect functionality — TCC reads the signing identity from
+# the CMS blob regardless of chain trust.
+codesign -dvvv "$BINARY" 2>&1 | head -20 || true
 echo ""
 echo "Entitlements:"
 codesign -d --entitlements - "$BINARY" 2>&1
