@@ -37,6 +37,7 @@ ARTIFACT_NAMES=(
3737MACOS_IDENTITY=" Developer ID Application: DiffPlug LLC (LXW8WAGWYX)"
3838MACOS_TEAM_ID=" LXW8WAGWYX"
3939APPLE_ID=" edgar.twigg@gmail.com"
40+ MACOS_NODE_ENTITLEMENTS=" $REPO_ROOT /standalone/src-tauri/entitlements-macos-node.plist"
4041
4142# Windows Signing (jsign with PIV)
4243JSIGN_ALIAS=" AUTHENTICATION"
@@ -380,19 +381,30 @@ sign_macos_app() {
380381 security find-identity -v -p codesigning | grep -q " $MACOS_IDENTITY " \
381382 || error " Signing identity not found: $MACOS_IDENTITY "
382383
383- # Sign all nested binaries first (node-pty prebuilds, etc.)
384+ # Sign all nested binaries first (node sidecar, node -pty prebuilds, etc.)
384385 # --deep doesn't reliably reach into Resources subdirectories
385386 log " Signing nested binaries..."
386- find " $app_path " \( -name " *.node" -o -name " *.dylib" -o -name " spawn-helper" \) -type f | while read -r binary; do
387+ [[ -f " $MACOS_NODE_ENTITLEMENTS " ]] || error " Node entitlements not found: $MACOS_NODE_ENTITLEMENTS "
388+
389+ find " $app_path /Contents/MacOS" " $app_path /Contents/Resources" -type f \
390+ \( -perm -111 -o -name " *.node" -o -name " *.dylib" -o -name " spawn-helper" \) | while read -r binary; do
387391 log " Signing: ${binary# " $app_path /" } "
392+
393+ local entitlements_args=()
394+ if [[ " $binary " == " $app_path /Contents/MacOS/node" ]]; then
395+ entitlements_args=(--entitlements " $MACOS_NODE_ENTITLEMENTS " )
396+ fi
397+
388398 codesign --force --sign " $MACOS_IDENTITY " \
389399 --options runtime \
400+ " ${entitlements_args[@]} " \
390401 --timestamp \
391402 " $binary "
392403 done
393404
394- # Sign the outer .app bundle
395- codesign --force --deep --sign " $MACOS_IDENTITY " \
405+ # Sign the outer .app bundle after nested code. Do not use --deep here:
406+ # it would re-sign the Node sidecar and drop the entitlements it needs to run.
407+ codesign --force --sign " $MACOS_IDENTITY " \
396408 --options runtime \
397409 --timestamp \
398410 " $app_path "
@@ -401,6 +413,23 @@ sign_macos_app() {
401413 codesign --verify --deep --strict --verbose=2 " $app_path " \
402414 || error " Signature verification failed for $app_path "
403415
416+ local node_sidecar=" $app_path /Contents/MacOS/node"
417+ local sidecar_dir=" "
418+ for candidate in " $app_path /Contents/Resources/_up_/sidecar" " $app_path /Contents/Resources/sidecar" ; do
419+ if [[ -d " $candidate " ]]; then
420+ sidecar_dir=" $candidate "
421+ break
422+ fi
423+ done
424+
425+ [[ -x " $node_sidecar " ]] || error " Node sidecar missing or not executable: $node_sidecar "
426+ [[ -n " $sidecar_dir " ]] || error " Sidecar resources not found in $app_path "
427+
428+ " $node_sidecar " -p " process.version" > /dev/null \
429+ || error " Signed Node sidecar failed to launch"
430+ (cd " $sidecar_dir " && " $node_sidecar " -e " require('node-pty')" ) \
431+ || error " Signed Node sidecar failed to load node-pty"
432+
404433 log " macOS signing complete ($arch_label )"
405434}
406435