chore: dump to version v1.0.22

Author: moonrailgun

branding/mac/dao.entitlements

@@ -44,15 +44,19 @@
     <true/>
 
     <!-- Touch ID / platform authenticator (WebAuthn passkeys). The Chromium
-         Touch ID context stores credentials in a keychain access group derived
-         at runtime as <TeamID>.<CFBundleIdentifier>.webauthn; without this
-         entitlement it logs "Touch ID authenticator unavailable" on every
-         WebAuthn capability probe and falls back to other authenticators.
-         codesign substitutes $(AppIdentifierPrefix) -> "<TeamID>." and
-         $(CFBundleIdentifier) from the bundle's Info.plist at sign time, so
-         this works for both release (com.msgbyte.dao) and debug-suffixed
-         (com.msgbyte.dao.debug) builds with a real Developer ID signature. -->
-    <key>keychain-access-group</key>
+         Touch ID context stores credentials in a keychain access group of the
+         form <TeamID>.<CFBundleIdentifier>.webauthn; without this entitlement
+         it logs "Touch ID authenticator unavailable" on every WebAuthn
+         capability probe and falls back to other authenticators.
+         The values below use Xcode-style placeholders for AppIdentifierPrefix
+         and CFBundleIdentifier. macOS codesign does NOT expand them;
+         package.ts renders this template into a tmp file (substituting the
+         real Team ID and the debug-vs-release bundle id) before passing it
+         to `codesign --entitlements`. Leaving an unexpanded placeholder in
+         the signed entitlements makes taskgated reject the signature with
+         "Code Signature Invalid" at launch — package.ts has a self-check
+         that fails the build if any placeholder slips through. -->
+    <key>keychain-access-groups</key>
     <array>
         <string>$(AppIdentifierPrefix)$(CFBundleIdentifier).webauthn</string>
     </array>

dao.json

@@ -4,7 +4,7 @@
   "version": {
     "product": "chromium",
     "version": "147.0.7727.135",
-    "display": "1.0.21"
+    "display": "1.0.22"
   },
   "build": {
     "target_os": "mac",

scripts/commands/package.ts

@@ -12,6 +12,8 @@ import {
   openSync,
   readSync,
   closeSync,
+  readFileSync,
+  writeFileSync,
 } from "node:fs";
 import os from "node:os";
 import path from "node:path";
@@ -382,18 +384,116 @@ function signAppBundle(appBundle: string, identity: string): void {
 
   log(`Signing ${path.basename(appBundle)} with identity: ${identity}`);
 
-  const items = collectSignables(appBundle);
-  // Sort by depth descending so children sign before parents.
-  items.sort((a, b) => depth(b) - depth(a));
+  // codesign does not expand $(AppIdentifierPrefix) / $(CFBundleIdentifier)
+  // — those are Xcode build-phase substitutions. Render the templates here
+  // so the signed entitlements contain fully-qualified literals; an
+  // unexpanded placeholder would make taskgated reject the signature with
+  // "Code Signature Invalid" at launch.
+  const teamId = extractTeamId(identity);
+  const bundleId = readBundleIdentifier(appBundle);
+  const renderDir = mkdtempSync(path.join(os.tmpdir(), "dao-entitlements-"));
+  const mainRendered = renderEntitlements(
+    ENTITLEMENTS,
+    renderDir,
+    "dao.entitlements",
+    teamId,
+    bundleId
+  );
+  const helperRendered = renderEntitlements(
+    HELPER_ENTITLEMENTS,
+    renderDir,
+    "dao_helper.entitlements",
+    teamId,
+    bundleId
+  );
 
-  for (const item of items) {
-    const ent = isAppBundle(item) ? HELPER_ENTITLEMENTS : null;
-    signOne(item, identity, ent);
+  try {
+    const items = collectSignables(appBundle);
+    // Sort by depth descending so children sign before parents.
+    items.sort((a, b) => depth(b) - depth(a));
+
+    for (const item of items) {
+      const ent = isAppBundle(item) ? helperRendered : null;
+      signOne(item, identity, ent);
+    }
+
+    // Outer app last.
+    signOne(appBundle, identity, mainRendered);
+    success("App bundle signed");
+  } finally {
+    rmSync(renderDir, { recursive: true, force: true });
   }
+}
 
-  // Outer app last.
-  signOne(appBundle, identity, ENTITLEMENTS);
-  success("App bundle signed");
+// Pull the 10-char Team ID out of "Developer ID Application: Foo Bar (TEAMID1234)".
+function extractTeamId(identity: string): string {
+  const m = identity.match(/\(([A-Z0-9]{10})\)\s*$/);
+  if (!m) {
+    error(
+      `Could not extract Team ID from DAO_SIGN_IDENTITY: "${identity}".\n` +
+        '  Expected format: "Developer ID Application: <Name> (TEAMID1234)"'
+    );
+    process.exit(1);
+  }
+  return m[1];
+}
+
+function readBundleIdentifier(appBundle: string): string {
+  const infoPlist = path.join(appBundle, "Contents", "Info.plist");
+  if (!existsSync(infoPlist)) {
+    error(`Info.plist not found inside app bundle: ${infoPlist}`);
+    process.exit(1);
+  }
+  // `defaults read` strips the .plist suffix and prints the raw value.
+  const out = run(
+    `defaults read "${infoPlist.replace(/\.plist$/, "")}" CFBundleIdentifier`,
+    { silent: true }
+  ).trim();
+  if (!out) {
+    error(`CFBundleIdentifier is empty in ${infoPlist}`);
+    process.exit(1);
+  }
+  return out;
+}
+
+// Render an entitlements template by substituting Xcode-style placeholders,
+// then assert no `$(...)` remain. Any survivor would be silently signed into
+// the binary and rejected at launch by taskgated.
+//
+// Also strips XML comments before writing: codesign's AMFI parser is stricter
+// than plutil and rejects some perfectly valid UTF-8 inside <!-- ... -->
+// (em dashes, backticks, etc.) with "AMFIUnserializeXML: syntax error".
+// Comments are only useful for humans reading the source template anyway —
+// no need to ship them into the signature.
+function renderEntitlements(
+  templatePath: string,
+  outDir: string,
+  outName: string,
+  teamId: string,
+  bundleId: string
+): string {
+  const src = readFileSync(templatePath, "utf8");
+  const stripped = src.replace(/<!--[\s\S]*?-->/g, "");
+  const rendered = stripped
+    // $(AppIdentifierPrefix) expands to "<TeamID>." (trailing dot — that's
+    // how Xcode's expansion works, since downstream values concatenate
+    // "$(AppIdentifierPrefix)$(CFBundleIdentifier)" without a separator).
+    .replace(/\$\(AppIdentifierPrefix\)/g, `${teamId}.`)
+    .replace(/\$\(CFBundleIdentifier\)/g, bundleId);
+
+  const leftover = rendered.match(/\$\([^)]+\)/);
+  if (leftover) {
+    error(
+      `Unexpanded placeholder ${leftover[0]} in ${path.basename(templatePath)}.\n` +
+        "  Add it to renderEntitlements() in scripts/commands/package.ts,\n" +
+        "  or replace it with a literal value in the entitlements file."
+    );
+    process.exit(1);
+  }
+
+  const outPath = path.join(outDir, outName);
+  writeFileSync(outPath, rendered);
+  return outPath;
 }
 
 function collectSignables(root: string): string[] {
@@ -510,6 +610,23 @@ function verifyCodesign(appBundle: string): void {
   run(`codesign --verify --strict --deep --verbose=2 "${appBundle}"`, {
     silent: false,
   });
+  // Last-line-of-defence: inspect the entitlements that actually got signed
+  // into the bundle. Any `$(...)` survivor here means a placeholder slipped
+  // past renderEntitlements, and taskgated will SIGKILL the app at launch
+  // with "Code Signature Invalid".
+  const embedded = run(
+    `codesign -d --entitlements - --xml "${appBundle}"`,
+    { silent: true }
+  );
+  const leftover = embedded.match(/\$\([^)]+\)/);
+  if (leftover) {
+    error(
+      `Signed entitlements still contain unexpanded ${leftover[0]}.\n` +
+        "  This will cause taskgated to reject the signature at launch.\n" +
+        "  Fix: handle the placeholder in renderEntitlements()."
+    );
+    process.exit(1);
+  }
   success("Signature verified");
 }
 

scripts/commands/release.ts

@@ -26,6 +26,10 @@ interface ReleaseOptions {
   skipUpload?: boolean;
   skipBuild?: boolean;
   skipBump?: boolean;
+  // Default true. Set to false via --no-force-import to call
+  // `cli.ts import` without --force, e.g. when iterating on a release
+  // failure and you've already reset engine/src yourself.
+  forceImport?: boolean;
   // Resume from staple: dmg has already been notarized externally
   // (e.g. you ran `xcrun stapler staple dist/...dmg` yourself), and
   // we just need to finish appcast + copy + upload.
@@ -69,6 +73,12 @@ export const releaseCommand = new Command("release")
   .option("-p, --prefix <prefix>", "R2 key prefix for the .dmg", "")
   .option("--skip-upload", "Skip the R2 upload step (still produces artifacts)")
   .option("--skip-build", "Skip import + build (use existing dist/ artifact)")
+  .option(
+    "--no-force-import",
+    "Run `cli.ts import` without --force (default: forced). " +
+      "Use this when engine/src is already in a known-good state and you " +
+      "don't want the import step to reset local edits."
+  )
   .option(
     "--skip-bump",
     "Use the version already in dao.json instead of bumping " +
@@ -280,11 +290,14 @@ export const releaseCommand = new Command("release")
     // ------------------------------------------------------------------
     const skipBuildPhase = opts.skipBuild || opts.resumeFromStaple;
     if (!skipBuildPhase) {
+      const forceImport = opts.forceImport !== false;
+      const importArgs = ["tsx", "scripts/cli.ts", "import"];
+      if (forceImport) importArgs.push("--force");
       await runStep(
         opts.dryRun,
-        "Importing patches (force)",
+        forceImport ? "Importing patches (force)" : "Importing patches",
         "npx",
-        ["tsx", "scripts/cli.ts", "import", "--force"]
+        importArgs
       );
 
       await runStep(opts.dryRun, "Building (release)", "npx", [

website/public/appcast.xml

@@ -54,6 +54,30 @@
         type="application/octet-stream" />
     </item>
     -->
+        <item>
+            <title>1.0.22.0</title>
+            <pubDate>Sun, 24 May 2026 18:04:37 +0800</pubDate>
+            <sparkle:version>22.0</sparkle:version>
+            <sparkle:shortVersionString>1.0.22.0</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>12.0</sparkle:minimumSystemVersion>
+            <enclosure url="https://dao-release.msgbyte.com/dao-browser-1.0.22-mac-arm64.dmg" length="153929567" type="application/octet-stream" sparkle:edSignature="vcpeDS9KEI3m6vDXiVv7pZABiZ+NhUG9IujhwJocEs5BW7TW8CMu9a3fZWlefuDG96j5TdohHQmc95vJNz9UCw=="/>
+            <sparkle:deltas>
+                <enclosure url="https://dao-release.msgbyte.com/Dao22.0-21.0.delta" sparkle:deltaFrom="21.0" length="66490" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="HnoxxaFeMP8K7clBagGWV+YcYyXqHjQxoEXpvN0j7bU1+OWHcWWQBQFL8YvenJwEu53i1ETxQ4OP5xecUv65DA=="/>
+                <enclosure url="https://dao-release.msgbyte.com/Dao22.0-20.0.delta" sparkle:deltaFrom="20.0" length="2731798" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="3hPRcyyZBPL0UPzWtdDgotpmMMeLFCnP844NffLGNn9babkzg5ZuM893WCXU8iGGnsHLQRF90TtEq5h+A0+uBg=="/>
+                <enclosure url="https://dao-release.msgbyte.com/Dao22.0-19.0.delta" sparkle:deltaFrom="19.0" length="7300194" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="YFcyfa5i8XMw5UWqWuY9lmaJf7eCAe01UYGhpXzsRkjQA8RtCiildC4u/1BkwLrpwY+a8M0o1RxuiZqXNJL9CQ=="/>
+                <enclosure url="https://dao-release.msgbyte.com/Dao22.0-17.0.delta" sparkle:deltaFrom="17.0" length="7298986" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="Ce5hTEFrVWINdPSVMxe7owVC69NaNExcwrL1RK97dgzcfTEQD0BhFSxKlu9sVljiOjUkS5GzLrlfe70rYkvMAQ=="/>
+                <enclosure url="https://dao-release.msgbyte.com/Dao22.0-16.0.delta" sparkle:deltaFrom="16.0" length="7581166" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="047uNWAZ2kFqyhorZNEWl5VJser03vnPGEXAVqzquM/Cd9JIFsRAkq6VwF0NdIYDWlIOQzC7QYZIeGV6trjLAg=="/>
+            </sparkle:deltas>
+            <dao:gitCommit>55383d1d020efb05836a8d0622487d0a8ca3f8bc</dao:gitCommit>
+        </item>
+        <item>
+            <title>1.0.21.0</title>
+            <pubDate>Sat, 23 May 2026 10:46:05 +0800</pubDate>
+            <sparkle:version>21.0</sparkle:version>
+            <sparkle:shortVersionString>1.0.21.0</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>12.0</sparkle:minimumSystemVersion>
+            <enclosure url="https://dao-release.msgbyte.com/dao-browser-1.0.21-mac-arm64.dmg" length="153930494" type="application/octet-stream" sparkle:edSignature="dQppEhrj/nb9wtrGXkS5ABFpLeG+nUKTqeouc/Jb6LTRhmyJFpAR/UfedEWLEiB1OMFX/S1uJaGh4qy8UZ3dAQ=="/>
+        </item>
         <item>
             <title>1.0.20.0</title>
             <pubDate>Fri, 22 May 2026 04:27:46 +0800</pubDate>
@@ -70,21 +94,5 @@
             </sparkle:deltas>
             <dao:gitCommit>3a0e6fa5ed3c5cf4015a77d0f00436ef0b26875a</dao:gitCommit>
         </item>
-        <item>
-            <title>1.0.19.0</title>
-            <pubDate>Thu, 21 May 2026 03:07:32 +0800</pubDate>
-            <sparkle:version>19.0</sparkle:version>
-            <sparkle:shortVersionString>1.0.19.0</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>12.0</sparkle:minimumSystemVersion>
-            <enclosure url="https://dao-release.msgbyte.com/dao-browser-1.0.19-mac-arm64.dmg" length="154004609" type="application/octet-stream" sparkle:edSignature="rgw8FR84MmDe305sFRqnkY6zAVi927Au667Gp8StfygzwUT4cDsxKM1k4Tq1WfzXB13x915ngP+HvUqbkE6pCw=="/>
-            <sparkle:deltas>
-                <enclosure url="https://dao-release.msgbyte.com/Dao19.0-17.0.delta" sparkle:deltaFrom="17.0" length="2820974" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="6cmzta4v8pm5ZbJ23IT6IZI5MRj/gImBMU9awhep1x12rYD2O/jSc4VMizK84GTutAHZplJdOdMlA5wuGNtzCQ=="/>
-                <enclosure url="https://dao-release.msgbyte.com/Dao19.0-16.0.delta" sparkle:deltaFrom="16.0" length="6413758" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="ZHlgm1tF2Os/4LMZHFZ8Y8jvu3tDBqvmnrtI8xWZcagKQfej+5qhmsj4hs+VmPgnpiQ8d1iOpIOB9nkaS7dXDg=="/>
-                <enclosure url="https://dao-release.msgbyte.com/Dao19.0-15.0.delta" sparkle:deltaFrom="15.0" length="6746018" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="Lm7E+6MTD2aDIpPyUjYKtrY27Iv6EwFvtXUASgA668LANTC5t+UQebpGCAeY+PLrfn+M/9u+w1SemczBg3l/DQ=="/>
-                <enclosure url="https://dao-release.msgbyte.com/Dao19.0-14.0.delta" sparkle:deltaFrom="14.0" length="6897794" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="zmX6IQ0MIbrHMpJiRQuwlkgmC2BTZy0EZ/3S5WO6f/f7wJDAWRWaGdHUTC5wkNmHvJjYkM90juOumscbl48gDQ=="/>
-                <enclosure url="https://dao-release.msgbyte.com/Dao19.0-13.0.delta" sparkle:deltaFrom="13.0" length="6955546" type="application/octet-stream" sparkle:deltaFromSparkleExecutableSize="862416" sparkle:deltaFromSparkleLocales="de,he,ar,el,ja,fa,en" sparkle:edSignature="vKX5jtqh8ElNgGboSclY5kIi0WFsRs5tW0HOCuNUGeD1j9QVbTam2h1JEKwM2XY8bJEKwi6JpFIuick2uVKGCA=="/>
-            </sparkle:deltas>
-            <dao:gitCommit>613286101c73e8d3a6618631f6d61d7f18aaf748</dao:gitCommit>
-        </item>
     </channel>
 </rss>

website/public/info.json

@@ -1,12 +1,12 @@
 {
   "$schema": "Update this file to publish a new release. The /download route reads this at runtime and redirects to the platform-specific URL. Static-export-friendly (no server needed).",
-  "version": "1.0.20",
+  "version": "1.0.22",
   "chromiumVersion": "147.0.7727.135",
-  "releasedAt": "2026-05-23",
+  "releasedAt": "2026-05-24",
   "platforms": {
     "macArm64": {
       "label": "macOS (Apple Silicon)",
-      "url": "https://dao-release.msgbyte.com/dao-browser-1.0.20-mac-arm64.dmg"
+      "url": "https://dao-release.msgbyte.com/dao-browser-1.0.22-mac-arm64.dmg"
     }
   },
   "default": "macArm64"