fix(webui): verify mac bundled uv via codesign instead of a post-codesign SHA pin#1926
Conversation
|
Update: the pin-refresh approach is insufficient. This PR's own dmg-structural-smoke run produced the ORIGINAL digest ( |
The BUNDLED_UV_SHA256["mac-arm64"] pin captured a post-codesign digest, but electron-builder ad-hoc-signs the bundled uv on every CI build (no Developer ID cert configured), and ad-hoc codesign output depends on the codesign/Xcode toolchain baked into the GitHub-hosted macos-latest runner image. That image floats between macos-15-arm64 and macos-26-arm64, producing two different digests for byte-identical source — confirmed across dmg-structural-smoke runs on PRs #1861, #1886, and #1926. A fixed pin is therefore not deterministic on macOS: it fails roughly half of CI runs, and a shipped DMG whose signing output mismatches the baked-in pin would hard-fail ensureUv() on a user's first launch. Replace the fixed digest with `codesign --verify --strict` in both ensureUv() (runtime) and the dmg-structural-smoke helper (CI), matching the check to what's actually deterministic: the signature's structural validity, not its exact bytes. Ad-hoc signatures pass this check; tampered or corrupted binaries still fail it, preserving the fail-loud guarantee. linux-x64/win-x64 keep their existing SHA256 pins, which are genuinely deterministic there (no post-build re-signing).
a6f8b47 to
f70a493
Compare
|
Verdict: Approve ✅ This swaps the mac-arm64 bundled- One thing to be aware of (the author already flagged it in the description, not a blocker): on macOS the warm cache in Nothing here needs to block the merge. 🔍 Technical detailsCorrectness — verified, no blocking issues
🟢 Minor (nits, non-blocking)
Strengths
|
The "DMG structural smoke" check fails on roughly half of CI runs — including Dependabot PRs #1861 and #1886 — and, worse, any shipped DMG built on the "other" runner image would hard-fail
ensureUv()on a user's first launch. Root cause:BUNDLED_UV_SHA256["mac-arm64"]pins the POST-codesign digest of the bundled uv, but every CI build ad-hoc-signs it (identity=-), and ad-hoc codesign output differs by the Xcode/codesign toolchain in the floatingmacos-latestimage. Observed bimodal digests on byte-identical source:macos-26-arm64images →7ad94b65…,macos-15-arm64→6099aa8c…. No fixed pin can survive an image rollover.This replaces the mac pin with
codesign --verify --strictin bothensureUv()(runtime: bundled resource, install, and warm-cache paths) and the dmg-structural-smoke helper — deterministic across runner images, still fail-loud with the same actionableInstallErroron corruption or tampering. linux-x64 / win-x64 keep their SHA256 pins (deterministic there — no post-build re-signing). Supply-chain integrity for the mac binary remains enforced at build time by the existing upstream-tarball SHA256 verification in build-installers.yml.Reviewer tradeoff to weigh:
codesign --verifyproves the binary is intact and validly signed, but unlike the old pin it does not tie the warm-cached copy in~/.gaia/binto the exact shipped bytes (a local attacker able to replace the file could re-sign ad-hoc). If that matters, a follow-up could record the install-time digest and re-verify it on cache reuse (TOFU) — kept out of scope here to fix the release-breaking nondeterminism first.Test plan
--verify --strict; byte-flipped binary fails with "invalid signature" (scratch harness against the realensureUv()code path — first-install, warm-cache reuse, and tamper/fail-loud paths all verified)node --checkon all touched files;tests/electronjest suite 626/627 (the 1 failure is the pre-existing title assertion, fixed separately in fix(tests): match chat-app title assertion to renamed Agent UI title #1927)