@ammario ammario commented Oct 7, 2025

Problem

The previous code signing attempts failed with:

security: SecKeychainItemImport: Unknown format in import.

Root Cause

The MACOS_CERTIFICATE secret contains 54 newlines (formatted at ~76 chars/line). When using the base64: prefix, electron-builder's internal base64 decoder couldn't handle the newlines properly.

Solution

Instead of relying on electron-builder's base64 decoder, we:

  1. Decode the certificate ourselves using base64 --decode (which handles newlines correctly)
  2. Write it to a temporary file
  3. Pass the file path to electron-builder via CSC_LINK

This approach:

  • ✅ Handles newlines in the base64 string correctly
  • ✅ Avoids electron-builder's internal decoder issues
  • ✅ Only sets CSC_LINK when the secret is available (graceful fallback for unsigned builds)

Testing

Successfully tested on the debug-cert-format branch with CSC_FOR_PULL_REQUEST=true:

• signing  file=release/mac/Cmux.app identity=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
• signing  file=release/mac-arm64/Cmux.app identity=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC

Both x64 and arm64 builds were successfully signed.

Generated with cmux

The MACOS_CERTIFICATE secret contains newlines which caused
electron-builder's internal base64 decoder to fail with:
'SecKeychainItemImport: Unknown format in import'

Solution: Decode the certificate ourselves and provide a file path
instead of using the base64: prefix. This approach:
- Handles newlines in the base64 string correctly
- Avoids electron-builder's internal decoder issues
- Only sets CSC_LINK when the secret is available

Tested successfully on debug-cert-format branch with both x64 and
arm64 builds being signed correctly.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Changed base64 --decode to base64 -D for macOS BSD compatibility.
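
The decode-to-file procedure from the pull request description, with a `--decode`/`-D` fallback matching the follow-up commit, as an added example (not the repository's workflow code). `MACOS_CERTIFICATE` and `CSC_LINK` are the names used above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the repository.

# Use whichever decode flag the local base64 accepts
# (GNU coreutils: --decode, older BSD/macOS builds: -D).
b64_decode() {
  if printf 'QQ==' | base64 --decode >/dev/null 2>&1; then
    base64 --decode
  else
    base64 -D
  fi
}

# decode_cert_to_file <base64-text>
# Strips all whitespace (the wrapped lines), decodes into a fresh mktemp file
# (created with mode 0600) and prints its path. Fails when the input is empty,
# the decoder rejects it, or nothing is decoded.
decode_cert_to_file() {
  [ -n "$1" ] || return 1
  out=$(mktemp "${TMPDIR:-/tmp}/csc.XXXXXX") || return 1
  if printf '%s' "$1" | tr -d '[:space:]' | b64_decode >"$out" 2>/dev/null \
     && [ -s "$out" ]; then
    printf '%s\n' "$out"
  else
    rm -f "$out"
    return 1
  fi
}

# Export CSC_LINK only when the secret decodes; otherwise leave it unset so
# the build falls back to unsigned output.
setup_csc_link() {
  if cert_path=$(decode_cert_to_file "${MACOS_CERTIFICATE:-}"); then
    CSC_LINK=$cert_path
    export CSC_LINK
  else
    unset CSC_LINK
    echo "MACOS_CERTIFICATE missing or undecodable; building unsigned" >&2
  fi
}

# Delete the decoded certificate (signing key material) after the build.
cleanup_csc_link() {
  if [ -n "${CSC_LINK:-}" ]; then rm -f "$CSC_LINK"; fi
  unset CSC_LINK
}
```

Call `setup_csc_link` before invoking electron-builder in the same shell and `cleanup_csc_link` afterwards, so the decoded file does not outlive the build on the runner.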

ammario commented Oct 7, 2025

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Delightful!

@ammario ammario merged commit 523d693 into main Oct 7, 2025
6 of 7 checks passed
@ammario ammario deleted the fix-macos-signing-final branch October 7, 2025 19:28
ammario added a commit that referenced this pull request Oct 7, 2025
When Codex doesn't find any issues, it leaves a regular comment saying
"Didn't find any major issues. Delightful!" These comments should not
block PR merges since they indicate the code is good.

Before: All regular Codex comments blocked merge
After: Only actionable Codex comments block merge

Fixes issue where PR #80 was blocked despite Codex approval.

_Generated with `cmux`_
ammario added a commit that referenced this pull request Oct 7, 2025
## Problem

When Codex reviews a PR and doesn't find any issues, it leaves a regular
comment:

> Codex Review: Didn't find any major issues. Delightful!

The current `check_codex_comments.sh` script treats **all** regular
Codex comments as blocking, including these "all clear" messages. This
caused PR #80 to be blocked even though Codex approved it.

## Solution

Filter out Codex comments that contain "Didn't find any major issues" so
they don't block the merge.

## Testing

- ✅ PR #80 (has "Delightful" comment): Now passes
- ✅ PR #74 (has actual review comment): Still blocks correctly

## Changes

- Updated `scripts/check_codex_comments.sh` to use `jq` filter that
excludes "all clear" comments
- Only actionable Codex feedback will now block PRs

_Generated with `cmux`_