fix(sidecar/copy-runtime-modules): best-effort .node signing #7
Merged
Conversation
The script tries to codesign every .node file under runtime-modules/
with the identity from tauri.conf.json (since SIGNING_IDENTITY env
var is rarely set). In CI this aborts the entire build with
"The specified item could not be found in the keychain" because
tauri-action imports the Apple cert into the keychain in a *later*
workflow step. Same failure mode for any local dev contributor who
doesn't have the production cert installed.
The original guard ("Skipped silently if SIGNING_IDENTITY isn't set
— dev build / CI without notarization") matches the intent but the
later tauri.conf.json fallback short-circuits it.
Wrap each codesign call in try/catch. On failure, log a warning and
leave the .node unsigned. After the loop, summarize the count so the
state is auditable. Acceptable for unsigned dev/CI builds; if
notarization is enabled (Apple secrets present), notarytool will
reject the unsigned binaries loudly, which is the correct failure
mode rather than hiding it behind a missing-keychain error here.
The "right" long-term fix is to either:
- explicitly import the cert into the keychain before this step
(mirror what tauri-action does), or
- sign Contents/Resources/**/*.node after tauri-action's bundle
step, before notarization.
That structural fix is out of scope for unblocking v0.1.8 — this
patch restores forward progress.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
`sidecar/scripts/copy-runtime-modules.mjs` aborts v0.1.8's release build at the codesign step with:
```
codesign --sign "Developer ID Application: Matthew Dula (PPY9K2BYJH)" ...
error: The specified item could not be found in the keychain.
```
The script's existing guard ("skip if SIGNING_IDENTITY env var isn't set") was overridden by a fallback that reads the identity from `tauri.conf.json`. The fallback works on the dev's machine because the cert is in their login keychain — but in CI, `tauri-action` doesn't import the cert until a workflow step later than the one this script runs in. Same failure mode for any dev contributor without the production cert installed.
Fix
Wrap each `codesign` call in try/catch. On failure, log a warning and leave the binary unsigned. Summarize the count after the loop so it's visible in logs.
Out of scope (for a follow-up)
The proper long-term fix is to make the .node files actually signed in the released .app. Two options:
Either change is a workflow-level fix, not a script fix. Out of scope for unblocking v0.1.8.
After merge
I'll move the v0.1.8 tag again (third re-tag) to pick up this fix and watch the release workflow through to completion.
🤖 Generated with Claude Code
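As an added illustration, not the project's own `copy-runtime-modules.mjs` and not code from this PR, the shape of the best-effort pass the Fix section describes: resolve the identity (env var first, `tauri.conf.json` fallback), try each `codesign`, warn and continue on failure, and return a summary that makes the result auditable. The signer is injected so the loop can run without a keychain; `execCodesign` is the real one and assumes the macOS `codesign` tool is on PATH. The `tauri.conf.json` key paths, the notarization variable names (`APPLE_ID`, `APPLE_PASSWORD`, `APPLE_TEAM_ID`) and the `unsignedIsFatal` check are assumptions; the check goes one step past the PR by failing the script early when notarization secrets are present, rather than waiting for notarytool to reject the unsigned files.

```javascript
// Added example, not the project's script. Resolves the signing identity,
// signs each .node best-effort, and reports the outcome.

// Env var first, then the tauri.conf.json fallback. Returns null when neither
// is present so the caller can skip signing outright (the original guard).
// Key paths are an assumption: Tauri v2 `bundle.macOS.signingIdentity`,
// Tauri v1 `tauri.bundle.macOS.signingIdentity`.
function resolveIdentity(env, tauriConf) {
  if (env.SIGNING_IDENTITY) {
    return { identity: env.SIGNING_IDENTITY, source: 'SIGNING_IDENTITY' };
  }
  const fromConf =
    tauriConf?.bundle?.macOS?.signingIdentity ??
    tauriConf?.tauri?.bundle?.macOS?.signingIdentity;
  if (fromConf) return { identity: fromConf, source: 'tauri.conf.json' };
  return null;
}

// Real signer (assumes macOS `codesign` on PATH). Hardened runtime and a
// secure timestamp are what notarization expects on a native module.
async function execCodesign(file, identity) {
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  await promisify(execFile)('codesign', [
    '--sign', identity, '--force', '--timestamp', '--options', 'runtime', file,
  ]);
}

// Best-effort loop: a failed codesign is logged and the file is left
// unsigned; the loop continues and the summary records what happened
// instead of aborting the whole build on a missing keychain item.
async function signRuntimeModules(nodeFiles, identity, sign = execCodesign, log = console.warn) {
  const summary = { signed: [], unsigned: [] };
  for (const file of nodeFiles) {
    try {
      await sign(file, identity);
      summary.signed.push(file);
    } catch (err) {
      const reason = err instanceof Error ? err.message : String(err);
      summary.unsigned.push({ file, reason });
      log(`warning: codesign failed for ${file}: ${reason}`);
    }
  }
  log(`codesign summary: ${summary.signed.length} signed, ` +
      `${summary.unsigned.length} left unsigned (${nodeFiles.length} total)`);
  return summary;
}

// Unsigned modules are acceptable for a plain dev/CI build, but a build that
// is going to be notarized must not ship them. Variable names are an
// assumption about which secrets signal "notarization enabled".
function unsignedIsFatal(summary, env) {
  const notarizing = Boolean(env.APPLE_ID && env.APPLE_PASSWORD && env.APPLE_TEAM_ID);
  return notarizing && summary.unsigned.length > 0;
}
```

Wiring this into a script is one call: `resolveIdentity(process.env, conf)`, then `signRuntimeModules(files, identity)` when an identity was found, then `process.exit(1)` if `unsignedIsFatal(summary, process.env)`. Injecting the signer is what lets the loop's skip-and-continue behaviour be exercised on a machine without the cert.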