Bugfix: Fix crash on launch after auto-update

vdavid · vdavid · commit d2923aff25c1 · 2026-03-15T21:03:05.000+01:00
The new, custom auto-updater was absolutely broken! Luckily, the fix was simple:

- `fs::copy` overwrites files in-place, keeping the same inode. macOS's kernel code signing cache is keyed by inode, so it validates the new binary's pages against the old binary's cached code directory → `SIGKILL (Code Signature Invalid)` before any app code runs.
- Fix: write to a temp file, then `rename()` into place. This creates a new inode, forcing the kernel to validate the code signature fresh.
- The admin-privilege path (`rsync -a`) already uses atomic rename by default, so only the direct-write path was affected.
diff --git a/apps/desktop/src-tauri/src/updater/CLAUDE.md b/apps/desktop/src-tauri/src/updater/CLAUDE.md
@@ -38,6 +38,12 @@ signatures use base64(minisign-text-format) encoding, matching Tauri's internal
 `do shell script ... with administrator privileges` shows the native macOS auth dialog. `rsync` is used because it
 expresses the full sync (copy + delete stale) in a single shell command.
 
+**Decision**: Atomic rename (write to temp file, then `rename()`) instead of in-place `fs::copy`.
+**Why**: `fs::copy` overwrites the destination in-place, keeping the same inode. macOS's kernel code signing cache
+keys on inode — it validates the new binary's pages against the old binary's cached code directory, causing
+`SIGKILL (Code Signature Invalid)` on launch. Atomic rename creates a new inode, forcing a fresh validation.
+The admin-privilege path (`rsync -a`) already uses atomic rename by default.
+
 ## Key patterns and gotchas
 
 - **macOS-only.** The module, command registrations, and `UpdateState` are all gated with `#[cfg(target_os = "macos")]`.
diff --git a/apps/desktop/src-tauri/src/updater/installer.rs b/apps/desktop/src-tauri/src/updater/installer.rs
@@ -165,13 +165,26 @@ fn sync_remaining(src_root: &Path, dest_root: &Path, all_src_paths: &HashSet<Pat
 }
 
 /// Copies a file, creating parent directories as needed.
+///
+/// Uses atomic rename (write to temp file, then rename) instead of in-place overwrite.
+/// This creates a new inode, which prevents macOS's kernel code signing cache from
+/// validating the new binary's pages against the old binary's cached code directory.
 fn copy_file_creating_dirs(src: &Path, dest: &Path) -> Result<(), String> {
     if let Some(parent) = dest.parent()
         && !parent.exists()
     {
         fs::create_dir_all(parent).map_err(|e| format!("Couldn't create dir {}: {e}", parent.display()))?;
     }
-    fs::copy(src, dest).map_err(|e| format!("Couldn't copy {} -> {}: {e}", src.display(), dest.display()))?;
+
+    // Write to a temp file in the same directory, then atomically rename.
+    // This ensures the destination gets a new inode, avoiding stale kernel code signing cache.
+    let temp = dest.with_extension("cmdr-update-tmp");
+    fs::copy(src, &temp).map_err(|e| format!("Couldn't copy {} -> {}: {e}", src.display(), temp.display()))?;
+    fs::rename(&temp, dest).map_err(|e| {
+        // Clean up temp file on rename failure
+        let _ = fs::remove_file(&temp);
+        format!("Couldn't rename {} -> {}: {e}", temp.display(), dest.display())
+    })?;
     Ok(())
 }
 
