mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-16 13:03:31 +08:00
The local Apple Silicon packaging script produced app bundles that could fail strict bundle validation because the outer .app had no sealed resources. The fix shallow-signs only the copied canonical app bundle and checks that the claude-sidecar code-signature hash stays unchanged. Constraint: GitHub Actions release packaging must remain on the existing tauri-action path Constraint: macOS Keychain ACLs are sensitive to sidecar code-signature hashes Rejected: Set macOS signingIdentity in release CI | Tauri re-signs nested sidecars and can change Keychain caller identity Confidence: high Scope-risk: narrow Directive: Do not deep-sign claude-sidecar without proving existing Keychain ACLs still work after upgrade Tested: bash -n desktop/scripts/build-macos-arm64.sh Tested: SKIP_INSTALL=1 desktop/scripts/build-macos-arm64.sh Tested: codesign --verify --deep --strict --verbose=2 desktop/build-artifacts/macos-arm64/Claude\ Code\ Haha.app Tested: open -n desktop/build-artifacts/macos-arm64/Claude\ Code\ Haha.app and /health returned ok Not-tested: GitHub Actions release workflow, intentionally unchanged