fix: fix codesigning bug #1619

Open
JKFerland wants to merge 1 commit into different-ai:dev from JKFerland:fix/fix-signing-bug
Conversation

@JKFerland

Summary

  • Make adHocSignDarwin non-fatal when signing fails on a
    linker-signed binary

Why

  • bun build --compile on macOS produces binaries with a
    CS_LINKER_SIGNED ad-hoc signature embedded by the linker
  • On macOS 14+, codesign --remove-signature returns an "internal
    error in Code Signing subsystem" for these binaries — the kernel
    treats the linker signature as immutable
  • The script already calls --remove-signature before --sign, but
    silently swallowed the removal failure, then crashed on the
    subsequent --force --sign - with "main executable failed strict
    validation"
  • Since the binary is already validly ad-hoc signed by the linker
    (Signature=adhoc), it's runnable without re-signing

Issue

Scope

  • One-line change to adHocSignDarwin in prepare-sidecar.mjs
  • Only affects the error condition: throw is now gated on
    remove.status === 0, meaning we only error if the binary was
    successfully unsigned and then signing failed — a real problem. If
    removal also failed, the binary had an immutable signature and is
    still valid.

Out of scope

  • Doesn't change behavior for unsigned binaries (where --remove-signature succeeds), downloaded sidecars,
    or non-darwin platforms

Testing

Ran

  • pnpm dev

Result

  • pass/fail: pass
  • if fail, exact files/errors: N/A

CI status

  • pass: pending
  • code-related failures: N/A
  • external/env/auth blockers: N/A

Manual verification

  • Applied the one-line guard and confirmed pnpm dev completes successfully

Evidence

  • N/A

Risk

  • Low. The guard change only suppresses the throw when the binary already carries a valid ad-hoc
    signature. A truly broken/unsigned binary (where --remove-signature exits 0) still throws.

Rollback

  • Revert the && remove.status === 0 addition to line 269 of prepare-sidecar.mjs

@vercel
Contributor

vercel Bot commented Apr 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           Deployment  Actions                       Updated (UTC)
openwork-landing  Ready       Preview, Comment, Open in v0  Apr 30, 2026 3:00am

@vercel
Contributor

vercel Bot commented Apr 30, 2026

@JKFerland is attempting to deploy a commit to the Different AI Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions
Contributor

The following comment was made by an LLM, it may be inaccurate:

@src-opn added the EXTRA-ATTENTION-NEEDED label ("Maintainers need to pay additional attention to reviewing this pr") Apr 30, 2026
Collaborator

@src-opn src-opn left a comment

@OmarMcAdam Security-focused review completed.

Security issue:

  • apps/desktop/scripts/prepare-sidecar.mjs:269 now suppresses a failed codesign --force --sign - whenever the prior codesign --remove-signature exits non-zero. That does not prove the binary has an immutable linker-created ad-hoc signature; it also covers permission errors, malformed or corrupt signatures, file-system failures, and other unexpected codesign failures. Because this path prepares executable sidecars, silently accepting a binary that was neither successfully re-signed nor positively verified weakens the macOS sidecar integrity gate.
  • Required fix: fail closed unless the script positively verifies the existing binary is already validly ad-hoc signed. For example, only bypass re-sign failure after checking the specific immutable-linker-signature condition and/or running codesign --verify plus inspecting the signature metadata. Otherwise keep throwing.

Checks performed:

  • Pulled PR 1619 into a dedicated local worktree.
  • Reviewed PR metadata: description includes summary, rationale, scope, testing notes, and closes #1618.
  • Scanned the changed diff for hidden Unicode/control characters and malformed whitespace: git diff --check, non-ASCII enumeration, control-character scan, and ASCII transliteration comparison all passed.
  • Reviewed the changed code path in context.
  • Ran pnpm install --frozen-lockfile: passed.
  • Ran pnpm --filter @openwork/desktop prepare:sidecar: passed.
  • Ran pnpm --filter @openwork/desktop check:electron: passed.
  • Ran pnpm --filter @openwork/desktop build: passed.

Requesting changes until the code verifies the existing signature before suppressing the signing failure.

@src-opn removed the EXTRA-ATTENTION-NEEDED label ("Maintainers need to pay additional attention to reviewing this pr") Apr 30, 2026
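
One way to implement the fail-closed check the review above asks for, as an added example that is not part of the PR or the project's code: a re-sign failure is tolerated only after `codesign --verify` succeeds and the displayed metadata shows `Signature=adhoc` with the `linker-signed` CodeDirectory flag. The function names, the injected `run` runner and the sample output are assumptions made for illustration; in `prepare-sidecar.mjs` the runner would wrap `spawnSync` from `node:child_process`.

```javascript
// Added example, not the project's code. `run(cmd, args)` is an injected,
// spawnSync-compatible runner (assumption) returning { status, stderr }.

// Constructed sample of `codesign -d --verbose=4` output (printed on stderr).
const SAMPLE_LINKER_SIGNED = [
  "Executable=/tmp/sidecar",
  "Identifier=sidecar",
  "CodeDirectory v=20400 size=512 flags=0x20002(adhoc,linker-signed) hashes=13+0 location=embedded",
  "Signature=adhoc",
  "TeamIdentifier=not set",
].join("\n");

// Pull the signature kind and CodeDirectory flag names out of the display text.
function parseCodesignDisplay(text) {
  const sig = /^Signature=(.+)$/m.exec(text);
  const flags = /^CodeDirectory .*\bflags=0x[0-9a-fA-F]+\(([^)]*)\)/m.exec(text);
  return {
    signature: sig ? sig[1].trim() : null,
    flags: flags ? flags[1].split(",").map((f) => f.trim()) : [],
  };
}

// Positive evidence only: the binary verifies AND its metadata says linker ad-hoc.
function hasValidLinkerAdHocSignature(target, run) {
  if (run("codesign", ["--verify", target]).status !== 0) return false;
  const display = run("codesign", ["-d", "--verbose=4", target]);
  if (display.status !== 0) return false;
  const info = parseCodesignDisplay(String(display.stderr ?? ""));
  return info.signature === "adhoc" && info.flags.includes("linker-signed");
}

// Re-sign; on failure keep the binary only if the existing signature is proven.
function adHocSignFailClosed(target, run) {
  run("codesign", ["--remove-signature", target]); // exit status deliberately not trusted
  const sign = run("codesign", ["--force", "--sign", "-", target]);
  if (sign.status === 0) return "signed";
  if (hasValidLinkerAdHocSignature(target, run)) return "kept-linker-signature";
  throw new Error(`Failed to codesign ${target}: ${String(sign.stderr ?? "").trim()}`);
}
```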

Development

Successfully merging this pull request may close these issues.

[Bug]: Can't run desktop app, experiencing Failed to codesign error

2 participants