Background
Follows #207. The jr auth refresh command added in #209 is a user-facing recovery for the legacy-Keychain ACL / partition-list invalidation that occurs on every binary upgrade on macOS. The true root-cause fix is a stable code-signing identity.
Why ad-hoc codesign is not enough
Validated during #207 design (Apple TN2206): codesign -s - produces a cdhash that is a byte-hash of the binary. Every rebuild produces a different cdhash, so the legacy Keychain's trusted-application ACL and partition ID list still invalidate on upgrade. Only a Developer ID signature (stable teamid: in the partition list) survives rebuilds.
Scope
Update .github/workflows/release.yml to:
- Import the Developer ID Application certificate from an encrypted repo secret.
- Run
codesign --sign "Developer ID Application: ..." --options runtime jr after build on macOS targets (x86_64-apple-darwin, aarch64-apple-darwin).
- Submit for notarization via
xcrun notarytool submit --wait.
- Staple the notarization ticket with
xcrun stapler staple jr.
- Verify with
spctl --assess --type execute --verbose=4 jr.
Requirements
- Apple Developer Program membership ($99/yr) for the Developer ID Application certificate.
- CI secrets: signing certificate, keychain password, Apple ID app-specific password (or notarytool API key).
Outcome
Once shipped, jr auth refresh becomes unnecessary for standard upgrades. The stable teamid: in the Keychain partition list matches across all rebuilds, so the new binary passes the partition check silently and the user never sees an "allow access" prompt on brew upgrade.
Labels
`enhancement`, `macOS`, `blocked-on-budget`
Background
Follows #207. The
jr auth refreshcommand added in #209 is a user-facing recovery for the legacy-Keychain ACL / partition-list invalidation that occurs on every binary upgrade on macOS. The true root-cause fix is a stable code-signing identity.Why ad-hoc codesign is not enough
Validated during #207 design (Apple TN2206):
codesign -s -produces acdhashthat is a byte-hash of the binary. Every rebuild produces a different cdhash, so the legacy Keychain's trusted-application ACL and partition ID list still invalidate on upgrade. Only a Developer ID signature (stableteamid:in the partition list) survives rebuilds.Scope
Update
.github/workflows/release.ymlto:codesign --sign "Developer ID Application: ..." --options runtime jrafter build on macOS targets (x86_64-apple-darwin, aarch64-apple-darwin).xcrun notarytool submit --wait.xcrun stapler staple jr.spctl --assess --type execute --verbose=4 jr.Requirements
Outcome
Once shipped,
jr auth refreshbecomes unnecessary for standard upgrades. The stableteamid:in the Keychain partition list matches across all rebuilds, so the new binary passes the partition check silently and the user never sees an "allow access" prompt onbrew upgrade.Labels
`enhancement`, `macOS`, `blocked-on-budget`