Skip to content

[MEDIUM] Add pre-notarize validation in release.yml — reject builds with App Sandbox enabled #53

Closed
#60
Closed
[MEDIUM] Add pre-notarize validation in release.yml — reject builds with App Sandbox enabled#53
#60
Labels
hardeningReliability or defense-in-depth improvementtech-debtEligible for automated overnight fixing
@matthewod11-stack

Description

@matthewod11-stack
matthewod11-stack
opened on Apr 17, 2026

Description

The v0.2.0/v0.2.1 sandbox bug went undetected because nothing in the release pipeline validates the `Entitlements.plist` configuration. Adding a simple grep-gate in the release workflow prevents this specific class of error from ever reaching production again.

Current State

  • `src-tauri/Entitlements.plist` is committed to the repo; CI builds with whatever it contains.
  • No validation step; the first signal of a bad config is customers filing "updater doesn't work" tickets.

Suggested Fix

  • Add a step to `.github/workflows/release.yml` that runs BEFORE `tauri-action` builds. Specifically:
    1. `grep -q "com.apple.security.app-sandbox" src-tauri/Entitlements.plist` → if found, fail the job with a clear error: "App Sandbox must not be enabled for Developer ID distribution — it breaks the auto-updater. See [CRITICAL] Verify auto-updater latest.json points at PeoplePartner repo, not HRCommand #18/ci: bump actions/checkout from 4 to 6 #41."
    2. Verify Hardened Runtime carve-outs (`cs.allow-jit`, `cs.allow-unsigned-executable-memory`, `cs.disable-library-validation`) are present — these are required for Tauri to notarize.
  • Consider expanding to a more general entitlements-lint script in `scripts/` that's run both in CI and as a pre-commit hook.

Verification

  • A test PR adding `com.apple.security.app-sandbox` to Entitlements.plist fails the release workflow's validation step with the expected error message.
  • A test PR removing one of the Hardened Runtime carve-outs fails with a clear error.
  • The workflow passes on current main.

Automation Hints

scope: .github/workflows/release.yml; optionally scripts/validate-entitlements.sh (new)
do-not-touch: Entitlements.plist itself, src-tauri/
approach: add-validation
risk: low
max-files-changed: 2
blocked-by: none
bail-if: the workflow already has such a step we missed

Priority

Medium — a tight build-time guard that would have prevented the v0.2.0/v0.2.1 sandbox incident entirely. Cheap insurance for every future release.

Metadata

Metadata

Assignees

No one assigned

    Labels

    hardeningReliability or defense-in-depth improvementtech-debtEligible for automated overnight fixing

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions