From 81f2fa9f44a3fa267325a4cae82329f6511fc96d Mon Sep 17 00:00:00 2001
From: Will Tyler
Date: Thu, 11 Jun 2026 08:38:02 -0400
Subject: [PATCH] fix(release): ad-hoc codesign macOS .app to stop "damaged" Gatekeeper error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Apple Silicon requires every executable to carry a valid code signature. The macOS bundle shipped unsigned, so once a browser download applied the com.apple.quarantine flag, Gatekeeper reported the app as "damaged — move to Trash" and blocked the normal right-click -> Open bypass.

Ad-hoc sign the full bundle (codesign --force --deep --sign -) before packaging, and verify the signature. This downgrades the failure to the standard "unidentified developer" prompt, which users clear via right-click -> Open.

Full notarization (removes the prompt entirely, requires a paid Apple Developer ID) remains deferred and tracked separately.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ff490ba..c1e6af9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -66,6 +66,14 @@ jobs: sed "s/@VERSION@/${version}/g" .github/macos/Info.plist > "$app/Contents/Info.plist" # Fail loudly if the executable name ever drifts from CFBundleExecutable. test -x "$app/Contents/MacOS/EftViewer.Desktop" + # Ad-hoc sign the whole bundle. Without a signature, Apple Silicon + # Gatekeeper treats a quarantined download as "damaged" and blocks + # even the right-click -> Open escape hatch. An ad-hoc signature + # downgrades that to the standard "unidentified developer" prompt, + # which users can clear with right-click -> Open. (Full notarization + # — the only way to remove the prompt entirely — is tracked separately.) + codesign --force --deep --sign - "$app" + codesign --verify --strict --verbose=2 "$app" # ditto preserves bundle structure/symlinks/resource forks; plain zip can mangle .app bundles. ditto -c -k --sequesterRsrc --keepParent "$app" "$archive" else
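Review bot: the verify step does not match the sign step. `codesign --force --deep --sign - "$app"` recursively signs nested code, but `codesign --verify --strict --verbose=2 "$app"` without `--deep` only validates the outer bundle's own signature and seal, so a nested item that failed to sign (or that a later build step overwrote) would still pass this gate. Make it `codesign --verify --deep --strict --verbose=2 "$app"` so the check covers what the commit message says it verifies ("the full bundle"). Two related caveats worth a line in the comment block: the signature seals the bundle contents, so this pair of commands must stay the last thing that touches `$app` before `ditto` (it already is here; keep it that way when the step grows), and Apple's signing guidance discourages `--deep` for signing because it only discovers nested code in the standard bundle locations and applies the top-level options to everything it finds. For a bundle whose only code is `Contents/MacOS/EftViewer.Desktop` that is harmless, but if the app ever gains embedded frameworks, helpers or dylibs outside those locations they will ship unsigned and the ad-hoc fix silently stops working for them; signing them explicitly, innermost first, is the durable form.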