fix(install): re-sign binary on macOS to avoid Gatekeeper delays

On macOS, downloaded binaries with ad-hoc signatures from other machines trigger Gatekeeper malware checks on every invocation, causing slowness. Re-signing with a local ad-hoc signature avoids this. Fixes #466 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-13 09:58:34 +11:00
parent 6b6d2dc4af
commit 0b400c754b
2 changed files with 61 additions and 0 deletions
--- a/npm-package/scripts/postinstall.js
+++ b/npm-package/scripts/postinstall.js
@@ -116,6 +116,30 @@ function extractTarGz(tarGzPath, destDir, binaryName) {
  }
 }

+// Re-sign binary for macOS to avoid slow Gatekeeper checks
+// See: https://github.com/steveyegge/beads/issues/466
+function resignForMacOS(binaryPath) {
+  if (os.platform() !== 'darwin') {
+    return;
+  }
+
+  console.log('Re-signing binary for macOS...');
+  try {
+    // Remove existing signature
+    try {
+      execSync(`codesign --remove-signature "${binaryPath}"`, { stdio: 'pipe' });
+    } catch (e) {
+      // Ignore errors - binary may not have a signature
+    }
+
+    // Add ad-hoc signature for this machine
+    execSync(`codesign --force --sign - "${binaryPath}"`, { stdio: 'pipe' });
+    console.log('✓ Binary re-signed for this machine');
+  } catch (err) {
+    console.warn('Warning: Failed to re-sign binary (non-fatal):', err.message);
+  }
+}
+
 // Extract zip file (for Windows)
 function extractZip(zipPath, destDir, binaryName) {
  console.log(`Extracting ${zipPath}...`);
@@ -176,6 +200,9 @@ async function install() {
      extractTarGz(archivePath, binDir, binaryName);
    }

+    // Re-sign for macOS to avoid Gatekeeper delays
+    resignForMacOS(binaryPath);
+
    // Clean up archive
    fs.unlinkSync(archivePath);

--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -34,6 +34,31 @@ log_error() {
    echo -e "${RED}Error:${NC} $1" >&2
 }

+# Re-sign binary for macOS to avoid slow Gatekeeper checks
+# See: https://github.com/steveyegge/beads/issues/466
+resign_for_macos() {
+    local binary_path=$1
+
+    # Only run on macOS
+    if [[ "$(uname -s)" != "Darwin" ]]; then
+        return 0
+    fi
+
+    # Check if codesign is available
+    if ! command -v codesign &> /dev/null; then
+        log_warning "codesign not found, skipping re-signing"
+        return 0
+    fi
+
+    log_info "Re-signing binary for macOS..."
+    codesign --remove-signature "$binary_path" 2>/dev/null || true
+    if codesign --force --sign - "$binary_path"; then
+        log_success "Binary re-signed for this machine"
+    else
+        log_warning "Failed to re-sign binary (non-fatal)"
+    fi
+}
+
 # Detect OS and architecture
 detect_platform() {
    local os arch
@@ -144,6 +169,9 @@ install_from_release() {
        sudo mv bd "$install_dir/"
    fi

+    # Re-sign for macOS to avoid Gatekeeper delays
+    resign_for_macos "$install_dir/bd"
+
    log_success "bd installed to $install_dir/bd"

    # Check if install_dir is in PATH
@@ -205,6 +233,9 @@ install_with_go() {
        fi
        LAST_INSTALL_PATH="$bin_dir/bd"

+        # Re-sign for macOS to avoid Gatekeeper delays
+        resign_for_macos "$bin_dir/bd"
+
        # Check if GOPATH/bin (or GOBIN) is in PATH
        if [[ ":$PATH:" != *":$bin_dir:"* ]]; then
            log_warning "$bin_dir is not in your PATH"
@@ -252,6 +283,9 @@ build_from_source() {
                sudo mv bd "$install_dir/"
            fi

+            # Re-sign for macOS to avoid Gatekeeper delays
+            resign_for_macos "$install_dir/bd"
+
            log_success "bd installed to $install_dir/bd"

            # Record where we installed the binary when building from source