fix(install): re-sign binary on macOS to avoid Gatekeeper delays

On macOS, downloaded binaries with ad-hoc signatures from other machines trigger Gatekeeper malware checks on every invocation, causing slowness. Re-signing with a local ad-hoc signature avoids this. Fixes #466 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-13 09:58:34 +11:00
parent 6b6d2dc4af
commit 0b400c754b
2 changed files with 61 additions and 0 deletions
--- a/npm-package/scripts/postinstall.js
+++ b/npm-package/scripts/postinstall.js
@@ -116,6 +116,30 @@ function extractTarGz(tarGzPath, destDir, binaryName) {
  }
 }

+// Re-sign binary for macOS to avoid slow Gatekeeper checks
+// See: https://github.com/steveyegge/beads/issues/466
+function resignForMacOS(binaryPath) {
+  if (os.platform() !== 'darwin') {
+    return;
+  }
+
+  console.log('Re-signing binary for macOS...');
+  try {
+    // Remove existing signature
+    try {
+      execSync(`codesign --remove-signature "${binaryPath}"`, { stdio: 'pipe' });
+    } catch (e) {
+      // Ignore errors - binary may not have a signature
+    }
+
+    // Add ad-hoc signature for this machine
+    execSync(`codesign --force --sign - "${binaryPath}"`, { stdio: 'pipe' });
+    console.log('✓ Binary re-signed for this machine');
+  } catch (err) {
+    console.warn('Warning: Failed to re-sign binary (non-fatal):', err.message);
+  }
+}
+
 // Extract zip file (for Windows)
 function extractZip(zipPath, destDir, binaryName) {
  console.log(`Extracting ${zipPath}...`);
@@ -176,6 +200,9 @@ async function install() {
      extractTarGz(archivePath, binDir, binaryName);
    }

+    // Re-sign for macOS to avoid Gatekeeper delays
+    resignForMacOS(binaryPath);
+
    // Clean up archive
    fs.unlinkSync(archivePath);