From 99c3fc1128f150f8de7b3e2c94681200e7c8e4c5 Mon Sep 17 00:00:00 2001
From: Jake <mcinteerj@gmail.com>
Date: Sun, 4 Jan 2026 08:01:02 +1300
Subject: [PATCH] Scripts: Make ad-hoc fallback opt-in with stronger TCC
 warnings

---
 scripts/codesign-mac-app.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/scripts/codesign-mac-app.sh b/scripts/codesign-mac-app.sh
index 1675695a1..c6310b795 100755
--- a/scripts/codesign-mac-app.sh
+++ b/scripts/codesign-mac-app.sh
@@ -57,8 +57,16 @@ select_identity() {
 
 if [ -z "$IDENTITY" ]; then
   if ! IDENTITY="$(select_identity)"; then
-    echo "WARN: No signing identity found. Falling back to ad-hoc signing (-)." >&2
-    IDENTITY="-"
+    if [[ "${ALLOW_ADHOC_SIGNING:-}" == "1" ]]; then
+      echo "WARN: No signing identity found. Falling back to ad-hoc signing (-)." >&2
+      echo "      !!! WARNING: Ad-hoc signed apps do NOT persist TCC permissions (Accessibility, etc) !!!" >&2
+      echo "      !!! You will need to re-grant permissions every time you restart the app.         !!!" >&2
+      IDENTITY="-"
+    else
+      echo "ERROR: No signing identity found. Set SIGN_IDENTITY to a valid codesigning certificate." >&2
+      echo "       Alternatively, set ALLOW_ADHOC_SIGNING=1 to fallback to ad-hoc signing (limitations apply)." >&2
+      exit 1
+    fi
   fi
 fi