Merge pull request #580 from jeffersonwarrior/fix/restart-mac-signing-auto-detection

feat: add auto-signing detection to restart-mac.sh

CHANGELOG.md

@@ -37,6 +37,7 @@
 - Gateway/Control UI: make `chat.send` non-blocking, wire Stop to `chat.abort`, and treat `/stop` as an out-of-band abort. (#653)
 - Gateway/Control UI: allow `chat.abort` without `runId` (abort active runs), suppress post-abort chat streaming, and prune stuck chat runs. (#653)
 - Gateway/Control UI: sniff image attachments for chat.send, drop non-images, and log mismatches. (#670) — thanks @cristip73.
+- macOS: force `restart-mac.sh --sign` to require identities and keep bundled Node signed for relay verification. (#580) — thanks @jeffersonwarrior.
 - Gateway/Agent: accept image attachments on `agent` (multimodal message) and add live gateway image probe (`CLAWDBOT_LIVE_GATEWAY_IMAGE_PROBE=1`).
 - CLI: `clawdbot sessions` now includes `elev:*` + `usage:*` flags in the table output.
 - CLI/Pairing: accept positional provider for `pairing list|approve` (npm-run compatible); update docs/bot hints.

scripts/package-mac-app.sh

@@ -294,7 +294,7 @@ package_relay_node() {
     cp "$relay_node_build_dir/node-${BUILD_ARCHS[0]}" "$relay_node"
   fi
   chmod +x "$relay_node"
-  if [[ "${STRIP_NODE:-1}" == "1" ]]; then
+  if [[ "${STRIP_NODE:-0}" == "1" ]]; then
     /usr/bin/strip -x "$relay_node" 2>/dev/null || true
   fi
   rm -rf "$relay_node_build_dir"

scripts/restart-mac.sh

@@ -15,6 +15,9 @@ LOCK_DIR="${TMPDIR:-/tmp}/clawdbot-restart-${LOCK_KEY}"
 LOCK_PID_FILE="${LOCK_DIR}/pid"
 WAIT_FOR_LOCK=0
 LOG_PATH="${CLAWDBOT_RESTART_LOG:-/tmp/clawdbot-restart.log}"
+NO_SIGN=0
+SIGN=0
+AUTO_DETECT_SIGNING=1
 
 log()  { printf '%s\n' "$*"; }
 fail() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
@@ -64,19 +67,35 @@ acquire_lock() {
   done
 }
 
+check_signing_keys() {
+  security find-identity -p codesigning -v 2>/dev/null \
+    | grep -Eq '(Developer ID Application|Apple Distribution|Apple Development)'
+}
+
 trap cleanup EXIT INT TERM
 
 for arg in "$@"; do
   case "${arg}" in
     --wait|-w) WAIT_FOR_LOCK=1 ;;
+    --no-sign) NO_SIGN=1; AUTO_DETECT_SIGNING=0 ;;
+    --sign) SIGN=1; AUTO_DETECT_SIGNING=0 ;;
     --help|-h)
-      log "Usage: $(basename "$0") [--wait]"
+      log "Usage: $(basename "$0") [--wait] [--no-sign] [--sign]"
+      log "  --wait    Wait for other restart to complete instead of exiting"
+      log "  --no-sign Force no code signing (fastest for development)"
+      log "  --sign    Force code signing (will fail if no signing key available)"
+      log ""
+      log "Default behavior: Auto-detect signing keys, fallback to --no-sign if none found"
       exit 0
       ;;
     *) ;;
   esac
 done
 
+if [[ "$NO_SIGN" -eq 1 && "$SIGN" -eq 1 ]]; then
+  fail "Cannot use --sign and --no-sign together"
+fi
+
 mkdir -p "$(dirname "$LOG_PATH")"
 rm -f "$LOG_PATH"
 exec > >(tee "$LOG_PATH") 2>&1
@@ -118,6 +137,27 @@ run_step "bundle canvas a2ui" bash -lc "cd '${ROOT_DIR}' && pnpm canvas:a2ui:bun
 run_step "clean build cache" bash -lc "cd '${ROOT_DIR}/apps/macos' && rm -rf .build .build-swift .swiftpm 2>/dev/null || true"
 run_step "swift build" bash -lc "cd '${ROOT_DIR}/apps/macos' && swift build -q --product Clawdbot"
 
+if [ "$AUTO_DETECT_SIGNING" -eq 1 ]; then
+  if check_signing_keys; then
+    log "==> Signing keys detected, will code sign"
+    SIGN=1
+  else
+    log "==> No signing keys found, will skip code signing (--no-sign)"
+    NO_SIGN=1
+  fi
+fi
+
+if [ "$NO_SIGN" -eq 1 ]; then
+  export ALLOW_ADHOC_SIGNING=1
+  export SIGN_IDENTITY="-"
+elif [ "$SIGN" -eq 1 ]; then
+  if ! check_signing_keys; then
+    fail "No signing identity found. Use --no-sign or install a signing key."
+  fi
+  unset ALLOW_ADHOC_SIGNING
+  unset SIGN_IDENTITY
+fi
+
 # 3) Package app (default to bundling the embedded gateway + CLI).
 run_step "package app" bash -lc "cd '${ROOT_DIR}' && SKIP_TSC=${SKIP_TSC:-1} SKIP_GATEWAY_PACKAGE=${SKIP_GATEWAY_PACKAGE:-0} '${ROOT_DIR}/scripts/package-mac-app.sh'"