From b5706cbb9972cc93115aa198d1bee4828ede2209 Mon Sep 17 00:00:00 2001 From: Natalie Date: Sun, 17 May 2026 23:41:30 -0700 Subject: [PATCH] =?UTF-8?q?fix(@applications/mac-sync):=20=F0=9F=90=9B=20f?= =?UTF-8?q?ix=20identity=20validation=20logic?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Lilith Autocommit --- deploy/install.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/deploy/install.sh b/deploy/install.sh index 933cbf6..77784d1 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -192,9 +192,14 @@ ensure_signing_identity() { # 2. Prefer the self-signed "Quinn Norton" identity. SIGNING_IDENTITY="$SIGNING_IDENTITY_FALLBACK" - # Count how many valid signing identities are in the dedicated keychain. + # Count how many signing identities are in the dedicated keychain. + # NOTE: we deliberately omit -v (valid-only filter). The self-signed + # cert is not in System trust settings — find-identity -v returns 0 + # for it, which would loop-regenerate the cert every install and + # invalidate TCC grants (FDA, AppleEvents, etc.) bound to the old + # cert hash. Without -v we still match the cert by label and identifier. local identity_count - identity_count=$(security find-identity -p codesigning -v "$MAC_SYNC_KEYCHAIN_PATH" 2>/dev/null | grep -c "\"$SIGNING_IDENTITY\"" || true) + identity_count=$(security find-identity -p codesigning "$MAC_SYNC_KEYCHAIN_PATH" 2>/dev/null | grep -c "\"$SIGNING_IDENTITY\"" || true) if [[ "$identity_count" -eq 1 ]]; then print_success "Code-signing identity '$SIGNING_IDENTITY' already in keychain"