forked from Selig/openclaw-skill
6 custom skills (assign-task, dispatch-webhook, daily-briefing, task-capture, qmd-brain, tts-voice) with technical documentation. Compatible with Claude Code, OpenClaw, Codex CLI, and OpenCode.
# macOS Signing
## Overview
The macOS signing process for OpenClaw is automated through build scripts that handle code signing, bundle identification, and metadata injection.
## Key Components
**Main Script**: `scripts/package-mac-app.sh` orchestrates the packaging and signing workflow, requiring Node 22+ for TypeScript and Control UI builds.

**Signing Identity**: The process reads the `SIGN_IDENTITY` environment variable. Developers can configure a persistent signing certificate by exporting this value in their shell configuration.
## Core Functionality
The packaging script performs several tasks:

1. Establishes a stable debug bundle identifier (`ai.openclaw.mac.debug`)
2. Updates Info.plist with the bundle identifier
3. Invokes `codesign-mac-app.sh` to sign binaries and the app bundle
4. Implements timestamping for Developer ID signatures (configurable via `CODESIGN_TIMESTAMP`)
5. Injects build metadata (`OpenClawBuildTimestamp` and `OpenClawGitCommit`)
6. Validates Team ID consistency across all Mach-O files
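
The Team ID consistency check in step 6 can be reproduced by hand when auditing a built bundle. The script below is an added example, not OpenClaw's own code: the function names are hypothetical, and `scan_bundle` assumes the macOS `codesign` and `file` tools.

```shell
#!/usr/bin/env bash
# Added example, not part of the OpenClaw scripts; function names are hypothetical.

# Extract TeamIdentifier from `codesign -d --verbose=4` output on stdin.
# Ad-hoc signatures report "not set"; unsigned files have no such line.
parse_team_id() {
  awk -F= '/^TeamIdentifier=/ { print $2; found = 1; exit }
           END { if (!found) print "unsigned" }'
}

# List every Mach-O file under a bundle as "team<TAB>path" (macOS only).
scan_bundle() {
  find "$1" -type f -print0 | while IFS= read -r -d '' f; do
    file -b "$f" | grep -q 'Mach-O' || continue
    printf '%s\t%s\n' "$(codesign -d --verbose=4 "$f" 2>&1 | parse_team_id)" "$f"
  done
}

# Read "team<TAB>path" lines; succeed only if all match the expected Team ID
# (default: the first file's). Unsigned files always fail.
check_team_ids() {
  awk -F'\t' -v want="${1:-}" '
    NR == 1 && want == "" { want = $1 }
    $1 != want || $1 == "unsigned" { print "MISMATCH\t" $1 "\t" $2; bad = 1 }
    END { exit (bad || NR == 0) }'
}

# Usage: ./check-team-ids.sh path/to/App.app [EXPECTED_TEAM_ID]
if [ "$#" -gt 0 ]; then
  scan_bundle "$1" | check_team_ids "${2:-}"
fi
```

Passing the expected Team ID as the second argument catches a bundle that is consistently signed, but by the wrong team or ad-hoc.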
## Signing Options
| Option | Configuration |
|--------|---------------|
| Auto-selection | Run script without environment variables |
| Production certificates | `SIGN_IDENTITY="Developer ID Application: Name"` |
| Ad-hoc signing | `ALLOW_ADHOC_SIGNING=1` or `SIGN_IDENTITY="-"` |
| Offline builds | `CODESIGN_TIMESTAMP=off` |
## Important Caveat
Ad-hoc signatures automatically disable the Hardened Runtime to prevent framework loading failures. This approach compromises TCC permission persistence between rebuilds.