From 7619cdf1e9b178a70ef240f564f9238c854e62ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Sat, 16 May 2026 15:14:40 +0200
Subject: [PATCH 1/3] fix(nix): re-inherit patches in desktop, ad-hoc sign .app on darwin

Two regressions from #16163: 1. The Tauri-era derivation inherited 'patches' from opencode; the Electron derivation dropped it. Flake consumers' overrideAttrs patches no longer reach the desktop build, even though packages/desktop/scripts/prepare.ts imports @opencode-ai/script and so depends on patches landed on packages/script/. 2. electron-builder is invoked with --config.mac.identity=null, which skips signing entirely (no ad-hoc fallback). macOS rejects unsigned binaries with code signature invalid. Re-sign ad-hoc in postFixup on darwin. Linux unaffected: postFixup is darwin-only; re-inheriting patches is a no-op when no patches are layered on opencode. Closes #27868
---
 nix/desktop.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/nix/desktop.nix b/nix/desktop.nix
index c7ae65ada77a..30d4cca7fbda 100644
--- a/nix/desktop.nix
+++ b/nix/desktop.nix
@@ -14,7 +14,12 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "opencode-desktop";
-  inherit (opencode) version src node_modules;
+  inherit (opencode)
+    version
+    src
+    node_modules
+    patches
+    ;
 
   nativeBuildInputs = [
     bun
@@ -89,6 +94,12 @@ stdenv.mkDerivation (finalAttrs: {
     runHook postInstall
   '';
 
+  # --config.mac.identity=null above skips signing; macOS refuses to
+  # launch unsigned binaries — re-sign ad-hoc here.
+  postFixup = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    /usr/bin/codesign --force --deep --sign - "$out/Applications/OpenCode.app"
+  '';
+
   autoPatchelfIgnoreMissingDeps = [
     "libc.musl-x86_64.so.1"
   ];

From d158ba3c1beff93592c7fce3831958edd3b34a50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Sat, 16 May 2026 20:30:18 +0200
Subject: [PATCH 2/3] fix(nix): use darwin.autoSignDarwinBinariesHook instead of manual codesign

Per review feedback (gigamonster256): replace the ad-hoc `/usr/bin/codesign --force --deep --sign -` postFixup with the standard nixpkgs hook `darwin.autoSignDarwinBinariesHook`. The hook walks the output and ad-hoc signs every Mach-O via `codesign -f -s -` (through sigtool / signIfRequired), which is the established pattern for electron-builder source builds on darwin (see e.g. bitwarden-desktop). The bundle seal that `--deep` produces (Contents/_CodeSignature/ CodeResources) is not required here: Gatekeeper does not enforce it for ad-hoc signatures on binaries without the quarantine xattr, which is always the case under /nix/store.
---
 nix/desktop.nix | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/nix/desktop.nix b/nix/desktop.nix
index 30d4cca7fbda..1ff6a7bcc924 100644
--- a/nix/desktop.nix
+++ b/nix/desktop.nix
@@ -3,6 +3,7 @@
   stdenv,
   bun,
   nodejs,
+  darwin,
   electron_41,
   makeWrapper,
   writableTmpDirAsHomeHook,
@@ -28,6 +29,17 @@ stdenv.mkDerivation (finalAttrs: {
     writableTmpDirAsHomeHook
   ] ++ lib.optionals stdenv.hostPlatform.isLinux [
     autoPatchelfHook
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    # `--config.mac.identity=null` below skips signing entirely. macOS refuses
+    # to launch unsigned binaries with `code signature invalid`, so re-sign
+    # ad-hoc. This hook walks every output and runs `codesign -f -s -` on each
+    # Mach-O via sigtool's `signIfRequired`, matching the pattern used by
+    # bitwarden-desktop for the same scenario (electron-builder source build
+    # whose binaries are modified by the build). The bundle seal produced by
+    # `codesign --deep` (Contents/_CodeSignature/CodeResources) is not required
+    # here — Gatekeeper does not enforce it for ad-hoc signatures on binaries
+    # without the quarantine xattr, which is always the case under /nix/store.
+    darwin.autoSignDarwinBinariesHook
   ];
 
   buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
@@ -94,12 +106,6 @@ stdenv.mkDerivation (finalAttrs: {
     runHook postInstall
   '';
 
-  # --config.mac.identity=null above skips signing; macOS refuses to
-  # launch unsigned binaries — re-sign ad-hoc here.
-  postFixup = lib.optionalString stdenv.hostPlatform.isDarwin ''
-    /usr/bin/codesign --force --deep --sign - "$out/Applications/OpenCode.app"
-  '';
-
   autoPatchelfIgnoreMissingDeps = [
     "libc.musl-x86_64.so.1"
   ];

From 70db6465ff64baf70282fc1cecbb33ad3397e1aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Sat, 16 May 2026 20:33:05 +0200
Subject: [PATCH 3/3] fix(nix): trim verbose comment on autoSignDarwinBinariesHook

---
 nix/desktop.nix | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/nix/desktop.nix b/nix/desktop.nix
index 1ff6a7bcc924..d0d7fa7eca1f 100644
--- a/nix/desktop.nix
+++ b/nix/desktop.nix
@@ -30,15 +30,7 @@ stdenv.mkDerivation (finalAttrs: {
   ] ++ lib.optionals stdenv.hostPlatform.isLinux [
     autoPatchelfHook
   ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # `--config.mac.identity=null` below skips signing entirely. macOS refuses
-    # to launch unsigned binaries with `code signature invalid`, so re-sign
-    # ad-hoc. This hook walks every output and runs `codesign -f -s -` on each
-    # Mach-O via sigtool's `signIfRequired`, matching the pattern used by
-    # bitwarden-desktop for the same scenario (electron-builder source build
-    # whose binaries are modified by the build). The bundle seal produced by
-    # `codesign --deep` (Contents/_CodeSignature/CodeResources) is not required
-    # here — Gatekeeper does not enforce it for ad-hoc signatures on binaries
-    # without the quarantine xattr, which is always the case under /nix/store.
+    # Ad-hoc sign the .app: --config.mac.identity=null below skips signing.
     darwin.autoSignDarwinBinariesHook
   ];
 
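Review bot: The trimmed comment on the added line says the hook signs "the .app", but the removed lines directly above describe it as ad-hoc signing each Mach-O in the output individually with no bundle seal, and that unsealed-bundle assumption is the one a future maintainer most needs to know when something copied out of /nix/store starts failing Gatekeeper. An ad-hoc signature (`-s -`) also carries no signing identity, so it satisfies the kernel's code-signature check but proves nothing about provenance; the store path hash remains the only integrity anchor for this artifact. Suggest keeping that one caveat rather than dropping it entirely, e.g. `# --config.mac.identity=null below skips signing. Ad-hoc sign each Mach-O in $out` / `# (no identity, no bundle seal); fine for unquarantined binaries launched from /nix/store.`. The nativeBuildInputs list this hunk edits opens before the hunk.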