Problem
The macOS binary shipped via Homebrew is adhoc, linker-signed, so its code hash changes on every release. macOS keychain ACLs are bound to the Designated Requirement of the writing process, so every brew upgrade gogcli invalidates the ACLs of every keychain item gog has stored. Users get a flood of "gog wants to use your confidential information stored in '' in your keychain" prompts after every upgrade, even after clicking "Always Allow" the previous time.
$ codesign -dv $(which gog)
Format=Mach-O thin (arm64)
CodeDirectory v=20400 ... flags=0x20002(adhoc,linker-signed)
Signature=adhoc
TeamIdentifier=not set
Why this is the same bug you fixed in CodexBar
This is structurally identical to CodexBar #679 — adhoc-signed CLI helper not in the trusted-apps ACL of its own keychain items — except here there's no main app to fall back to, so every invocation after upgrade can re-prompt.
Requested fix
Sign the bottled binary with a stable Developer ID Application certificate as part of the release pipeline. With a stable Designated Requirement (anchor apple generic and certificate leaf[subject.CN] = "Developer ID Application: ..."), keychain ACLs survive upgrades and "Always Allow" actually means always.
Concretely:
- Add codesign --options runtime --sign "Developer ID Application: ..." to the goreleaser/release script for darwin builds.
- Notarize + staple so Gatekeeper is happy too.
- Optionally migrate keychain writes to use kSecAttrAccessGroup with a team-scoped entitlement so future re-keying is also painless.
Workaround for affected users (until fix ships)
For anyone hitting this now: create a self-signed code-signing cert in Keychain Access, mark it trusted for code signing, and re-sign the binary after every upgrade:
codesign -s "Your Code Signing" -f -o runtime "$(which gog)"
A launchd WatchPaths agent on /opt/homebrew/bin/gog automates the re-sign on upgrade. Happy to share the plist if useful.
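As an added example (not code from the issue author or the gogcli project), a small POSIX shell script that automates the workaround above: it inspects the seal that codesign reports, re-signs only while the binary is still adhoc, and can emit the launchd WatchPaths agent. It assumes the identity name "Your Code Signing" from the workaround, the path /opt/homebrew/bin/gog, and an agent label local.gog-resign chosen here; the plist content is constructed.

```shell
#!/bin/sh
# Added example, not code from the gogcli project or the issue author.
# Re-signs the Homebrew gog binary with a stable self-signed identity, but only
# when codesign still reports the adhoc, linker-signed seal that breaks keychain
# ACLs. Assumptions: the identity is named "Your Code Signing" as in the issue,
# and the binary lives at /opt/homebrew/bin/gog (both overridable by env vars).
GOG_BIN="${GOG_BIN:-/opt/homebrew/bin/gog}"
SIGN_IDENTITY="${SIGN_IDENTITY:-Your Code Signing}"

# Reads `codesign -dv` output on stdin (codesign prints it on stderr, so callers
# must redirect with 2>&1). Returns 0 when the seal is adhoc and a re-sign is
# needed, 1 when a certificate-backed signing identity is already present.
needs_resign() {
  sig_info=$(cat)
  # A certificate-backed signature prints Authority= lines; adhoc seals never do.
  if printf '%s\n' "$sig_info" | grep -q '^Authority='; then
    return 1
  fi
  printf '%s\n' "$sig_info" | grep -Eq '^Signature=adhoc$|\(adhoc'
}

# Re-seal the binary if needed. -f replaces the existing seal, -o runtime keeps
# the hardened runtime as in the issue's manual workaround.
resign_if_adhoc() {
  if codesign -dv "$1" 2>&1 | needs_resign; then
    codesign -s "$SIGN_IDENTITY" -f -o runtime "$1"
  fi
}

# Emit a launchd WatchPaths agent (assumed label local.gog-resign) that runs this
# script with "run" whenever Homebrew replaces the watched binary. $1 must be
# the absolute path of this script as installed.
watch_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>local.gog-resign</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$1</string><string>run</string></array>
  <key>WatchPaths</key>
  <array><string>$GOG_BIN</string></array>
</dict>
</plist>
EOF
}

case "${1:-}" in
  run)   resign_if_adhoc "$GOG_BIN" ;;
  plist) watch_agent_plist "$0" ;;
esac
```

Install the script at a fixed path, write `sh gog-resign.sh plist` to ~/Library/LaunchAgents/local.gog-resign.plist and load it with launchctl; after each brew upgrade the agent re-signs gog once and leaves it alone otherwise.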
Environment
- gogcli 0.15.0 (Homebrew bottle)
- macOS 15.5 / Darwin 25.3.0, Apple Silicon