build: ad-hoc codesign macOS binaries after compile (fix Killed:9 on Apple Silicon)#114

Open: miskaone wants to merge 1 commit into Hacker-Valley-Media:main from miskaone:codesign-macos-binaries

miskaone commented Jun 19, 2026

Problem

On Apple Silicon, macOS SIGKILLs unsigned Mach-O executables. bun build --compile output can land unsigned (or with a malformed signature slot), so the built dist/interceptor / daemon/interceptor-daemon exit 137 ("Killed: 9") with no output, and the native-messaging daemon never stays up — every interceptor command then returns empty.

Fix

After the build, remove any existing signature and ad-hoc re-sign the produced binaries:

codesign --remove-signature "$b"; codesign --force --sign - "$b"

for dist/interceptor, daemon/interceptor-daemon, and dist/interceptor-bridge. Guarded to macOS with codesign present, so it's a no-op on Linux/Windows or CI hosts without codesign. Windows .exe outputs are not matched.

Testing

  • Before: a freshly built interceptor --version exits 137 with empty output; codesign -dv dist/interceptor → "code object is not signed at all."
  • After: interceptor --version prints the version (exit 0); codesign -dv → Signature=adhoc; the daemon starts and interceptor status reports daemon: running.

Ad-hoc signature only (no Developer ID / notarization) — sufficient to stop the OS kill for locally-built binaries.

Summary by CodeRabbit

  • Chores
    • Enhanced the macOS build process by automatically code-signing release binaries during the build step to ensure proper security verification.

Copilot AI review requested due to automatic review settings June 19, 2026 11:43
coderabbitai Bot commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 72c6d6d5-f828-4013-b20a-c5914fe4ffeb

📥 Commits

Reviewing files that changed from the base of the PR and between 9b8c4a6 and c096b6f.

📒 Files selected for processing (1)
  • scripts/build.sh

Walkthrough

scripts/build.sh gains a macOS-only post-build block that, when codesign is available, iterates over three expected binaries (dist/interceptor, daemon/interceptor-daemon, dist/interceptor-bridge), removes any existing signature (best-effort), and re-signs each with an ad-hoc signature. Missing binaries are skipped silently.

Changes

macOS Ad-hoc Code Signing

| Layer / File(s) | Summary |
|---|---|
| Post-build macOS ad-hoc code signing (scripts/build.sh) | Appends a Darwin-only block (lines 220–232) that checks for codesign, strips existing signatures via --remove-signature, and re-signs each of the three expected Mach-O outputs with codesign --force --sign -, skipping any binary that does not exist. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Hacker-Valley-Media/Interceptor#34: Both PRs apply codesign to the same binaries in dist/ within scripts/build.sh / scripts/release-dmg.sh, directly overlapping on macOS signing behavior for the same artifacts.

Poem

🐇 A hop through the shell, a sign in the air,
With codesign in paw and a dash here and there,
The binaries shimmer, ad-hoc and bright,
No quarantine gremlins shall spoil the night.
The rabbit has stamped them—all three, with flair! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: adding ad-hoc code signing for macOS binaries after compilation to fix the Killed:9 exit code issue on Apple Silicon. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


On Apple Silicon, the OS SIGKILLs unsigned Mach-O executables. `bun build
--compile` output can land unsigned (or with a malformed signature slot),
so the produced `interceptor` / `interceptor-daemon` exit 137 ("Killed: 9")
with no output and the daemon never stays up under native messaging.

After the build, remove any existing signature and re-sign ad-hoc
(codesign --remove-signature, then codesign --force --sign -) for the CLI,
daemon, and bridge. Guarded to macOS with codesign present, so it is a no-op
on Linux/Windows or CI hosts without codesign.
@miskaone miskaone force-pushed the codesign-macos-binaries branch from bd51d23 to c096b6f Compare June 19, 2026 11:45

Copilot AI left a comment


Pull request overview

This PR aims to prevent locally-built macOS binaries (compiled via bun build --compile) from being SIGKILL’d on Apple Silicon by ensuring the produced Mach-O outputs are ad-hoc codesigned after compilation.

Changes:

  • Add a post-build macOS-only ad-hoc codesign step for produced binaries in scripts/build.sh.
  • Extend scripts/install.sh to support targeting the “ChatGPT Atlas” browser for profile discovery, native-messaging host installation, and extension-loading instructions.

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| scripts/install.sh | Adds a new --atlas browser target and associated path detection / native-messaging install and extension-loading flows. |
| scripts/build.sh | Adds a Darwin-only post-build ad-hoc signing step intended to prevent Apple Silicon “Killed: 9” for unsigned compiled outputs. |
Comments suppressed due to low confidence (1)

scripts/build.sh:148

  • The codesign step can silently leave broken binaries: if codesign --force --sign - fails, the script still prints "Build complete" and exits 0. Since this signing is meant to prevent the Apple Silicon "Killed: 9" failure mode, the build should fail loudly when signing fails (and ideally avoid touching unrelated outputs when building --target=windows).
  },
  content_scripts: [
    { matches: ["<all_urls>"], js: ["net-buffer-content.js"], run_at: "document_start", all_frames: true },
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_idle", all_frames: true }
  ]
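
The post-build signing step this PR describes, written so that a signing failure fails the build, which is the concern in the suppressed review comment above. This is an added example, not the PR's scripts/build.sh change: `sign_macos_binaries`, `HOST_OS` and `CODESIGN` are hypothetical names (the two variables are overrides so the logic can be exercised off macOS), and the `codesign --verify --strict` check is an addition.

```shell
# Added example, not the PR's code.
# HOST_OS and CODESIGN are hypothetical overrides for testing off macOS.
sign_macos_binaries() {
  local os="${HOST_OS:-$(uname -s)}"
  local cs="${CODESIGN:-codesign}"
  local b
  local failed=0

  # Guard: no-op unless on macOS with codesign available.
  [ "$os" = "Darwin" ] || return 0
  command -v "$cs" >/dev/null 2>&1 || return 0

  for b in "$@"; do
    # Skip outputs this build did not produce.
    [ -f "$b" ] || continue
    # Best-effort strip, as in the PR: errors from this step are ignored.
    "$cs" --remove-signature "$b" >/dev/null 2>&1 || true
    # Signing and verification must both succeed; record any failure.
    if ! "$cs" --force --sign - "$b" || ! "$cs" --verify --strict "$b"; then
      echo "codesign failed: $b" >&2
      failed=1
    fi
  done
  return "$failed"
}

# The three outputs named in the PR; a non-zero status stops the build
# before "Build complete" is printed.
sign_macos_binaries dist/interceptor daemon/interceptor-daemon \
  dist/interceptor-bridge || exit 1
echo "Build complete"
```
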
