
fix(nix): re-inherit patches in desktop, ad-hoc sign .app on darwin #27869

Open

jerome-benoit wants to merge 7 commits into anomalyco:dev from jerome-benoit:fix/nix-desktop-patches-darwin-codesign

Conversation

jerome-benoit (Contributor) commented May 16, 2026

Issue for this PR

Closes #27868

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Two fixes to nix/desktop.nix for regressions from #16163:

  1. Re-add patches to inherit (opencode) ..., which was lost in the Tauri→Electron rewrite. packages/desktop/scripts/prepare.ts imports @opencode-ai/script, so consumers' overrideAttrs patches on packages/script/ need to reach the desktop build's patchPhase.

  2. Ad-hoc sign the .app on darwin via darwin.autoSignDarwinBinariesHook. electron-builder's --config.mac.identity=null produces an unsigned bundle; macOS refuses to launch it. Same pattern as bitwarden-desktop. No-op on Linux.

How did you verify your code works?

  • Same hook applied via overrideAttrs on opencode-desktop in my home-manager config: builds and launches on aarch64-darwin (macOS 14, Apple Silicon).
  • Patch propagation verified by overlaying a patch on packages/script/ via overrideAttrs and confirming the desktop derivation's patchPhase applies it.

Screenshots / recordings

N/A — build fix.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

Two regressions from anomalyco#16163:

1. The Tauri-era derivation inherited 'patches' from opencode; the
   Electron derivation dropped it. Flake consumers' overrideAttrs
   patches no longer reach the desktop build, even though
   packages/desktop/scripts/prepare.ts imports @opencode-ai/script
   and so depends on patches landed on packages/script/.

2. electron-builder is invoked with --config.mac.identity=null, which
   skips signing entirely (no ad-hoc fallback). macOS rejects unsigned
   binaries with code signature invalid. Re-sign ad-hoc in postFixup
   on darwin.

Linux unaffected: postFixup is darwin-only; re-inheriting patches is
a no-op when no patches are layered on opencode.

Closes anomalyco#27868
Copilot AI review requested due to automatic review settings May 16, 2026 13:15

Copilot AI left a comment

Pull request overview

Restores patches inheritance and adds an ad-hoc codesign step on darwin to nix/desktop.nix, fixing two regressions introduced by the Tauri→Electron migration in #16163.

Changes:

  • Re-inherit patches from opencode so consumer-layered patches reach the desktop build.
  • Add a darwin-only postFixup that ad-hoc signs the produced .app bundle, since --config.mac.identity=null leaves it unsigned.


gigamonster256 (Contributor) commented:

The patches addition looks good; perhaps use darwin.autoSignDarwinBinariesHook instead of the non-standard signing fixup.

…esign

Per review feedback (gigamonster256): replace the ad-hoc
`/usr/bin/codesign --force --deep --sign -` postFixup with the standard
nixpkgs hook `darwin.autoSignDarwinBinariesHook`. The hook walks the
output and ad-hoc signs every Mach-O via `codesign -f -s -` (through
sigtool / signIfRequired), which is the established pattern for
electron-builder source builds on darwin (see e.g. bitwarden-desktop).

The bundle seal that `--deep` produces (Contents/_CodeSignature/
CodeResources) is not required here: Gatekeeper does not enforce it
for ad-hoc signatures on binaries without the quarantine xattr, which
is always the case under /nix/store.
jerome-benoit (Contributor, Author) commented May 16, 2026

Thanks @gigamonster256 — pushed d158ba3 using darwin.autoSignDarwinBinariesHook (same pattern as bitwarden-desktop). Verified locally by applying the same hook via overrideAttrs on opencode-desktop: builds and launches on aarch64-darwin.
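The two fixes this PR describes, as an added illustration rather than the PR's own diff of nix/desktop.nix. Taken from the discussion above: inherit (opencode) patches, darwin.autoSignDarwinBinariesHook, --config.mac.identity=null and the replaced codesign --force --deep --sign - fixup; everything else (pname, nodejs, the phase bodies, the electron-builder invocation, the dist/ and $out/Applications paths) is assumed for the sketch.

```nix
# Added sketch, not the PR's diff: shows where the two fixes sit in a
# desktop derivation. Names other than those quoted in the PR are assumed.
{ lib, stdenv, darwin, opencode, nodejs }:

stdenv.mkDerivation {
  pname = "opencode-desktop";   # assumed attribute name
  inherit (opencode) version src;

  # Fix 1: re-inherit patches. Without this line a consumer's
  #   opencode.overrideAttrs (o: { patches = o.patches ++ [ ./my.patch ]; })
  # never reaches this derivation's patchPhase, even though
  # packages/desktop/scripts/prepare.ts depends on packages/script/.
  # A no-op when no patches are layered on opencode.
  inherit (opencode) patches;

  nativeBuildInputs = [ nodejs ]                 # build tooling: assumed
    ++ lib.optionals stdenv.hostPlatform.isDarwin [
      # Fix 2: the nixpkgs setup hook registers a fixup that walks $out and
      # ad-hoc signs every Mach-O (codesign -f -s -), the same pattern
      # bitwarden-desktop uses. Not added on Linux, so nothing changes there.
      darwin.autoSignDarwinBinariesHook
    ];

  buildPhase = ''
    runHook preBuild
    # identity=null makes electron-builder skip signing entirely (no ad-hoc
    # fallback); without the hook above macOS refuses to launch the .app.
    # The exact invocation is assumed.
    npx electron-builder --dir --config.mac.identity=null
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    mkdir -p $out/Applications
    cp -r dist/mac*/*.app $out/Applications/     # output path: assumed
    runHook postInstall
  '';

  # The PR's first revision did this instead; replaced per review because the
  # hook is the standard nixpkgs pattern and the --deep bundle seal is not
  # needed for ad-hoc signatures on unquarantined /nix/store binaries.
  # postFixup = lib.optionalString stdenv.hostPlatform.isDarwin ''
  #   /usr/bin/codesign --force --deep --sign - $out/Applications/*.app
  # '';
}
```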



Linked issue: nix(desktop): patches not re-applied after Electron migration; .app unsigned on darwin
