fix: harden restart-mac signing (#580) (thanks @jeffersonwarrior)

CHANGELOG.md

@@ -37,6 +37,7 @@
 - Gateway/Control UI: make `chat.send` non-blocking, wire Stop to `chat.abort`, and treat `/stop` as an out-of-band abort. (#653)
 - Gateway/Control UI: allow `chat.abort` without `runId` (abort active runs), suppress post-abort chat streaming, and prune stuck chat runs. (#653)
 - Gateway/Control UI: sniff image attachments for chat.send, drop non-images, and log mismatches. (#670) — thanks @cristip73.
+- macOS: force `restart-mac.sh --sign` to require identities and keep bundled Node signed for relay verification. (#580) — thanks @jeffersonwarrior.
 - Gateway/Agent: accept image attachments on `agent` (multimodal message) and add live gateway image probe (`CLAWDBOT_LIVE_GATEWAY_IMAGE_PROBE=1`).
 - CLI: `clawdbot sessions` now includes `elev:*` + `usage:*` flags in the table output.
 - CLI/Pairing: accept positional provider for `pairing list|approve` (npm-run compatible); update docs/bot hints.

scripts/package-mac-app.sh

@@ -294,7 +294,7 @@ package_relay_node() {
     cp "$relay_node_build_dir/node-${BUILD_ARCHS[0]}" "$relay_node"
   fi
   chmod +x "$relay_node"
-  if [[ "${STRIP_NODE:-1}" == "1" ]]; then
+  if [[ "${STRIP_NODE:-0}" == "1" ]]; then
     /usr/bin/strip -x "$relay_node" 2>/dev/null || true
   fi
   rm -rf "$relay_node_build_dir"

scripts/restart-mac.sh

@@ -68,14 +68,8 @@ acquire_lock() {
 }
 
 check_signing_keys() {
-  local available_identities
-  available_identities="$(security find-identity -p codesigning -v 2>/dev/null | grep -E '(Developer ID Application|Apple Distribution|Apple Development)' || true)"
-  
-  if [ -n "$available_identities" ]; then
-    return 0
-  else
-    return 1
-  fi
+  security find-identity -p codesigning -v 2>/dev/null \
+    | grep -Eq '(Developer ID Application|Apple Distribution|Apple Development)'
 }
 
 trap cleanup EXIT INT TERM
@@ -98,6 +92,10 @@ for arg in "$@"; do
   esac
 done
 
+if [[ "$NO_SIGN" -eq 1 && "$SIGN" -eq 1 ]]; then
+  fail "Cannot use --sign and --no-sign together"
+fi
+
 mkdir -p "$(dirname "$LOG_PATH")"
 rm -f "$LOG_PATH"
 exec > >(tee "$LOG_PATH") 2>&1
@@ -153,6 +151,9 @@ if [ "$NO_SIGN" -eq 1 ]; then
   export ALLOW_ADHOC_SIGNING=1
   export SIGN_IDENTITY="-"
 elif [ "$SIGN" -eq 1 ]; then
+  if ! check_signing_keys; then
+    fail "No signing identity found. Use --no-sign or install a signing key."
+  fi
   unset ALLOW_ADHOC_SIGNING
   unset SIGN_IDENTITY
 fi

src/cli/update-cli.test.ts

@@ -26,15 +26,13 @@ vi.mock("../runtime.js", () => ({
 }));
 
 describe("update-cli", () => {
-  it(
-    "exports updateCommand and registerUpdateCli",
-    async () => {
-      const { updateCommand, registerUpdateCli } = await import("./update-cli.js");
-      expect(typeof updateCommand).toBe("function");
-      expect(typeof registerUpdateCli).toBe("function");
-    },
-    20_000,
-  );
+  it("exports updateCommand and registerUpdateCli", async () => {
+    const { updateCommand, registerUpdateCli } = await import(
+      "./update-cli.js"
+    );
+    expect(typeof updateCommand).toBe("function");
+    expect(typeof registerUpdateCli).toBe("function");
+  }, 20_000);
 
   it("updateCommand runs update and outputs result", async () => {
     const { runGatewayUpdate } = await import("../infra/update-runner.js");