fix(release): add missing Intel V8 signing entitlement #30953

Open
malsamiri-oai wants to merge 1 commit into main from codex/se-8006-intel-v8-entitlement

Conversation

@malsamiri-oai

Collaborator

Why

Intel macOS release binaries crash on the first Code Mode tool call while V8 creates its code range. The x86_64 V8 allocator later makes a non-MAP_JIT reservation executable, which Hardened Runtime rejects when the signature contains only com.apple.security.cs.allow-jit.

Tracks SE-8006.
Fixes #28390.

What

  • add an expanded entitlement profile only for x86_64 codex and codex-app-server, the release binaries that link V8
  • keep arm64 and codex-responses-api-proxy on the existing narrower profile
  • share one fail-closed target/binary selector between signing and final verification
  • verify the expected Mach-O architecture and exact entitlement dictionary for the signed binary, tar.gz, zstd, package, and DMG copies

Verification

  • just test-github-scripts (34 tests)
  • UV_CACHE_DIR=/private/tmp/codex-uv-cache just fmt-check
  • bash -n .github/scripts/macos-signing/select_codex_entitlements.sh
  • plutil -lint on both entitlement profiles
  • parsed rust-release.yml as YAML
  • git diff --check
  • ad-hoc Hardened Runtime signing smoke on an x86_64 Mach-O slice: strict codesign verification passed; the Codex profile contained exactly both keys and the proxy profile retained exactly allow-jit

Release validation

Run a native Intel smoke of the final Developer ID-signed x86_64 Codex binary through V8 isolate creation before shipping. PR #30849 is diagnostic scaffolding, but its non-sandbox release job currently fails in the harness before V8 starts, so it is not counted as coverage here.
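The fail-closed target/binary selector and the exact-entitlement check described above, as an added example (not the PR's own select_codex_entitlements.sh). It assumes the expanded x86_64 profile's second key is com.apple.security.cs.allow-unsigned-executable-memory, which the PR text does not name, and it compares against a plist file rather than a signed binary, so it runs without codesign.

```bash
#!/usr/bin/env bash
# Added example, not the PR's script. Assumed: the expanded x86_64 profile's
# second key is com.apple.security.cs.allow-unsigned-executable-memory; the
# target triples and sample plists below are constructed for illustration.
set -eu
# Expected entitlement keys, one per line, for a target/binary pair.
# Fail closed: a pair that is not listed is an error, never a default profile.
expected_entitlement_keys() {
  local target="$1" binary="$2"
  case "${target}/${binary}" in
    x86_64-apple-darwin/codex|x86_64-apple-darwin/codex-app-server)
      printf '%s\n' com.apple.security.cs.allow-jit \
        com.apple.security.cs.allow-unsigned-executable-memory ;;
    aarch64-apple-darwin/codex|aarch64-apple-darwin/codex-app-server| \
    x86_64-apple-darwin/codex-responses-api-proxy| \
    aarch64-apple-darwin/codex-responses-api-proxy)
      printf '%s\n' com.apple.security.cs.allow-jit ;;
    *) echo "refusing to select entitlements for ${target}/${binary}" >&2; return 1 ;;
  esac
}
# Key/value pairs in an entitlements plist as "<key>NAME</key><true/>" lines.
# Whitespace is stripped so layout does not matter; a <false/> or <string>
# value stays visible and fails the comparison below.
plist_entitlement_pairs() {
  tr -d ' \t\n' < "$1" | grep -o '<key>[^<]*</key><[a-z/]*>' | sort
}
# Exact-dictionary check: every expected key set to true, and nothing else.
verify_entitlements() {
  local plist="$1" target="$2" binary="$3" keys expected actual
  keys="$(expected_entitlement_keys "$target" "$binary")" || return 1
  expected="$(printf '%s\n' "$keys" | sed 's|.*|<key>&</key><true/>|' | sort)"
  actual="$(plist_entitlement_pairs "$plist")"
  if [ "$expected" != "$actual" ]; then
    printf 'entitlement mismatch for %s/%s in %s\nexpected:\n%s\nactual:\n%s\n' \
      "$target" "$binary" "$plist" "$expected" "$actual" >&2
    return 1
  fi
}
# Constructed sample profile writer (stand-in for the repo's plist files).
write_sample_profile() {
  local out="$1"; shift
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    for k in "$@"; do printf '  <key>%s</key>\n  <true/>\n' "$k"; done
    printf '</dict>\n</plist>\n'
  } > "$out"
}
```

Source the file and call `verify_entitlements path/to/profile.plist x86_64-apple-darwin codex`; a non-zero exit with the expected/actual listing on stderr is the signal to stop the release step.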

@malsamiri-oai malsamiri-oai requested a review from a team as a code owner July 2, 2026 21:46