19 changes: 13 additions & 6 deletions Scripts/compile_and_run.sh
Expand Up @@ -20,6 +20,14 @@ SIGNING_MODE="${CODEXBAR_SIGNING:-}"
log() { printf '%s\n' "$*"; }
fail() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

delete_keychain_service_items() {
local service="$1"
security delete-generic-password -s "${service}" >/dev/null 2>&1 || true
while security delete-generic-password -s "${service}" >/dev/null 2>&1; do
:
done
}

has_signing_identity() {
local identity="${1:-}"
if [[ -z "${identity}" ]]; then
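Review bot: In delete_keychain_service_items, the loop stops on any non-zero exit from `security delete-generic-password`, not only when no matching item is left, and both stdout and stderr are sent to /dev/null. A delete that fails for some other reason is therefore indistinguishable from "nothing left to delete", and stale items stay behind without a log line. Consider keeping stderr (or checking the exit status) and logging a warning when the failure is not "item not found". Two smaller points: the first call with `|| true` is redundant, because a `while` whose condition fails on the first pass just skips the body, and `service` is never checked for being empty before it is passed to `-s`.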
Expand Down Expand Up @@ -180,12 +188,11 @@ kill_claude_probes
# 2.5) Delete keychain entries to avoid permission prompts with adhoc signing
# (adhoc signature changes on every build, making old keychain entries inaccessible)
if [[ "${SIGNING_MODE:-adhoc}" == "adhoc" ]]; then
log "==> Clearing keychain entries (adhoc signing)"
security delete-generic-password -s "com.steipete.CodexBar" 2>/dev/null || true
# Clear all keychain items for the app to avoid multiple prompts
while security delete-generic-password -s "com.steipete.CodexBar" 2>/dev/null; do
:
done
log "==> Clearing CodexBar keychain entries (adhoc signing)"
# Clear both the legacy keychain store and the current cache service. Leaving CodexBar-owned caches behind causes
# fresh adhoc-signed builds to re-open stale ACLs and repeatedly prompt for keychain access/password approval.
delete_keychain_service_items "com.steipete.CodexBar"
delete_keychain_service_items "com.steipete.codexbar.cache"
fi

# 3) Package (release build happens inside package_app.sh).
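Review bot: The two service names passed to delete_keychain_service_items in the adhoc branch are bare string literals with different casing (`com.steipete.CodexBar` and `com.steipete.codexbar.cache`), and because the helper discards all output, a name that does not match what the app actually writes would be a silent no-op. Consider defining both once as named variables near the top of the script, with a comment pointing to where the app declares them, and logging per service whether anything was removed. Note also that the match is on service name only, so every generic-password item under these services is deleted regardless of account; a short comment saying that is intended would help the next reader.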
8 changes: 8 additions & 0 deletions docs/DEVELOPMENT_SETUP.md
Expand Up @@ -15,6 +15,9 @@ When developing CodexBar, you may see frequent keychain permission prompts like:
> **CodexBar wants to access key "Claude Code-credentials" in your keychain.**

This happens because each rebuild creates a new code signature, and macOS treats it as a "different" app.
That can affect both CodexBar-owned entries (`com.steipete.CodexBar`, `com.steipete.codexbar.cache`) and
third-party items such as `Claude Code-credentials`, so an ad-hoc-signed rebuild can keep re-triggering
password/keychain approval dialogs even after you previously chose **Always Allow**.

### Quick Fix (Temporary)

Expand Down Expand Up @@ -101,6 +104,11 @@ This script:
5. Launches `CodexBar.app`
6. Verifies it stays running

When the script falls back to ad-hoc signing, it also clears CodexBar-owned keychain services before relaunching so
the new build does not inherit stale ACLs from the previous app identity.
This reduces repeat prompts for CodexBar-managed cache entries, but third-party keychain items still need stable
signing if you want macOS to remember **Always Allow** across rebuilds.

### Quick Build (No Tests)

```bash
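Review bot: The paragraph added after the step list says the script "clears CodexBar-owned keychain services" but does not say that the items are deleted, or which services are affected. Suggest naming `com.steipete.CodexBar` and `com.steipete.codexbar.cache` here and stating that their entries are removed on each ad-hoc run, so developers know that anything stored under them will not survive a rebuild. The wording "falls back to ad-hoc signing" is also narrower than the script's check `"${SIGNING_MODE:-adhoc}" == "adhoc"`, which matches when ad-hoc mode is selected explicitly as well; "when the script uses ad-hoc signing" would describe it accurately.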