codex

clone/codex

Fork 0

mirror of https://github.com/openai/codex.git synced 2026-05-02 18:37:01 +00:00

Commit Graph

Author	SHA1	Message	Date
jif-oai	21463a5074	fix alpha build (#19350 )	2026-04-24 13:36:05 +02:00
Ruslan Nigmatullin	e9165b9f40	ci: add macOS keychain entitlements (#19167 ) ## Summary - add macOS application and team identifiers to the release signing entitlements - add a Codex keychain access group for release-signed macOS binaries - keep the existing JIT entitlement unchanged ## Why Codex release binaries are signed with the OpenAI Developer ID team, but the current entitlements plist only grants JIT. macOS Keychain and Secure Enclave operations that create persistent keys can require the process to carry an application identifier and keychain access group. Adding these entitlements gives release-signed binaries a stable Keychain namespace for Codex-owned device keys. ## Validation - `plutil -lint .github/actions/macos-code-sign/codex.entitlements.plist`	2026-04-23 11:20:58 -07:00
Channing Conger	c23566b3af	Add JIT entitlement for macosx (#15409 ) Without this entitlement, hardened mac os release binaries are unable to allocate the executable memory for the JIT compiled JS. Tested with local signing. Without entitlement I reproduce the error: ``` # # Fatal process out of memory: Failed to reserve virtual memory for CodeRange # ==== C stack trace =============================== 0 codex 0x00000001075d1acc codex + 85760716 1 codex 0x00000001075d6a64 codex + 85781092 2 codex 0x00000001075c7100 codex + 85717248 3 codex 0x0000000107637394 codex + 86176660 4 codex 0x0000000107823cfc codex + 88194300 5 codex 0x000000010777c438 codex + 87508024 6 codex 0x000000010777d130 codex + 87511344 7 codex 0x0000000107c87a54 codex + 92797524 8 codex 0x0000000107641188 codex + 86217096 9 codex 0x00000001076412d8 codex + 86217432 10 codex 0x0000000107553908 codex + 85244168 11 codex 0x000000010465f124 codex + 36008228 12 codex 0x000000010466a0d0 codex + 36053200 13 codex 0x000000010466ce78 codex + 36064888 14 codex 0x000000010734edb0 codex + 83127728 15 libsystem_pthread.dylib 0x00000001810d3c08 _pthread_start + 136 16 libsystem_pthread.dylib 0x00000001810ceba8 thread_start + 8 zsh: trace trap target/release/codex exec --enable code_mode_only --enable code_mode -- ``` With the entitlement the exec succeeds.	2026-03-21 13:43:14 -07:00

Author

SHA1

Message

Date

jif-oai

21463a5074

fix alpha build (#19350 )

2026-04-24 13:36:05 +02:00

Ruslan Nigmatullin

e9165b9f40

ci: add macOS keychain entitlements (#19167 )

## Summary

- add macOS application and team identifiers to the release signing
entitlements
- add a Codex keychain access group for release-signed macOS binaries
- keep the existing JIT entitlement unchanged

## Why

Codex release binaries are signed with the OpenAI Developer ID team, but
the current entitlements plist only grants JIT. macOS Keychain and
Secure Enclave operations that create persistent keys can require the
process to carry an application identifier and keychain access group.
Adding these entitlements gives release-signed binaries a stable
Keychain namespace for Codex-owned device keys.

## Validation

- `plutil -lint
.github/actions/macos-code-sign/codex.entitlements.plist`

2026-04-23 11:20:58 -07:00

Channing Conger

c23566b3af

Add JIT entitlement for macosx (#15409 )

Without this entitlement, hardened mac os release binaries are unable to
allocate the executable memory for the JIT compiled JS.

Tested with local signing.  Without entitlement I reproduce the error:
```
#
# Fatal process out of memory: Failed to reserve virtual memory for CodeRange
#
==== C stack trace ===============================

    0   codex                               0x00000001075d1acc codex + 85760716
    1   codex                               0x00000001075d6a64 codex + 85781092
    2   codex                               0x00000001075c7100 codex + 85717248
    3   codex                               0x0000000107637394 codex + 86176660
    4   codex                               0x0000000107823cfc codex + 88194300
    5   codex                               0x000000010777c438 codex + 87508024
    6   codex                               0x000000010777d130 codex + 87511344
    7   codex                               0x0000000107c87a54 codex + 92797524
    8   codex                               0x0000000107641188 codex + 86217096
    9   codex                               0x00000001076412d8 codex + 86217432
    10  codex                               0x0000000107553908 codex + 85244168
    11  codex                               0x000000010465f124 codex + 36008228
    12  codex                               0x000000010466a0d0 codex + 36053200
    13  codex                               0x000000010466ce78 codex + 36064888
    14  codex                               0x000000010734edb0 codex + 83127728
    15  libsystem_pthread.dylib             0x00000001810d3c08 _pthread_start + 136
    16  libsystem_pthread.dylib             0x00000001810ceba8 thread_start + 8
zsh: trace trap  target/release/codex exec --enable code_mode_only --enable code_mode --
```

With the entitlement the exec succeeds.

2026-03-21 13:43:14 -07:00

3 Commits