Skip to content

installMacOS.bash: detect expired cert and stop nuking the source tree#909

Open
mairas wants to merge 1 commit into
yaqwsx:masterfrom
mairas:fix/installMacOS-robustness
Open

installMacOS.bash: detect expired cert and stop nuking the source tree#909
mairas wants to merge 1 commit into
yaqwsx:masterfrom
mairas:fix/installMacOS-robustness

Conversation

@mairas

@mairas mairas commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Two papercuts that bit me on a second -e install today.

  • codesign reports an expired self-signed identity as no identity found, costing a lot of debugging time. Pre-flight check rejects an expired/missing cert with a clear message and a hint to recreate it with a long validity period. Multiple certs sharing the common name are tolerated — the install proceeds if any of them is still valid, since codesign will pick one of those.
  • KiCad ships pip 22.0.4 with its bundled framework Python. With legacy setuptools, pip install -e . registers source-tree files in the install RECORD, so the next install's uninstall step then deletes the working copy before the new install runs. Pre-uninstall any existing kikit from a scratch directory so a bogus RECORD has nothing local to harm.

Both checks are no-ops on a clean first run.

Test plan

  • Cert check: valid identity → proceed.
  • Cert check: no matching cert → clear error, exit 1.
  • Cert check: all matching certs expired → clear error with the latest end date, exit 1.
  • Pre-uninstall block: re-running sudo ./scripts/installMacOS.bash -e against an existing editable install on macOS 26.3.1 + KiCad 10.0.1 no longer deletes the source tree.

🤖 Generated with Claude Code

… RECORD bug

`codesign` reports an expired self-signed code-signing identity as
"no identity found", which is misleading and a known source of long
debugging sessions. Verify that at least one certificate with the
configured common name is unexpired before invoking codesign, and abort
with an actionable message otherwise (recreate the cert, ideally with a
multi-year validity period).

Additionally, KiCad ships pip 22.0.4 with its bundled framework Python.
Combined with legacy setuptools, `pip install -e .` registers source-tree
files in the install RECORD. A subsequent reinstall therefore uninstalls
the previous version using that RECORD and silently deletes the source
checkout before the new install runs. Pre-emptively uninstall any
existing kikit from a scratch directory so any stale relative paths in
the RECORD resolve to nothing and cannot harm the source tree.

Both checks are no-ops on a healthy first run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant