TrimMyMac is signed with a named self-signed Code Signing certificate so
that the app's Designated Requirement (identifier + leaf cert) stays stable
across rebuilds. This is what lets the Full Disk Access (TCC) grant survive
scripts/build-app.sh runs. Ad-hoc signing (codesign -s -) bakes the cdhash
into the DR, so every rebuild looks like a brand-new app and FDA is lost.
- Open Keychain Access.
- Menu: Keychain Access ▸ Certificate Assistant ▸ Create a Certificate…
- Name: TrimMyMac Self-Signed Identity Type: Self Signed Root Certificate Type: Code Signing (optionally tick "Let me override defaults" to bump validity to e.g. 3650 days)
- Click Create, accept, Done. The cert + private key land in the login keychain.
security find-identity -v -p codesigning
# Expect a line like:
# 1) <40-hex> "TrimMyMac Self-Signed"The first codesign may prompt "codesign wants to use key ... in your keychain".
Click Always Allow. To pre-authorize non-interactively:
security set-key-partition-list \
-S apple-tool:,apple: \
-s -k "<your-login-keychain-password>" \
~/Library/Keychains/login.keychain-dbscripts/build-app.sh reads the identity name from $CODESIGN_IDENTITY
(default "TrimMyMac Self-Signed") and runs:
codesign --force -s "$CODESIGN_IDENTITY" --identifier com.hbh0112.trimmymac <app>
Note: not --deep (it re-signs nested code and is deprecated) and
not ad-hoc -s -.