update metadata and move install into scripts dir#2
Merged
staylor added a commit to staylor/agent-skill that referenced this pull request on May 5, 2026

…on smoke test

Three independently-motivated bug fixes in scripts/install.sh:

1. macOS Apple Silicon: nightly Mach-O is SIGKILLed at exec

   The lightpanda-aarch64-macos asset is killed by the kernel even with an ad-hoc / linker signature; ad-hoc re-signing locally does not help. Reproducing on M3 Pro / macOS 14.x; should be uniform across Apple Silicon but not directly tested on M1/M2/M4.

   Route ONLY Apple Silicon through the upstream Homebrew tap (lightpanda-io/browser/lightpanda), which builds from source. Intel macOS keeps the GitHub Release Mach-O path — I don't have an Intel Mac to test, the kernel-signing path is different on x86_64, and switching working users to a brew dependency unprompted would be over-aggressive.

2. Failed reruns destroy existing working binary

   SKILL.md documents reruns as the update path, but curl -L -o "$INSTALL_DIR/$BINARY_NAME" overwrites the install target during download. Atomic install via mktemp + verify + smoke-test + mv preserves the existing binary on any failure.

3. --version smoke test silently accepts broken binaries

   Lightpanda's CLI has no --version flag; running it logs '$msg=exit err=UnknownCommand' and exits 1. The current 2>/dev/null + --help fallback masks this, and the head -1 pipe at the end of the test means it succeeds on broken binaries that produce no output. Use the 'version' subcommand and capture stderr to surface real diagnostics like 'GLIBC_2.32 not found' on failure.

Smaller adjacent changes, each tightly motivated by the three above:

- set -euo pipefail (was set -e); curl -fSL (was -sL/-L). pipefail + -f propagate curl HTTP errors through curl | jq, replacing the misleading 'could not retrieve checksum' message.
- chmod 0755 instead of chmod a+x. Required because fix lightpanda-io#2 uses mktemp (0600); chmod a+x on top yields 0711 (owner-only readable).
- Apple Silicon PATH-shadow warning. A user upgrading from a pre-this-PR version still has a broken ~/.local/bin/lightpanda from the SIGKILL Mach-O, which shadows the new working brew binary in PATH — without the warning they still get SIGKILL after a successful brew install.
- LIGHTPANDA_DIR warning on Apple Silicon (brew owns the install path; the variable is silently ignored without this).
- SKILL.md Install section: per-OS callout describing the flow split.

Intentionally not included (offered as follow-ups):

- Optional $GITHUB_TOKEN for API quota
- PATH-shadow check on the shared download flow
staylor added a commit to staylor/agent-skill that referenced this pull request on May 5, 2026

…on smoke test

Three independently-motivated bug fixes in scripts/install.sh:

1. macOS Apple Silicon: AMFI rejects the release Mach-O at exec

   The lightpanda-aarch64-macos asset has a linker-signed ad-hoc signature without a CMS blob (`codesign -dv` shows flags=0x20002(adhoc,linker-signed)). AMFI on Apple Silicon enforces stricter requirements outside trusted prefixes; from /tmp or ~/.local/bin the kernel rejects it as 'Unrecoverable CT signature issue, bailing out' and SIGKILLs at exec. Re-signing locally with `codesign -s -` adds a CMS blob but AMFI then rejects with error -423 (adhoc signed by unknown chain).

   Verified empirically: same byte-identical Mach-O runs from /opt/homebrew/Cellar/lightpanda/.../bin/lightpanda but is SIGKILLed from /tmp/. Copying the broken curl-downloaded bytes INTO the brew path makes them run. So the trust is path-based, not byte-based.

   The Lightpanda brew formula does NOT build from source (verified via `brew cat`) — it just downloads the same Mach-O and runs `bin.install` to place it at /opt/homebrew/Cellar/.../bin/lightpanda, which AMFI exempts from the strict ad-hoc signature check.

   Reproducing on M3 Pro / macOS 14.x; should be uniform across Apple Silicon but not directly tested on M1/M2/M4. Intel macOS keeps the GitHub Release Mach-O path — Apple Silicon's stricter AMFI enforcement is arm64-specific and I don't have an Intel Mac to test.

2. Failed reruns destroy existing working binary

   SKILL.md documents reruns as the update path, but curl -L -o "$INSTALL_DIR/$BINARY_NAME" overwrites the install target during download. Atomic install via mktemp + verify + smoke-test + mv preserves the existing binary on any failure.

3. --version smoke test silently accepts broken binaries

   Lightpanda's CLI has no --version flag; running it logs '$msg=exit err=UnknownCommand' and exits 1. The current 2>/dev/null + --help fallback masks this, and the head -1 pipe at the end means it succeeds on broken binaries that produce no output. Use the 'version' subcommand and capture stderr to surface real diagnostics like 'GLIBC_2.32 not found' on failure.

Smaller adjacent changes, each tightly motivated by the three above:

- set -euo pipefail (was set -e); curl -fSL (was -sL/-L). pipefail + -f propagate curl HTTP errors through curl | jq, replacing the misleading 'could not retrieve checksum' message.
- chmod 0755 instead of chmod a+x. Required because fix lightpanda-io#2 uses mktemp (0600); chmod a+x on top yields 0711 (owner-only readable).
- Apple Silicon PATH-shadow warning. A user upgrading from a pre-this-PR version still has the rejected ~/.local/bin/lightpanda (the linker-signed Mach-O) which shadows the new working brew binary in PATH — without the warning they still get SIGKILL after a successful brew install.
- LIGHTPANDA_DIR warning on Apple Silicon (brew owns the install path; the variable is silently ignored without this).
- SKILL.md Install section: per-OS callout describing the flow split.

Better long-term fix (out of scope for this PR): upstream-side, the build pipeline producing the GitHub Release assets should apply a proper ad-hoc signature with a CMS blob (or, better, Developer ID + notarization). The release Mach-O would then run from anywhere and this workaround wouldn't be needed.

Intentionally not included (offered as follow-ups):

- Optional $GITHUB_TOKEN for API quota
- PATH-shadow check on the shared download flow
- Upstream-side signing fix (separate repo)
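Both commit messages above describe the same install-script changes (fixes 2 and 3 plus the chmod 0755 and set -euo pipefail adjustments). The following is an added example, not the PR's own scripts/install.sh, of that pattern: download into a mktemp file next to the destination, verify the checksum, smoke-test with the 'version' subcommand while keeping stderr, chmod 0755, and only then mv into place. Assumptions: `fetch` copies a local file in place of `curl -fSL` so the example runs offline, and the "binaries" are constructed shell scripts that stand in for a working and a broken build.

```shell
# Added example, not the PR's scripts/install.sh: atomic install as the commit message
# describes it. Download to a mktemp file, verify the checksum, smoke-test with the
# 'version' subcommand (stderr captured), chmod 0755, then mv into place; any failure
# leaves the currently installed binary untouched.
set -eu
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi   # -euo pipefail where supported
# Stand-in for 'curl -fSL -o "$2" "$1"'; to run offline it copies a local file (assumption).
fetch() { cp -- "$1" "$2"; }
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}
# Run 'BIN version' and keep stderr: 2>/dev/null would hide loader errors like GLIBC_2.32.
smoke_test() {
  local out
  if ! out=$("$1" version 2>&1); then printf 'smoke test failed:\n%s\n' "$out" >&2; return 1; fi
}
# atomic_install URL DEST SHA256: DEST is replaced only after every check has passed.
atomic_install() {
  local url="$1" dest="$2" expected="$3" tmp
  tmp=$(mktemp "$dest.XXXXXX")                 # same directory, so the final mv is a rename
  if ! fetch "$url" "$tmp"; then echo "download failed" >&2; rm -f -- "$tmp"; return 1; fi
  if [ "$(sha256_of "$tmp")" != "$expected" ]; then
    echo "checksum mismatch" >&2; rm -f -- "$tmp"; return 1
  fi
  chmod 0755 "$tmp"                            # mktemp made it 0600; a+x would yield 0711
  if ! smoke_test "$tmp"; then rm -f -- "$tmp"; return 1; fi
  mv -f -- "$tmp" "$dest"
}
# Constructed fixtures: tiny shell scripts standing in for a working and a broken binary.
fake_good() { printf '#!/bin/sh\n[ "${1:-}" = version ] && { echo "%s"; exit 0; }\nexit 1\n' "$2" >"$1"; chmod 0755 "$1"; }
fake_broken() { printf '#!/bin/sh\necho "GLIBC_2.32 not found (required by lightpanda)" >&2\nexit 1\n' >"$1"; chmod 0755 "$1"; }
# demo: returns 0 only if a broken candidate and a bad checksum both leave the old binary
# in place while a good candidate replaces it.
demo() {
  local dir dest before
  dir=$(mktemp -d); dest="$dir/lightpanda"
  fake_good "$dest" "lightpanda old-build"; before=$(sha256_of "$dest")
  fake_broken "$dir/bad.dl"; fake_good "$dir/new.dl" "lightpanda new-build"
  if atomic_install "$dir/bad.dl" "$dest" "$(sha256_of "$dir/bad.dl")" 2>/dev/null; then return 1; fi
  [ "$(sha256_of "$dest")" = "$before" ] || return 1
  if atomic_install "$dir/new.dl" "$dest" 0000deadbeef 2>/dev/null; then return 1; fi
  [ "$(sha256_of "$dest")" = "$before" ] || return 1
  atomic_install "$dir/new.dl" "$dest" "$(sha256_of "$dir/new.dl")" || return 1
  [ "$("$dest" version)" = "lightpanda new-build" ] || return 1
  rm -rf -- "$dir"
}
```

Running `demo` exercises the three outcomes in a throwaway directory; swapping `fetch` for the real curl call gives the shape of the install the commit message describes.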
No description provided.