[BUG] macOS sandbox blocks Security.framework TLS verification, breaking Go binaries (gh, terraform, etc.)

Open 💬 8 comments Opened Feb 5, 2026 by connorjbeatty

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Bug Description

When sandbox mode is enabled via managed-settings.json, any Go-based CLI tool (gh, terraform, kubectl, aws-cli, etc.) fails with:
tls: failed to verify certificate: x509: OSStatus -26276

Root Cause

Go on macOS uses cgo to call Security.framework for TLS certificate verification. The sandbox blocks these syscalls. Python (which uses OpenSSL) works fine in the same sandbox.

Evidence

  • gh api user inside sandbox → x509 error
  • python3 urllib.request.urlopen('https://api.github.com') inside sandbox → works
  • gh api user outside sandbox → works
  • Disabling sandbox → gh works
  • Setting SSL_CERT_FILE, GIT_SSL_CAINFO, copying certs locally → still fails
  • Using GH_TOKEN env var (bypassing keyring) → still fails
  • Zscaler disabled → still fails
  • Removing network settings from managed-settings.json → still fails

What Should Happen?

Go binaries should be able to verify TLS certificates when making HTTPS requests to allowed domains.

Error Messages/Logs

Error: Exit code 1
     Get "https://api.github.com/user": tls: failed to verify certificate: x509: OSStatus -26276

Steps to Reproduce

Reproduction Steps

  1. Enable sandbox in managed-settings.json with "enabled": true
  2. Add api.github.com to allowedDomains
  3. Run gh api user inside Claude Code

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.31 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Suggested Fix

Either allowlist Security.framework syscalls for TLS verification in the sandbox profile, or automatically set SSL_CERT_FILE to a bundled/accessible cert store for sandboxed processes.

View original on GitHub ↗

This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗