Sandbox blocks Go TLS cert verification on macOS (gh CLI fails)
Summary
Go-based CLI tools (notably gh) fail with TLS certificate verification errors when running inside the Claude Code sandbox on macOS. Tools using libcurl (curl, git) work fine.
Error
Post "https://api.github.com/graphql": tls: failed to verify certificate: x509: OSStatus -26276
Root Cause
Go's crypto/x509 package on macOS uses Security.framework via cgo for certificate verification. This requires mach service calls (likely com.apple.SecurityServer). The Claude Code sandbox appears to block these mach services, causing the cert verification to fail with errSecInternalComponent (OSStatus -26276).
Reproduction
- Add
github.comandapi.github.comtosandbox.network.allowedDomains - Run
gh api /rate_limitin sandbox → TLS error - Run
curl -s https://api.github.com/rate_limitin sandbox → works (200) - Run
gh api /rate_limitwithdangerouslyDisableSandbox: true→ works
Impact
Any Go binary that uses cgo TLS (default on macOS) will fail in the sandbox. gh is the most common case. Workaround is dangerouslyDisableSandbox: true per command, but this bypasses all sandbox restrictions rather than just the mach service needed for TLS.
Environment
- macOS 15.3 (Darwin 25.2.0)
- Claude Code (latest)
- gh 2.67.0
Suggested Fix
Allow mach-lookup for Security.framework services in the sandbox profile, or provide a per-tool sandbox override in settings.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗