Sandbox blocks Go TLS cert verification on macOS (gh CLI fails)

Open 💬 5 comments Opened Feb 28, 2026 by paulnsorensen

Summary

Go-based CLI tools (notably gh) fail with TLS certificate verification errors when running inside the Claude Code sandbox on macOS. Tools using libcurl (curl, git) work fine.

Error

Post "https://api.github.com/graphql": tls: failed to verify certificate: x509: OSStatus -26276

Root Cause

Go's crypto/x509 package on macOS uses Security.framework via cgo for certificate verification. This requires mach service calls (likely com.apple.SecurityServer). The Claude Code sandbox appears to block these mach services, causing the cert verification to fail with errSecInternalComponent (OSStatus -26276).

Reproduction

  1. Add github.com and api.github.com to sandbox.network.allowedDomains
  2. Run gh api /rate_limit in sandbox → TLS error
  3. Run curl -s https://api.github.com/rate_limit in sandbox → works (200)
  4. Run gh api /rate_limit with dangerouslyDisableSandbox: true → works

Impact

Any Go binary that uses cgo TLS (default on macOS) will fail in the sandbox. gh is the most common case. Workaround is dangerouslyDisableSandbox: true per command, but this bypasses all sandbox restrictions rather than just the mach service needed for TLS.

Environment

  • macOS 15.3 (Darwin 25.2.0)
  • Claude Code (latest)
  • gh 2.67.0

Suggested Fix

Allow mach-lookup for Security.framework services in the sandbox profile, or provide a per-tool sandbox override in settings.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗