Sandbox breaks TLS for Go binaries using macOS Security.framework (gh, brew, etc.)
Resolved 💬 3 comments Opened Apr 14, 2026 by sbcatania Closed Apr 18, 2026
Bug description
As of Claude Code v2.1.107, the command sandbox breaks TLS certificate verification for Go binaries that use the macOS Security.framework for TLS (e.g. gh, brew). Commands like curl that use LibreSSL/OpenSSL continue to work fine.
Error
$ gh auth status
Get "https://api.github.com/user": tls: failed to verify certificate: x509: OSStatus -26276
OSStatus -26276 is errSecInvalidCertAuthority — the Security.framework cannot verify the certificate chain, likely because the sandbox restricts keychain or Security.framework API access.
Reproduction
- Install
ghvia Homebrew on macOS - Authenticate normally (
gh auth login) - Open Claude Code v2.1.107
- Run any
ghcommand (e.g.gh auth status,gh api user) - Observe TLS failure
Key observations
curlworks fine (uses LibreSSL, not Security.framework)ghfails (Go binary, links againstSecurity.frameworkfor TLS)brew infoalso fails to fetch from APIs (same root cause)otool -L /opt/homebrew/bin/ghconfirms it links against/System/Library/Frameworks/Security.framework/Versions/A/Security- Setting
SSL_CERT_FILEdoes not help because Go ignores it when using the native macOS TLS backend - Unsetting proxy env vars (
HTTPS_PROXY, etc.) does not help - The issue started today with the update to v2.1.107;
ghv2.89.0 (installed April 6) was working in previous Claude Code versions
Environment
- macOS 26.4.1 (Darwin 25.4.0, arm64)
- Claude Code v2.1.107
- gh v2.89.0 (Homebrew)
Workaround
Using curl directly against APIs works since it does not use Security.framework. No practical workaround exists for gh itself within the sandbox.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗