Remote daemon (~/.claude/remote/server) ships adhoc-codesigned, breaks Keychain partition-list ACLs on auto-update

Resolved 💬 1 comment Opened Apr 26, 2026 by rjlg Closed May 28, 2026

Summary

The ~/.claude/remote/server daemon ships adhoc-codesigned (Signature=adhoc, Identifier=a.out, TeamIdentifier=not set), which silently breaks macOS Keychain partition-list ACLs whenever the daemon binary is replaced by an auto-update. The sibling ccd-cli binary in the same directory is properly Developer-ID signed under Anthropic PBC (Q6L2SF6YDW), so this looks like a build-pipeline gap rather than an intentional choice.

Diagnosis

codesign -dvvv ~/.claude/remote/server (Apr 26 2026 build, mtime 16:11 PT):

Executable=/Users/nabu/.claude/remote/server
Identifier=a.out
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=45950 flags=0x20002(adhoc,linker-signed) hashes=1433+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

codesign -dvvv ~/.claude/remote/ccd-cli/2.1.119 for comparison:

Executable=/Users/nabu/.claude/remote/ccd-cli/2.1.119
Identifier=com.anthropic.claude-code
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1654533 flags=0x10000(runtime) hashes=51693+7 location=embedded
Signature size=9046
Authority=Developer ID Application: Anthropic PBC (Q6L2SF6YDW)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=24 Apr 2026 at 7:02:27 am
Info.plist entries=3
TeamIdentifier=Q6L2SF6YDW
Runtime Version=14.5.0

macOS Keychain walks the calling chain when evaluating partition trust. The adhoc daemon at the root of the chain causes the call to be treated as unsigned: partition, even though every binary closer to /usr/bin/security is properly Apple- or Developer-ID-signed:

my-command  ->  /bin/zsh (Apple-signed)
                    ^ called by
                ~/.claude/remote/ccd-cli/<version>  (Developer ID: Anthropic Q6L2SF6YDW, OK)
                    ^ called by
                ~/.claude/remote/server  (Signature=adhoc, root of chain)

Reproduction

  1. Add a generic-password keychain item with a restrictive partition list:

``bash
security add-generic-password \
-s "test-token" -a "test-account" -w "TESTVALUE"
security set-generic-password-partition-list \
-s "test-token" -a "test-account" \
-S "apple-tool:,apple:" \
-k "$LOGIN_PASSWORD"
``

  1. From inside Claude Code's bash tool, run:

``bash
/usr/bin/security find-generic-password -s "test-token" -a "test-account" -w
``

  1. Observe exit code 36 (errSecAuthFailed), no value returned.
  2. Run the same command from a non-Claude-Code interactive Terminal session: succeeds.

Impact

Users who run automation through Claude Code's bash tool that depends on Keychain-stored secrets (e.g., commit signing via 1Password service-account tokens, headless OAuth, etc.) experience silent breakage every time the daemon is auto-updated. The only workaround today is adding unsigned: to every affected keychain item's partition list, which broadens the ACL to permit any unsigned binary on the user's system, weakening security posture.

Expected behaviour

~/.claude/remote/server should ship Developer-ID signed under Anthropic PBC (Q6L2SF6YDW), matching the sibling ccd-cli binary. That way:

  • Existing partition lists with apple: and developer-id: entries continue to work across daemon updates.
  • Users don't need to maintain ACL workarounds.
  • Codesigning provides supply-chain integrity guarantees that are missing from adhoc / linker-signed.

Environment

  • macOS: 26.4.1
  • Claude Code version: 2.1.119 (latest at time of filing; release dated 2026-04-23)
  • Daemon mtime: Apr 26 2026 16:11 PT
  • Earlier daemon builds (pre Apr 26) worked correctly with apple-tool:,apple: partitions on the same machine, suggesting this is a regression in the Apr 26 daemon drop bundled with 2.1.119.

Workaround in place

Per-item partition list expanded to include unsigned::

security set-generic-password-partition-list \
  -a "<account>" -s "<service>" \
  -S "apple-tool:,apple:,unsigned:"

Will rescind once the daemon is properly signed.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗