From b36052994f0be195da327c42c24bdc0d595f34a7 Mon Sep 17 00:00:00 2001
From: Patryk Radziszewski <patryk@chef.ski>
Date: Tue, 24 Feb 2026 19:57:26 +0000
Subject: [PATCH] fix: strip keychain-access-groups entitlement in release
 builds

The release build was being killed by AMFI on macOS 15.7+ because it
shipped with a keychain-access-groups entitlement but no provisioning
profile to validate it. The dev build already strips this entitlement
when no profile is present. This aligns the release build default.

Closes #27, closes #29, closes #34
---
 Scripts/sign-and-notarize.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Scripts/sign-and-notarize.sh b/Scripts/sign-and-notarize.sh
index 6c17bf39..54d2633d 100755
--- a/Scripts/sign-and-notarize.sh
+++ b/Scripts/sign-and-notarize.sh
@@ -52,7 +52,7 @@ if [[ -z "$APP_BUNDLE" ]]; then
 fi
 
 echo "Signing with $APP_IDENTITY"
-export REPOBAR_SKIP_KEYCHAIN_GROUPS="${REPOBAR_SKIP_KEYCHAIN_GROUPS:-0}"
+export REPOBAR_SKIP_KEYCHAIN_GROUPS="${REPOBAR_SKIP_KEYCHAIN_GROUPS:-1}"
 ./Scripts/codesign_app.sh "$APP_BUNDLE" "$APP_IDENTITY"
 
 DITTO_BIN=${DITTO_BIN:-/usr/bin/ditto}