codex - 💡(How to fix) Fix macOS npm alpha 0.125.0-alpha.1 is killed by AMFI due to new keychain entitlements [2 comments, 3 participants]

openai/codex#19335, fetched 2026-04-25 06:11:26


What version of Codex CLI is running?

codex-cli 0.125.0-alpha.1

Installed via:

npm install -g @openai/codex@alpha

npm ls -g --depth=0 @openai/codex reports:

/opt/homebrew/lib
└── @openai/codex@0.125.0-alpha.1

What subscription do you have?

N/A. The binary is killed before auth, config, model selection, or startup can run.

Which model were you using?

N/A. The binary is killed before startup.

What platform is your computer?

Darwin 25.2.0 arm64 arm

What terminal emulator and version are you using, if applicable?

Reproduces outside the interactive TUI path. I reproduced it through zsh, the npm launcher, and direct invocation of the platform binary. The process exits before terminal-specific behavior matters.

What issue are you seeing?

After updating to the latest npm alpha, codex is killed immediately on macOS. Even lightweight commands like codex --version and codex --help fail before printing anything.

Shell-level reproduction shows exit 137:

zsh -lc 'codex --version; printf "exit=%s\n" "$?"'
# exit=137

The same happens when invoking the Darwin arm64 platform binary directly:

zsh -lc '/opt/homebrew/lib/node_modules/@openai/codex/node_modules/@openai/codex-darwin-arm64/vendor/aarch64-apple-darwin/codex/codex --version; printf "exit=%s\n" "$?"'
# exit=137

macOS logs point to AMFI rejecting the binary because of restricted entitlements:

amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found"
amfid: .../codex not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found"
kernel: AMFI: bailing out because of restricted entitlements.
kernel: Code has restricted entitlements, but the validation of its code signature failed.
kernel: proc ...: load code signature error 4 for file "codex"

The signed 0.125.0-alpha.1 Darwin arm64 binary contains these entitlements:

com.apple.application-identifier = 2DC432GLL2.com.openai.codex
com.apple.developer.team-identifier = 2DC432GLL2
com.apple.security.cs.allow-jit = true
keychain-access-groups = [2DC432GLL2.com.openai.codex]

By comparison, the previous Darwin arm64 artifacts I checked only carry com.apple.security.cs.allow-jit.

What steps can reproduce the bug?

  1. On macOS arm64, install the current alpha:

    npm install -g @openai/codex@alpha
  2. Run:

    codex --version
  3. Observe the process being killed with exit 137.

  4. Check system logs:

    /usr/bin/log show --last 30m --style compact --predicate '(eventMessage CONTAINS[c] "No matching profile found" OR eventMessage CONTAINS[c] "restricted entitlements" OR eventMessage CONTAINS[c] "load code signature error 4")'

I also ruled out local config by running the unpacked npm artifacts with a clean environment and temp HOME / CODEX_HOME:

# 0.124.0 Darwin arm64 artifact
codex-cli 0.124.0
exit_124=0

# 0.125.0-alpha.1 Darwin arm64 artifact
exit_125=137

The 0.125.0-alpha.1 installed binary and the clean npm tarball binary have the same SHA256:

6e32ee4f294afd0eb897f695b71fa56a7ce1d0949a44317ac3ef0e6eaeb16228

What is the expected behavior?

codex --version, codex --help, and the interactive CLI should launch normally after installing @openai/codex@alpha from npm.

Additional information

This looks related to PR #19167, ci: add macOS keychain entitlements, which changed .github/actions/macos-code-sign/codex.entitlements.plist from only:

<key>com.apple.security.cs.allow-jit</key>
<true/>

to also include:

<key>com.apple.application-identifier</key>
<string>2DC432GLL2.com.openai.codex</string>
<key>com.apple.developer.team-identifier</key>
<string>2DC432GLL2</string>
<key>keychain-access-groups</key>
<array>
  <string>2DC432GLL2.com.openai.codex</string>
</array>

That change is present in rust-v0.125.0-alpha.1, and the 0.125.0-alpha.1 npm Darwin arm64 artifact is the first artifact I found where the standalone CLI binary has those restricted entitlements.

This is adjacent to #17447, but appears to be a narrower npm alpha regression rather than the Homebrew cask/quarantine/provenance issue described there.

Local workaround:

codesign --force --sign - /opt/homebrew/lib/node_modules/@openai/codex/node_modules/@openai/codex-darwin-arm64/vendor/aarch64-apple-darwin/codex/codex

After ad-hoc re-signing, codex --version, codex --help, and codex --yolo launch normally. That removes the restricted entitlements locally, so it is only a workaround. The likely fix is to avoid applying restricted keychain access-group entitlements to standalone npm CLI binaries unless the release signing/provisioning path validates them for direct execution.
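
One way to catch this before a release is signed, as an added example (not code from the issue or from the Codex project): a check that parses an entitlements plist and reports the keys this issue identifies as restricted. The key list comes from this page only, the sample plists are constructed by wrapping the fragments quoted above, and `ok_for_standalone_cli` with its `profile_validated` flag is a hypothetical gate.

```python
import plistlib
import sys

# Keys the issue names as the newly added restricted entitlements.
# This list comes from the page only; it is not an exhaustive Apple list.
RESTRICTED_KEYS = (
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
    "keychain-access-groups",
)

def _wrap(fragment: str) -> bytes:
    """Wrap the key/value fragments quoted in the issue in a full XML plist."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
            + fragment + "\n</dict></plist>\n").encode()

# Constructed samples, built from the two fragments quoted in the issue.
JIT_ONLY = "<key>com.apple.security.cs.allow-jit</key>\n<true/>"
BEFORE = _wrap(JIT_ONLY)
AFTER = _wrap(
    JIT_ONLY
    + "\n<key>com.apple.application-identifier</key>"
    + "\n<string>2DC432GLL2.com.openai.codex</string>"
    + "\n<key>com.apple.developer.team-identifier</key>"
    + "\n<string>2DC432GLL2</string>"
    + "\n<key>keychain-access-groups</key>"
    + "\n<array><string>2DC432GLL2.com.openai.codex</string></array>"
)

def restricted_entitlements(plist_bytes: bytes) -> list:
    """Return the restricted keys present in an entitlements plist, sorted."""
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return sorted(key for key in entitlements if key in RESTRICTED_KEYS)

def ok_for_standalone_cli(plist_bytes: bytes, profile_validated: bool = False) -> bool:
    """Hypothetical release gate: restricted keys pass only when the signing
    path has validated them for direct execution (caller's assertion)."""
    return profile_validated or not restricted_entitlements(plist_bytes)

if __name__ == "__main__":
    # Usage: python check_entitlements.py path/to/entitlements.plist
    with open(sys.argv[1], "rb") as handle:
        found = restricted_entitlements(handle.read())
    for key in found:
        print(f"restricted entitlement: {key}")
    sys.exit(1 if found else 0)
```

Pointed at .github/actions/macos-code-sign/codex.entitlements.plist in a release workflow, the script exits non-zero when any of the three keys is present, so the build stops before a standalone binary is signed with them.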

extent analysis

TL;DR

The issue can be temporarily resolved by re-signing the binary using codesign to remove restricted entitlements.

Guidance

  • The error is caused by AMFI rejecting the binary due to restricted entitlements, as indicated by the system logs showing "No matching profile found" and "load code signature error 4".
  • The codesign command can be used to re-sign the binary and remove the restricted entitlements, allowing the codex command to run normally.
  • The re-signing process can be done using the command codesign --force --sign - /opt/homebrew/lib/node_modules/@openai/codex/node_modules/@openai/codex-darwin-arm64/vendor/aarch64-apple-darwin/codex/codex.
  • To verify the fix, run codex --version or codex --help after re-signing the binary to ensure it launches normally.

Example

codesign --force --sign - /opt/homebrew/lib/node_modules/@openai/codex/node_modules/@openai/codex-darwin-arm64/vendor/aarch64-apple-darwin/codex/codex

Notes

  • This is a temporary workaround and not a permanent fix, as it removes the restricted entitlements locally.
  • The underlying issue is related to the addition of keychain entitlements in PR #19167, which changed the .github/actions/macos-code-sign/codex.entitlements.plist file.

Recommendation

Apply the workaround by re-signing the binary using codesign, as this will allow the codex command to run normally until a permanent fix is available.
