malpercio.dev / ezpds
An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix(identity-wallet): disable Xcode user script sandboxing on macOS 26

ENABLE_USER_SCRIPT_SANDBOXING=YES (Xcode 14+ default) wraps Run Script
build phases in sandbox-exec. On macOS 26 (Tahoe), this blocks Cargo's
readdir() during package fingerprinting, causing:
Failed to update the excludes stack to see if a path is excluded

Patch project.pbxproj after cargo tauri ios init with the sed one-liner
documented in CLAUDE.md. Also commits the Cargo.lock update that was
missing from the swift-rs patch commit (removes crates.io source/checksum
for the now-locally-patched swift-rs 1.0.7).

authored by

Malpercio and committed by
Tangled 57877ef8 d201e889

+30 -2
-2
Cargo.lock
··· 5127 5127 [[package]] 5128 5128 name = "swift-rs" 5129 5129 version = "1.0.7" 5130 - source = "registry+https://github.com/rust-lang/crates.io-index" 5131 - checksum = "4057c98e2e852d51fdcfca832aac7b571f6b351ad159f9eda5db1655f8d0c4d7" 5132 5130 dependencies = [ 5133 5131 "base64 0.21.7", 5134 5132 "serde",
+30
apps/identity-wallet/CLAUDE.md
··· 112 112 113 113 This step is required once per `cargo tauri ios init` run. 114 114 115 + ### Disable user script sandboxing (one-time manual step after `cargo tauri ios init`) 116 + 117 + Xcode 14+ sets `ENABLE_USER_SCRIPT_SANDBOXING = YES` in generated projects, which wraps Run Script build phases in `sandbox-exec`. On macOS 26 (Tahoe), this blocks Cargo's directory walk (package fingerprinting) with: 118 + 119 + ``` 120 + Failed to update the excludes stack to see if a path is excluded 121 + ``` 122 + 123 + After regenerating `src-tauri/gen/`, run: 124 + 125 + ```bash 126 + sed -i '' 's/ENABLE_USER_SCRIPT_SANDBOXING = YES/ENABLE_USER_SCRIPT_SANDBOXING = NO/g' \ 127 + src-tauri/gen/apple/identity-wallet.xcodeproj/project.pbxproj 128 + ``` 129 + 130 + This step is required once per `cargo tauri ios init` run. 131 + 115 132 ### Why rustup instead of Nix-managed Rust 116 133 117 134 `languages.rust` in devenv uses Nix's `rust-default` package, which only ships stdlibs for standard host targets. iOS Simulator requires `aarch64-apple-ios-sim` stdlib. Nix doesn't package iOS cross-compilation stdlibs; `rustup` downloads them from the Rust release infrastructure. The dev shell is configured with project-local `RUSTUP_HOME` and `CARGO_HOME` (inside `.devenv/state/`) so the toolchain is isolated per project. ··· 251 268 After running `cargo tauri ios init`, the generated `project.pbxproj` build script has the system PATH which doesn't include the Nix dev shell or rustup-managed cargo. 252 269 253 270 **Fix:** See "Xcode build phase PATH" in the First-Time Setup section above. Patch `project.pbxproj` to prepend `.devenv/state/cargo/bin` and `.devenv/profile/bin`. 271 + 272 + --- 273 + 274 + ### `Failed to update the excludes stack to see if a path is excluded` (Xcode user script sandbox) 275 + 276 + Xcode 14+ enables `ENABLE_USER_SCRIPT_SANDBOXING=YES` by default in generated projects, wrapping Run Script build phases in `sandbox-exec`. On macOS 26 (Tahoe), this sandbox blocks Cargo's `readdir()` calls during package fingerprinting, producing: 277 + 278 + ``` 279 + error: failed to determine package fingerprint for build script for identity-wallet v0.1.0 280 + Caused by: Failed to update the excludes stack to see if a path is excluded 281 + ``` 282 + 283 + **Fix:** See "Disable user script sandboxing" in the First-Time Setup section. Run the `sed` one-liner against `project.pbxproj` after each `cargo tauri ios init`.