OpenAI macOS signing issue
OpenAI disclosed a supply‑chain compromise affecting macOS app signing via the Axios library and revoked affected certificates, warning users to update ChatGPT, Codex and Atlas by May 8 or the apps may fail. The disclosure says the certificate revocation and update are required to avoid impacted macOS app behavior (x.com).
OpenAI said macOS users must update ChatGPT, Codex and Atlas after a compromised developer tool touched the company’s app-signing process. (openai.com) On April 10, 2026, OpenAI said a GitHub Actions workflow used to sign its Mac apps downloaded a malicious version of Axios, version 1.14.1, on March 31, 2026 Coordinated Universal Time. That workflow had access to the certificate and notarization material used for ChatGPT Desktop, Codex App, Codex CLI and Atlas. (openai.com) A signing certificate is the digital ID that tells macOS an app really came from its claimed developer. OpenAI said it found no evidence that user data was accessed, its systems or intellectual property were compromised, or its software was altered. (openai.com) OpenAI said its analysis suggests the certificate was “likely not successfully exfiltrated,” but it is revoking and rotating the certificate anyway. The company said that step is meant to block any attempt to distribute a fake app that appears to come from OpenAI. (openai.com) The deadline is May 8, 2026. After that date, OpenAI said older versions of its macOS desktop apps will no longer receive updates or support and may stop functioning. (openai.com) OpenAI listed the earliest safe Mac releases signed with the new certificate as ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. The company said users can update through the apps themselves or through official OpenAI download links. (openai.com) The change lands as OpenAI has already been tightening certificate-related behavior in its Mac software. The ChatGPT macOS release notes say the company “phased out certificate pinning exceptions” in an update posted February 13, 2026. (help.openai.com) OpenAI said it hired a third-party digital forensics and incident response firm, reviewed software notarizations tied to the old certificate, and worked with Apple so software signed with the previous certificate cannot be newly notarized. For Mac users, the practical effect is simpler: update before May 8 or risk losing a working OpenAI app. (openai.com)
