AdGuard Home is not signed on Mac after installation
Prerequisites
- [x] I have checked the Wiki and Discussions and found no answer
- [x] I have searched other issues and found no duplicates
- [x] I want to report a bug and not ask a question or ask for help
- [x] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Darwin (aka macOS), AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
On one machine
AdGuard Home version
v0.107.56
Action
AdGuard Home failing to work behind Mac firewall on Sequoia despite being in the list of Allowed apps. macOS will not allow apps that are not signed to pass data through the firewall even if in the list.
I solved it by code signing the app and then adding the app back into the list of allowed apps in the firewall.
codesign --force --deep --sign - /Applications/AdGuardHome/AdGuardHome
Expected result
DNS resolution should continue, access to the UI should continue to work
Actual result
Once the firewall is activated AdGuard Home no longer functions. DNS stops, UI is not reachable.
Additional information and/or screenshots
Can AdGuard Home be signed during the install or update process? Each update requires the app to be signed again.
I’m hitting the same problem on macOS. After installing AdGuard Home with -s install, trying to start the service via -s start fails with:
Failed to start AdGuard Home service: "launchctl" failed with stderr: Load failed: 5: Input/output error
Try running `launchctl bootstrap` as root for richer errors.
Running launchctl bootstrap system /Library/LaunchDaemons/AdGuardHome.plist directly gives the same Bootstrap failed: 5: Input/output error.
Logs suggest this is a code signing issue:
(AppleMobileFileIntegrity) AMFI: '/Applications/AdGuardHome/AdGuardHome' has no CMS blob?
(AppleMobileFileIntegrity) AMFI: '/Applications/AdGuardHome/AdGuardHome': Unrecoverable CT signature issue, bailing out.
Plist validation passes (plutil -lint says OK), and file paths and permissions are correct. The binary just appears unsigned and macOS refuses to load it via launchd.
Temporarily resolved by signing it manually:
sudo codesign --force --deep --sign - /Applications/AdGuardHome/AdGuardHome
After that, launchctl bootstrap works fine.
Seems like the distributed binary for macOS needs to be signed to be compatible with launchd on newer macOS versions.
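Added example, not part of the issue thread and not AdGuard Home project code: a shell sketch that picks the rejected binary out of AMFI log lines like the ones quoted above and re-applies the thread's ad-hoc signing command only when the existing signature does not verify, which is the step both reports say must be repeated after each update. The script name `resign.sh`, the function names and the `--fix` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example; hypothetical helper, not shipped with AdGuard Home.

# Constructed sample input: the two AMFI log lines quoted in the thread.
SAMPLE_LOG="(AppleMobileFileIntegrity) AMFI: '/Applications/AdGuardHome/AdGuardHome' has no CMS blob?
(AppleMobileFileIntegrity) AMFI: '/Applications/AdGuardHome/AdGuardHome': Unrecoverable CT signature issue, bailing out."

# Read log lines on stdin; print each distinct binary path that AMFI
# reported as carrying no signature ("has no CMS blob").
amfi_unsigned_paths() {
    sed -n "s/.*AMFI: '\([^']*\)' has no CMS blob.*/\1/p" | sort -u
}

# Ad-hoc sign BIN only when its current signature does not verify.
# Returns 0 = signed (before or after), 2 = file missing, 3 = no codesign.
resign_if_needed() {
    bin=$1
    [ -f "$bin" ] || { echo "missing: $bin" >&2; return 2; }
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found" >&2; return 3; }
    if codesign --verify "$bin" 2>/dev/null; then
        echo "signature ok: $bin"
        return 0
    fi
    # Same command as in the thread; "-" is the ad-hoc identity, which
    # carries no certificate and says nothing about who built the binary.
    codesign --force --deep --sign - "$bin" && echo "ad-hoc signed: $bin"
}

# Usage on macOS (run as root if the binary is root-owned):
#   log show --last 10m --predicate 'eventMessage CONTAINS "AMFI"' | sh resign.sh --fix
if [ "${1:-}" = "--fix" ]; then
    amfi_unsigned_paths | while IFS= read -r path; do
        resign_if_needed "$path"
    done
fi
```

The script does not touch the firewall list; the first report says the app had to be added back to the allowed apps after signing.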