OpenAI has said macOS users must update its desktop apps after identifying a security issue linked to a third-party developer tool used in its app-signing process. The company said the issue was part of a broader industry incident and confirmed there is no evidence of user data exposure, software tampering or system compromise. As a precaution, OpenAI is rotating its security certificates and requiring users to move to updated versions of its Mac apps, including ChatGPT, Codex, Codex CLI and Atlas.
What happened
This workflow had access to code-signing and notarisation materials used to verify that apps such as ChatGPT Desktop, Codex, Codex CLI and Atlas are legitimate OpenAI software. While the company said its analysis suggests the certificate was likely not exfiltrated due to multiple mitigating factors, it is treating the certificate as potentially compromised.
What users need to do
OpenAI said macOS users must update their apps to the latest versions to ensure they are running software signed with a new security certificate. The update is required for apps including ChatGPT Desktop, Codex, Codex CLI and Atlas, and can be done via in-app updates or official download pages.
The company also warned users to avoid installing OpenAI apps from third-party sources, including links shared via emails, messages or ads, as part of efforts to prevent the distribution of fake apps.
OpenAI also said that from May 8, 2026, older versions of its macOS apps will no longer receive updates or support and may stop functioning. The earliest supported versions after this change include ChatGPT Desktop version 1.2026.051, Codex App version 26.406.40811, Codex CLI version 0.119.0 and Atlas version 1.2026.84.2.
The company added that once the previous certificate is fully revoked, macOS security protections will block new downloads or launches of apps signed with the old certificate.
No impact on user data, other platforms
OpenAI said it found no evidence that user data, passwords or API keys were compromised. It also confirmed that the issue only affects macOS apps and does not impact iOS, Android, Windows, Linux or web versions of its services.
The company said it has released new app builds with updated certificates, reviewed past software notarisation activity and is working with Apple to prevent further use of the old certificate.