33 changes: 18 additions & 15 deletions scripts/package/build_app_tauri.sh
Expand Up @@ -153,25 +153,28 @@ if [ -n "$APPLE_PERSONALID" ]; then
--sign "$APPLE_PERSONALID" \
"$fw" 2>&1) && echo " Signed bundle: $fw" || {
if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
echo " Note: $fw lacks standard bundle structure; signing main binary via temp copy"
fw_name="$(basename "${fw%.*}")"
fw_binary="$fw/$fw_name"
if [ -f "$fw_binary" ]; then
# codesign refuses to sign Python.framework/Python in-place because
# it sees the parent .framework dir and reports "bundle format is
# ambiguous". Copy to a temp path outside any bundle directory,
# sign there, then copy back. Code signatures are embedded in the
# binary (not path-dependent), so the result is identical.
echo " Note: $fw lacks standard bundle structure; signing all Mach-O binaries inside via temp copy"
# PyInstaller copies Python.framework contents as separate files rather
# than symlinks — Python, Versions/Current/Python, and Versions/3.9/Python
# are distinct inodes. Signing only $fw_name leaves the Versions/ copies
# unsigned, causing Apple notarization to reject every affected watcher.
# Sign every Mach-O file inside the framework via a temp-path copy to
# avoid the in-place "bundle format is ambiguous" error from codesign.
signed_count=0
while IFS= read -r fw_bin; do
echo " Signing framework binary via temp copy: $fw_bin"
tmp_binary=$(mktemp)
cp "$fw_binary" "$tmp_binary"
sign_binary "$tmp_binary"
cp "$tmp_binary" "$fw_binary"
cp "$fw_bin" "$tmp_binary"
sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
cp "$tmp_binary" "$fw_bin"
rm -f "$tmp_binary"
else
echo "ERROR: Expected main binary not found at $fw_binary" >&2
echo " PyInstaller may have changed its output structure. Inspect $fw" >&2
signed_count=$((signed_count + 1))
done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)

P2 Temp-path signing may embed a wrong identifier in the code signature

codesign derives the bundle/binary identifier from the signing path when no --identifier flag is given. Signing at a mktemp path (/tmp/tmp.XXXXXX) causes the embedded Code Directory identifier to be something like tmp.XXXXXX rather than the original binary name (e.g. Python or whatever the CPython-signed identifier was). Apple's notarization service validates identifiers, so this could be a latent rejection vector.

The same pattern is inherited from the original #1251 code for the single-binary path — if it passed notarization then, this expansion should too — but it's worth confirming with an explicit --identifier flag in sign_binary invocations for this fallback path, e.g.:

bin_id="$(basename "$fw_bin")"
codesign --force --options runtime --timestamp \
    --entitlements "$ENTITLEMENTS" \
    --identifier "$bin_id" \
    --sign "$APPLE_PERSONALID" \
    "$tmp_binary"


P2 xargs file without -0 misparses filenames containing spaces

The pipeline find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1 splits on whitespace by default, so a Mach-O binary whose path contains a space would be passed to file as two arguments, producing wrong output (and potentially a spurious "no such file" error for the second token). The same pattern exists in Step 1's equivalent pipeline — this is pre-existing — but expanding it to more paths increases exposure. Consider find "$fw" -type f -print0 | xargs -0 file for robustness.

Suggested change
done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)
done < <(find "$fw" -type f -print0 | xargs -0 file | grep "Mach-O" | cut -d: -f1)

if [ "$signed_count" -eq 0 ]; then
echo "ERROR: No Mach-O binaries found inside $fw" >&2
exit 1
fi
echo " Signed $signed_count Mach-O binary/binaries inside $fw"
else
echo "ERROR: Failed to sign $fw: $sign_output" >&2
exit 1
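Review bot: the `done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)` selection recovers paths by parsing the text output of `file`, so beyond the whitespace splitting already noted, `cut -d: -f1` truncates any path that contains a ':' and `grep "Mach-O"` also accepts a file whose name happens to contain that string; letting `find` do the filtering avoids parsing output altogether, e.g. `find "$fw" -type f -exec sh -c 'file -b "$1" | grep -q "^Mach-O"' _ {} \; -print0` consumed by `while IFS= read -r -d '' fw_bin; do`, which also drops the `cut`. Separately, `sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }` exits without naming the framework binary that failed; an `echo "ERROR: Failed to sign $fw_bin" >&2` before the `exit 1` would keep that path as informative as the `Failed to sign $fw: $sign_output` branch below it.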
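The filename-splitting problem raised in the second review comment above, as an added example that is not code from the PR or the project: a POSIX sh script that selects Mach-O files by their magic bytes instead of parsing `file` output and hands the paths over NUL-separated, so spaces, colons and newlines in paths survive. The function names, the constructed fixture tree and its fake headers are assumptions of this example; it does not invoke codesign.

```shell
#!/bin/sh
# Added example, not code from the PR: select Mach-O files by their magic
# bytes and pass them on NUL-separated, so paths containing spaces, ":" or
# newlines stay intact (the xargs | file | cut pipeline splits on whitespace
# and truncates at the first ":").
set -eu

# Per-file check shared by is_macho and find -exec: exit 0 iff the first four
# bytes are a Mach-O (32/64-bit, either byte order) or universal (fat) magic.
MACHO_CHECK='
magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d " \n")
case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) exit 0 ;;
esac
exit 1'

# is_macho FILE -> true if FILE carries a Mach-O or fat magic number.
is_macho() {
    sh -c "$MACHO_CHECK" _ "$1"
}

# list_macho DIR -> NUL-terminated paths of Mach-O regular files under DIR,
# ready for a bash consumer:  while IFS= read -r -d '' fw_bin; do ...; done
# Each path reaches the check as an argument and is never parsed from output.
list_macho() {
    find "$1" -type f -exec sh -c "$MACHO_CHECK" _ {} \; -print0
}

# count_macho DIR -> how many files list_macho yields for DIR.
count_macho() {
    list_macho "$1" | tr -dc '\000' | wc -c | tr -d ' '
}

# make_fixture -> constructed framework-like tree (NOT a real Python.framework):
# a 64-bit Mach-O header, a fat header under a path with a space and a colon,
# and a text file. Prints the directory path; caller removes it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Versions/3.9/lib/dyn load"
    printf '\317\372\355\376 fake MH_MAGIC_64 header' > "$dir/Versions/3.9/Python"
    printf '\312\376\272\276 fake FAT_MAGIC header' > "$dir/Versions/3.9/lib/dyn load/_ssl:x86_64.so"
    printf 'not a binary\n' > "$dir/Versions/3.9/README.txt"
    printf '%s\n' "$dir"
}
```

On a real framework the same `list_macho` output feeds the signing loop in place of the `xargs file | cut` pipeline; `-print0` and `read -d ''` are the bash-side pair the review suggestion relies on.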