Deploy with xcrun

[kzsh]

In my hello-world xtool app, I run:
xtool dev
I abort when it reaches waiting for device.
(EDIT: xtool dev build is the command I should have used)

I rsync the foo app to a mac machine.
rsync -r linux-machine/foo/tool/foo.app mac-machine:/some/dir/foo.app

And then try deploying it to my person device.

xcrun devicectl device install app \
  --device <DEVICE-UUID> \
  /some/dir/foo.app

I get as far as:

Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.oGEYUE/extracted/foo.app

Does anyone know off the top of their head how I might sign an xtool build or stage a signature in the appropriate place to allow sign a deployment?

EDIT: Clearly the app I `rsync'ed over is not signed:

$ codesign -dv --verbose=4 foo.app
foo.app: code object is not signed at all

Context:

• I can already use the xcode app on my mac to build and deploy apps made in xcode to this device
• I have successfully deployed via usb using xtool dev without the mac-machine.
• I will try using xcrun to deploy an app built by xcode to try to eliminate the possibility that it's not xtool relsted, and update here.
  EDIT: I can deploy apps built in xcode with xcrun devicectl install app.

  $ cat device-install.logs 
  10:44:35  Acquired tunnel connection to device.
  10:44:35  Enabling developer disk image services.
  10:44:35  Acquired usage assertion.
  App installed:
    • bundleID: com.example.HelloWorld
    • installationURL: file:///private/var/containers/Bundle/Application/{UUID}/HelloWorld.app/
    • launchServicesIdentifier: unknown
    • databaseUUID: {UUID}
    • databaseSequenceNumber: {number}
    • options: 
      {nothing was printed here}
  

[kzsh]

It is possible to sign a built app using Apple cli tools.
To identify the signature name
security find-identity -v -p codesigning
(used to get "Developer ID Application: Some Name (ABCD1234)")

So far as I could tell, unlocking the keychain prior to running codesign was not sufficient for it to succeed.

Instead I permitted codesign access to the keychain:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s ~/Library/Keychains/login.keychain-db > /dev/null

After which the following worked:
codesign --options runtime --deep --sign "Developer ID Application: Some Name (ABCD1234)" --keychain ~/Library/Keychains/login.keychain-db ./foo.app

And the result of the vertification command showed a signature instead of some variant of 'not signed'.
codesign -dv --verbose=4 foo.app

And the deploy steps with xcrun worked.

This is a 'working' path, but raises other questions:

1. whether or not I missed an opportunity to have xtool sign things for me.
2. Should I be granting codesign access to my keychain in the way described above?