fix(build): sign all Mach-O binaries inside non-standard framework bundles (#1254)

TimeToBuildBob · web-flow · commit 0bfc97f8c027 · 2026-04-09T19:49:17.000+02:00
PyInstaller copies Python.framework contents as separate files rather than symlinks, so Python, Versions/Current/Python, and Versions/3.9/Python are distinct inodes. The previous fallback only signed the single $fw_name binary, leaving the Versions/ copies unsigned — causing Apple notarization to reject all three affected watcher bundles (~6 errors per watcher, ~18 total). Replace the single-binary fallback with a loop that finds all Mach-O files inside the framework via `find -type f | xargs file | grep Mach-O` and signs each via a temp-path copy (avoids the in-place "bundle format is ambiguous" error from codesign when the parent dir is a .framework). This fix was validated in CI on the #1252 PR branch (3e635e4): all platforms passed including both macOS Build Tauri jobs with notarization succeeding.
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
@@ -153,25 +153,28 @@ if [ -n "$APPLE_PERSONALID" ]; then
             --sign "$APPLE_PERSONALID" \
             "$fw" 2>&1) && echo "  Signed bundle: $fw" || {
             if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
-                echo "  Note: $fw lacks standard bundle structure; signing main binary via temp copy"
-                fw_name="$(basename "${fw%.*}")"
-                fw_binary="$fw/$fw_name"
-                if [ -f "$fw_binary" ]; then
-                    # codesign refuses to sign Python.framework/Python in-place because
-                    # it sees the parent .framework dir and reports "bundle format is
-                    # ambiguous". Copy to a temp path outside any bundle directory,
-                    # sign there, then copy back. Code signatures are embedded in the
-                    # binary (not path-dependent), so the result is identical.
+                echo "  Note: $fw lacks standard bundle structure; signing all Mach-O binaries inside via temp copy"
+                # PyInstaller copies Python.framework contents as separate files rather
+                # than symlinks — Python, Versions/Current/Python, and Versions/3.9/Python
+                # are distinct inodes. Signing only $fw_name leaves the Versions/ copies
+                # unsigned, causing Apple notarization to reject every affected watcher.
+                # Sign every Mach-O file inside the framework via a temp-path copy to
+                # avoid the in-place "bundle format is ambiguous" error from codesign.
+                signed_count=0
+                while IFS= read -r fw_bin; do
+                    echo "    Signing framework binary via temp copy: $fw_bin"
                     tmp_binary=$(mktemp)
-                    cp "$fw_binary" "$tmp_binary"
-                    sign_binary "$tmp_binary"
-                    cp "$tmp_binary" "$fw_binary"
+                    cp "$fw_bin" "$tmp_binary"
+                    sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
+                    cp "$tmp_binary" "$fw_bin"
                     rm -f "$tmp_binary"
-                else
-                    echo "ERROR: Expected main binary not found at $fw_binary" >&2
-                    echo "  PyInstaller may have changed its output structure. Inspect $fw" >&2
+                    signed_count=$((signed_count + 1))
+                done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)
+                if [ "$signed_count" -eq 0 ]; then
+                    echo "ERROR: No Mach-O binaries found inside $fw" >&2
                     exit 1
                 fi
+                echo "  Signed $signed_count Mach-O binary/binaries inside $fw"
             else
                 echo "ERROR: Failed to sign $fw: $sign_output" >&2
                 exit 1
