fix(build): preserve binary identifier when signing via temp-path copy (#1255)

TimeToBuildBob · web-flow · commit 88eadfb1d9c1 · 2026-04-09T22:07:41.000+02:00
* fix(build): preserve binary identifier when signing via temp-path copy

The temp-path codesign workaround for non-standard Python.framework bundles
signed each binary without --identifier, so codesign derived the identifier
from the random temp filename (e.g. 'tmp.XXXXXX'). Apple's notarization
service then rejected those binaries with 'The signature of the binary is
invalid' -- the certificate chain and code hashes are valid, but the
identifier doesn't match what the binary originally carried.

Fix: extract the existing identifier from the binary (set by PyInstaller's
codesign_identity step, typically 'org.python.python') before copying to
the temp path, then pass --identifier to the codesign invocation. Falls
back to basename if the binary is unsigned.

* fix(build): address P2 review findings — use sed for identifier extraction, clean up temp on cp failure
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
@@ -163,10 +163,28 @@ if [ -n "$APPLE_PERSONALID" ]; then
                 signed_count=0
                 while IFS= read -r fw_bin; do
                     echo "    Signing framework binary via temp copy: $fw_bin"
+                    # Preserve the binary's existing code-signing identifier.
+                    # Without --identifier, codesign uses the random temp filename
+                    # (e.g. "tmp.XXXXXX") as the identifier, which makes Apple's
+                    # notarization service report "The signature of the binary is
+                    # invalid" — even though the certificate chain and code hashes
+                    # are valid. Using the original identifier (e.g. "org.python.python"
+                    # from PyInstaller's codesign_identity step) or falling back to the
+                    # binary's filename avoids this rejection.
+                    existing_id=$(codesign -d "$fw_bin" 2>&1 \
+                        | sed -n 's/^Identifier=//p' || true)
+                    if [ -z "$existing_id" ]; then
+                        existing_id=$(basename "$fw_bin")
+                    fi
+                    echo "      Using identifier: $existing_id"
                     tmp_binary=$(mktemp)
                     cp "$fw_bin" "$tmp_binary"
-                    sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
-                    cp "$tmp_binary" "$fw_bin"
+                    codesign --force --options runtime --timestamp \
+                        --entitlements "$ENTITLEMENTS" \
+                        --identifier "$existing_id" \
+                        --sign "$APPLE_PERSONALID" \
+                        "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
+                    cp "$tmp_binary" "$fw_bin" || { rm -f "$tmp_binary"; exit 1; }
                     rm -f "$tmp_binary"
                     signed_count=$((signed_count + 1))
                 done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)
