fix(build): sign non-standard framework binary via temp copy to avoid ambiguity (#1250)

TimeToBuildBob · web-flow · commit 93053d0857fd · 2026-04-09T11:38:27.000+02:00
codesign refuses to sign Python.framework/Python in-place when the binary is inside a .framework directory — it sees the directory context and reports 'bundle format is ambiguous (could be app or framework)'. The #1249 fallback correctly detected this case but then called sign_binary on the same path, which hits the same codesign check. Fix: copy the binary to a temp path outside any .framework dir, sign it there, then copy the signed binary back. Code signatures are embedded in the Mach-O binary (not path-dependent), so the result is identical. This should be the final fix needed to unblock the Build Tauri master CI and allow the Thursday 2026-04-09 12:00 UTC scheduled dev release to run.
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
@@ -153,11 +153,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
             --sign "$APPLE_PERSONALID" \
             "$fw" 2>&1) && echo "  Signed bundle: $fw" || {
             if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
-                echo "  Note: $fw lacks standard bundle structure; signing main binary inside directly"
+                echo "  Note: $fw lacks standard bundle structure; signing main binary via temp copy"
                 fw_name="$(basename "${fw%.*}")"
                 fw_binary="$fw/$fw_name"
                 if [ -f "$fw_binary" ]; then
-                    sign_binary "$fw_binary"
+                    # codesign refuses to sign Python.framework/Python in-place because
+                    # it sees the parent .framework dir and reports "bundle format is
+                    # ambiguous". Copy to a temp path outside any bundle directory,
+                    # sign there, then copy back. Code signatures are embedded in the
+                    # binary (not path-dependent), so the result is identical.
+                    tmp_binary=$(mktemp)
+                    cp "$fw_binary" "$tmp_binary"
+                    sign_binary "$tmp_binary"
+                    cp "$tmp_binary" "$fw_binary"
+                    rm -f "$tmp_binary"
                 else
                     echo "ERROR: Expected main binary not found at $fw_binary" >&2
                     echo "  PyInstaller may have changed its output structure. Inspect $fw" >&2
