fix(build): replace codesign --deep with inside-out per-binary signing for notarization (#1246)

TimeToBuildBob · web-flow · commit a41abfbd99e2 · 2026-04-08T15:25:26.000+02:00
* fix(build): replace codesign --deep with inside-out per-binary signing codesign --deep fails to reliably sign all nested Mach-O binaries in PyInstaller-built watcher bundles (aw-watcher-window/input/afk each embed hundreds of .dylib/.so files and Python.framework with symlinks). Apple's notarization log showed 502 rejections: - 248 missing secure timestamps - 239 binaries not signed with valid Developer ID certificate - 9 invalid signatures (Python.framework symlink issue) Fix: sign every Mach-O binary individually using `file | grep Mach-O`, working inside-out (leaves → .framework bundles → top-level .app), with --timestamp on every codesign call as required by notarization. Also add --timestamp to the DMG codesign step in both build.yml and build-tauri.yml, which was also missing. Reported in ErikBjare/bob#546 via xcrun notarytool log analysis. * fix(build): address Greptile P2 suggestions — xargs batching and bundle type coverage - Batch Mach-O file detection with `xargs file` (O(1) subprocess calls vs O(n)) for large PyInstaller bundles with hundreds of dylib/so files - Extend bundle signing step to cover .bundle and .plugin directories in addition to .framework, preventing missing CodeResources catalog seals that can trigger notarytool bundle-integrity warnings
diff --git a/.github/workflows/build-tauri.yml b/.github/workflows/build-tauri.yml
@@ -157,7 +157,7 @@ jobs:
           make dist/ActivityWatch.dmg
 
           if [ -n "$APPLE_EMAIL" ]; then
-            codesign --verbose -s ${APPLE_PERSONALID} dist/ActivityWatch.dmg
+            codesign --force --verbose --timestamp -s ${APPLE_PERSONALID} dist/ActivityWatch.dmg
 
             brew install akeru-inc/tap/xcnotary
             xcnotary precheck dist/ActivityWatch.app
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -168,7 +168,7 @@ jobs:
 
         # codesign and notarize
         if [ -n "$APPLE_EMAIL" ]; then
-          codesign --verbose -s ${APPLE_PERSONALID} dist/ActivityWatch.dmg
+          codesign --force --verbose --timestamp -s ${APPLE_PERSONALID} dist/ActivityWatch.dmg
 
           # Run prechecks
           brew install akeru-inc/tap/xcnotary
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
@@ -95,11 +95,51 @@ echo "Creating PkgInfo..."
 echo "APPL????" > "dist/${APP_NAME}.app/Contents/PkgInfo"
 
 if [ -n "$APPLE_PERSONALID" ]; then
-    echo "Signing app with identity: $APPLE_PERSONALID"
-    # Hardened runtime is required for notarization prechecks on macOS.
-    # The Tauri bundle still embeds PyInstaller-built helpers from dist/activitywatch/,
-    # so keep the existing entitlements that those binaries need under hardened runtime.
-    codesign --deep --force --options runtime --entitlements scripts/package/entitlements.plist --sign "$APPLE_PERSONALID" "dist/${APP_NAME}.app"
+    echo "Signing app with identity: $APPLE_PERSONALID (inside-out, per-binary)"
+    # codesign --deep is unreliable for bundles with PyInstaller helpers:
+    # it doesn't reach all nested dylibs/so files and mishandles Python.framework
+    # symlinks, leaving hundreds of binaries unsigned or invalidly signed.
+    # The correct approach is inside-out: sign all Mach-O leaves first,
+    # then .framework bundles, then the top-level .app last.
+    # --timestamp is required for notarization (Apple rejects submissions without it).
+    ENTITLEMENTS="scripts/package/entitlements.plist"
+
+    sign_binary() {
+        echo "  Signing: $1"
+        codesign --force --options runtime --timestamp \
+            --entitlements "$ENTITLEMENTS" \
+            --sign "$APPLE_PERSONALID" \
+            "$1"
+    }
+
+    # Step 1: Sign all Mach-O binary files (dylibs, .so files, standalone executables).
+    # Use `xargs file` to batch all type queries in O(1) subprocess calls instead of
+    # one `file` invocation per binary (PyInstaller bundles can contain hundreds of files).
+    # Sort by path length descending so deeper binaries are signed before shallower containers.
+    echo "  Signing Mach-O binary files..."
+    while IFS= read -r f; do
+        sign_binary "$f"
+    done < <(find "dist/${APP_NAME}.app" -type f \
+        | xargs file \
+        | grep "Mach-O" \
+        | cut -d: -f1 \
+        | awk '{ print length, $0 }' | sort -rn | cut -d' ' -f2-)
+
+    # Step 2: Sign bundle directories (.framework, .bundle, .plugin) after their contents.
+    # Deepest bundles first (sort by path length descending) to maintain inside-out order.
+    # .bundle/.plugin coverage prevents missing CodeResources catalog seals that can
+    # trigger notarytool bundle-integrity warnings.
+    echo "  Signing bundle directories (.framework, .bundle, .plugin)..."
+    while IFS= read -r fw; do
+        sign_binary "$fw"
+    done < <(find "dist/${APP_NAME}.app" -type d \
+        \( -name "*.framework" -o -name "*.bundle" -o -name "*.plugin" \) \
+        | awk '{ print length, $0 }' | sort -rn | cut -d' ' -f2-)
+
+    # Step 3: Sign the top-level .app bundle last.
+    echo "  Signing top-level .app bundle..."
+    sign_binary "dist/${APP_NAME}.app"
+
     echo "App signing complete."
 else
     echo "APPLE_PERSONALID not set. Skipping code signing."
