fix(build): skip framework main binaries in codesign Step 1 to avoid ambiguity error (#1247)

The inside-out signing loop from #1246 signs ALL Mach-O files in Step 1,
then .framework bundles in Step 2. But Python.framework/Python is both a
Mach-O binary AND the main binary of a .framework bundle — codesign errors
with "bundle format is ambiguous (could be app or framework)" when it's
signed as a standalone file.

Fix: Skip files whose parent directory is a .framework, .bundle, or .plugin
in Step 1. These are correctly signed as part of their bundle in Step 2.

Also extends Step 2 to cover .bundle and .plugin directories (not just
.framework) for completeness.

Fixes the Build Tauri master CI failure after #1246 merge.

Author: TimeToBuildBob

scripts/package/build_app_tauri.sh

@@ -116,8 +116,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
     # Use `xargs file` to batch all type queries in O(1) subprocess calls instead of
     # one `file` invocation per binary (PyInstaller bundles can contain hundreds of files).
     # Sort by path length descending so deeper binaries are signed before shallower containers.
+    # IMPORTANT: Skip the main binary of .framework bundles (e.g. Python.framework/Python).
+    # codesign treats those as ambiguous ("could be app or framework") when signed as
+    # standalone files. They are correctly signed in Step 2 as part of the framework bundle.
     echo "  Signing Mach-O binary files..."
     while IFS= read -r f; do
+        # Skip main binaries of bundle directories (.framework, .bundle, .plugin) —
+        # they'll be signed as part of the bundle in Step 2. Signing them standalone
+        # causes "bundle format is ambiguous" errors from codesign.
+        parent_dir="$(dirname "$f")"
+        if [[ "$parent_dir" == *.framework ]] || [[ "$parent_dir" == *.framework/Versions/* ]] \
+            || [[ "$parent_dir" == *.bundle ]] || [[ "$parent_dir" == *.plugin ]]; then
+            echo "  Skipping bundle binary (signed in Step 2): $f"
+            continue
+        fi
         sign_binary "$f"
     done < <(find "dist/${APP_NAME}.app" -type f \
         | xargs file \