Merged
12 changes: 12 additions & 0 deletions scripts/package/build_app_tauri.sh
@@ -116,8 +116,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
# Use `xargs file` to batch all type queries in O(1) subprocess calls instead of
# one `file` invocation per binary (PyInstaller bundles can contain hundreds of files).
# Sort by path length descending so deeper binaries are signed before shallower containers.
# IMPORTANT: Skip the main binary of .framework bundles (e.g. Python.framework/Python).
# codesign treats those as ambiguous ("could be app or framework") when signed as
# standalone files. They are correctly signed in Step 2 as part of the framework bundle.
echo " Signing Mach-O binary files..."
while IFS= read -r f; do
# Skip main binaries of bundle directories (.framework, .bundle, .plugin) —
# they'll be signed as part of the bundle in Step 2. Signing them standalone
# causes "bundle format is ambiguous" errors from codesign.
parent_dir="$(dirname "$f")"
if [[ "$parent_dir" == *.framework ]] || [[ "$parent_dir" == *.framework/Versions/* ]] \
|| [[ "$parent_dir" == *.bundle ]] || [[ "$parent_dir" == *.plugin ]]; then
Comment on lines +128 to +129
P2 .bundle/.plugin skip patterns don't cover nested binaries

The check [[ "$parent_dir" == *.bundle ]] only matches a file sitting directly inside Foo.bundle/ (e.g., Foo.bundle/Foo). The conventional macOS bundle layout places the main binary one level deeper at Foo.bundle/Contents/MacOS/Foo, whose parent Foo.bundle/Contents/MacOS does not match *.bundle. The same gap applies to *.plugin. This means those main binaries still get signed standalone in Step 1, then re-signed as part of their bundle in Step 2. The --force flag lets Step 2 succeed, but the intermediate Step 1 signature is wasted work. If any .bundle or .plugin encountered in this tree happens to trigger the same codesign "bundle format is ambiguous" error as Python.framework/Python, it would break the build.

Consider also matching the typical Contents/MacOS nesting:

Suggested change
if [[ "$parent_dir" == *.framework ]] || [[ "$parent_dir" == *.framework/Versions/* ]] \
|| [[ "$parent_dir" == *.bundle ]] || [[ "$parent_dir" == *.plugin ]]; then
if [[ "$parent_dir" == *.framework ]] || [[ "$parent_dir" == *.framework/Versions/* ]] \
|| [[ "$parent_dir" == *.bundle ]] || [[ "$parent_dir" == *.bundle/Contents/MacOS ]] \
|| [[ "$parent_dir" == *.plugin ]] || [[ "$parent_dir" == *.plugin/Contents/MacOS ]]; then

echo " Skipping bundle binary (signed in Step 2): $f"
continue
fi
sign_binary "$f"
done < <(find "dist/${APP_NAME}.app" -type f \
| xargs file \
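Review bot: the `*.framework/Versions/*` glob in the skip check matches much more than a framework's main binary: the parent directory of every file at any depth below `Versions/` (a `lib-dynload/*.so` several levels down, for instance) ends with something under that pattern, so all of those Mach-O files are skipped in Step 1 and rely entirely on Step 2's bundle signing, which undercuts the "deeper binaries are signed before shallower containers" ordering the comment at the top of the hunk describes. If the intent is only to skip `Python.framework/Versions/3.x/Python`, test the grandparent instead, e.g. `[[ "$(dirname "$parent_dir")" == *.framework/Versions ]]`, so nested dylibs still get their own Step 1 signature. Separately, `find ... -type f | xargs file` splits on whitespace; app trees routinely contain paths with spaces, so `find ... -print0 | xargs -0 file` is the safe form.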
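To make the review comment's point concrete, here is an added example (not code from the PR or the project) that runs the Step 1 skip decision over a few constructed bundle paths, once with the patterns from the merged hunk and once with the broader `Contents/MacOS` patterns suggested above. The `case` globs are the POSIX equivalent of the script's `[[ ... == ... ]]` tests, so the file runs under plain `sh`; the sample paths are constructed and no real `.app` tree is read.

```shell
#!/bin/sh
# Added example, not part of the PR: compares the merged skip patterns with the
# patterns suggested in the review comment on constructed bundle paths.

# Returns 0 (skip in Step 1) when the parent directory matches the patterns
# from the merged hunk; `*` in a case glob matches "/" just as it does in [[ == ]].
skip_original() {
    parent_dir=$(dirname "$1")
    case "$parent_dir" in
        *.framework|*.framework/Versions/*|*.bundle|*.plugin) return 0 ;;
        *) return 1 ;;
    esac
}

# Same check with the suggested Contents/MacOS nesting added for .bundle/.plugin.
skip_suggested() {
    parent_dir=$(dirname "$1")
    case "$parent_dir" in
        *.framework|*.framework/Versions/*|*.bundle|*.bundle/Contents/MacOS|\
        *.plugin|*.plugin/Contents/MacOS) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints a one-line verdict for one path under both rule sets.
report() {
    if skip_original "$1"; then o=skip; else o=sign; fi
    if skip_suggested "$1"; then s=skip; else s=sign; fi
    printf '%-75s original=%s suggested=%s\n' "$1" "$o" "$s"
}

# Constructed sample paths mirroring a PyInstaller-style app layout.
report "dist/App.app/Contents/Frameworks/Python.framework/Versions/3.11/Python"
report "dist/App.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/_ssl.so"
report "dist/App.app/Contents/Resources/Foo.bundle/Foo"
report "dist/App.app/Contents/Resources/Foo.bundle/Contents/MacOS/Foo"
report "dist/App.app/Contents/Resources/Bar.plugin/Contents/MacOS/Bar"
report "dist/App.app/Contents/MacOS/App"
```

Running it shows the gap the comment describes: `Foo.bundle/Contents/MacOS/Foo` and `Bar.plugin/Contents/MacOS/Bar` are signed standalone under the merged patterns but skipped under the suggested ones, while the flat `Foo.bundle/Foo` layout and the framework's main binary are skipped under both. The second path also shows that `*.framework/Versions/*` skips nested dylibs deep inside the framework, not only its main binary.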