30 changes: 29 additions & 1 deletion scripts/package/build_app_tauri.sh
Expand Up @@ -116,8 +116,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
# Use `xargs file` to batch all type queries in O(1) subprocess calls instead of
# one `file` invocation per binary (PyInstaller bundles can contain hundreds of files).
# Sort by path length descending so deeper binaries are signed before shallower containers.
# IMPORTANT: Skip the main binary of .framework bundles (e.g. Python.framework/Python).
# codesign treats those as ambiguous ("could be app or framework") when signed as
# standalone files. They are correctly signed in Step 2 as part of the framework bundle.
echo " Signing Mach-O binary files..."
while IFS= read -r f; do
# Skip main binaries of bundle directories (.framework, .bundle, .plugin) —
# they'll be signed as part of the bundle in Step 2. Signing them standalone
# causes "bundle format is ambiguous" errors from codesign.
parent_dir="$(dirname "$f")"
if [[ "$parent_dir" == *.framework ]] || [[ "$parent_dir" == *.framework/Versions/* ]] \
|| [[ "$parent_dir" == *.bundle ]] || [[ "$parent_dir" == *.plugin ]]; then
echo " Skipping bundle binary (signed in Step 2): $f"
continue
fi
sign_binary "$f"
done < <(find "dist/${APP_NAME}.app" -type f \
| xargs file \
Expand All @@ -129,9 +141,25 @@ if [ -n "$APPLE_PERSONALID" ]; then
# Deepest bundles first (sort by path length descending) to maintain inside-out order.
# .bundle/.plugin coverage prevents missing CodeResources catalog seals that can
# trigger notarytool bundle-integrity warnings.
# NOTE: Some frameworks (e.g. PyInstaller's Python.framework) have an ambiguous
# bundle structure that codesign rejects. Their individual binaries are already
# signed in Step 1, so skipping them here is safe — the .app-level signature
# in Step 3 will seal everything.
echo " Signing bundle directories (.framework, .bundle, .plugin)..."
while IFS= read -r fw; do
sign_binary "$fw"
echo " Signing: $fw"
if ! codesign_out=$(codesign --force --options runtime --timestamp \
--entitlements "$ENTITLEMENTS" \
--sign "$APPLE_PERSONALID" \
"$fw" 2>&1); then
if echo "$codesign_out" | grep -q "bundle format is ambiguous"; then
echo " WARNING: $fw — bundle format is ambiguous; contents already signed in Step 1, skipping"
else
echo " ERROR: Failed to sign $fw:" >&2
echo "$codesign_out" >&2
exit 1
fi
fi
done < <(find "dist/${APP_NAME}.app" -type d \
\( -name "*.framework" -o -name "*.bundle" -o -name "*.plugin" \) \
| awk '{ print length, $0 }' | sort -rn | cut -d' ' -f2-)
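Review bot: The "bundle format is ambiguous" branch in the second hunk leaves a framework that trips it entirely unsigned, because the first hunk's skip pattern `*.framework/Versions/*` matches every file below `Versions/` (not only the main binary the comment describes), so Step 1 signs nothing inside such a framework and the WARNING text "contents already signed in Step 1" is not true for it; unless Step 3 outside this hunk signs nested code individually, the result is an app whose embedded Python framework carries no signature, which notarization will reject or, worse, a release whose nested code is unverifiable. In the warning branch, sign the framework's main executable and its descendants directly before continuing, e.g. `fw_bin="$fw/Versions/Current/$(basename "${fw%.framework}")"` followed by `[[ -f "$fw_bin" ]] && sign_binary "$fw_bin"` (path per the usual framework layout — confirm against the PyInstaller output), or narrow the Step 1 skip to the main binary only so the existing per-file loop covers the rest. Matching on the error text with `grep -q` is also fragile across codesign versions, so finish the script with `codesign --verify --deep --strict "dist/${APP_NAME}.app"` so a silently skipped component fails the build rather than the notarization. Minor: the WARNING line goes to stdout; send it to `>&2` like the ERROR branch.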