fix(build): handle non-standard Python.framework signing in Tauri build

[TimeToBuildBob]

Problem

Post-merge master Build Tauri is failing on both macOS runners with:

dist/ActivityWatch.app/Contents/Resources/aw-watcher-window/Python.framework: bundle format is ambiguous (could be app or framework)
make: *** [dist/ActivityWatch.app] Error 1

This is happening in Step 2 of the inside-out codesign loop (introduced in #1246, patched in #1247), which tries to sign all .framework directories as bundles. PyInstaller-embedded Python.framework bundles (inside aw-watcher-window and aw-watcher-input) lack the standard Versions/ directory structure and Info.plist that codesign requires to sign a proper framework bundle, so it rejects them with "bundle format is ambiguous".

#1247 correctly fixed Step 1 (skipping the Python.framework/Python binary as a standalone file). But Step 2 still unconditionally called sign_binary on the .framework directory itself, hitting the same ambiguous-bundle error.

Fix

In Step 2, catch "bundle format is ambiguous" errors and fall back to signing the main binary inside the framework directly (e.g. Python.framework/Python). All other codesign errors remain fatal so real signing problems are still surfaced.

This completes the signing chain:

• .so files and sub-binaries inside Python.framework → signed in Step 1
• Python.framework/Python (skipped in Step 1 by fix(build): skip framework main binaries in codesign Step 1 #1247) → signed via Step 2 fallback
• Standard frameworks/bundles with proper Info.plist → signed normally in Step 2

Related

• Fixes the post-merge CI failure introduced when fix(build): skip framework main binaries in codesign Step 1 #1247 landed on master
• Follows up on fix(build): replace codesign --deep with inside-out per-binary signing for notarization #1246 (inside-out signing) and fix(build): skip framework main binaries in codesign Step 1 #1247 (framework binary skip)
• Tracked in ErikBjare/bob#546

[greptile-apps]

Greptile Summary

This PR fixes a post-merge CI failure in the Tauri macOS build by adding a fallback in the Step 2 codesign loop: when codesign rejects a .framework directory with "bundle format is ambiguous" (because PyInstaller-embedded frameworks lack the standard Versions/ structure and Info.plist), it now signs the main binary inside the framework directly instead of failing fatally. All other codesign errors remain fatal, preserving real-error detection.

Confidence Score: 5/5

Safe to merge — the fix is targeted, non-standard framework signing errors are caught precisely, and all other codesign failures remain fatal.

The only finding is a P2 observability suggestion (silent skip warning instead of hard exit when the fallback binary is absent). This does not affect correctness for the known PyInstaller layout, and the existing if [ -f ] guard is intentionally lenient. No P0/P1 issues found.

No files require special attention.

Vulnerabilities

No security concerns identified. The change narrows the error-handling surface rather than expanding it — only the specific "bundle format is ambiguous" message triggers the fallback path, and all other codesign failures still cause a hard exit.

Important Files Changed

Filename	Overview
scripts/package/build_app_tauri.sh	Adds fallback in Step 2 codesign loop: catches "bundle format is ambiguous" for non-standard PyInstaller-embedded frameworks and signs the main binary directly; all other codesign errors remain fatal.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Step 1: Sign all Mach-O files\nlength-sorted deepest-first] --> B{Parent dir is\n.framework/.bundle/.plugin?}
    B -- Yes --> C[Skip — will be handled\nin Step 2]
    B -- No --> D[sign_binary file]
    C --> E
    D --> E[Step 2: Sign bundle directories\n.framework / .bundle / .plugin\nlength-sorted deepest-first]
    E --> F{codesign succeeds?}
    F -- Yes --> G[Signed bundle ✓]
    F -- No --> H{Error contains\n'bundle format\nis ambiguous'?}
    H -- Yes --> I[Fallback: sign main binary\ne.g. Python.framework/Python]
    I --> J{Binary exists\nat fw/fw_name?}
    J -- Yes --> K[sign_binary fw_binary ✓]
    J -- No --> L[Warning: skip —\nbinary not found]
    H -- No --> M[echo ERROR + exit 1 ✗]
    G --> N[Step 3: Sign top-level\n.app bundle last]
    K --> N
    L --> N

Loading

_{Reviews (1): Last reviewed commit: "fix(build): handle non-standard Python.f..." | Re-trigger Greptile}

[greptile-apps]

Silent skip may hide unsigned components

If the main binary isn't found at $fw_binary, the framework is left unsigned with just a warning. Because notarytool's rejection message for unsigned embedded content doesn't always name the missing binary, a silent skip here could produce a confusing downstream notarization failure rather than a clear build error.

Consider making this fatal, or at least surfacing it more loudly (e.g., exit 1), since a missing main binary at the expected path likely indicates a structural change in PyInstaller's output that needs attention.

[TimeToBuildBob]

Fixed in c2c0af4: changed the silent-skip to a fatal error (exit 1 with a clear message). If $fw_binary is not found, it now prints ERROR: Expected main binary not found at $fw_binary + a hint about PyInstaller output changes, then exits. A missing binary at this point means PyInstaller changed its structure, which warrants a loud build failure rather than a silent skip that could cause confusing notarization errors later.