diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
index 5fd3bd14f..e40f34148 100755
--- a/scripts/package/build_app_tauri.sh
+++ b/scripts/package/build_app_tauri.sh
@@ -153,11 +153,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
 --sign "$APPLE_PERSONALID" \
 "$fw" 2>&1) && echo " Signed bundle: $fw" || {
 if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
- echo " Note: $fw lacks standard bundle structure; signing main binary inside directly"
+ echo " Note: $fw lacks standard bundle structure; signing main binary via temp copy"
 fw_name="$(basename "${fw%.*}")"
 fw_binary="$fw/$fw_name"
 if [ -f "$fw_binary" ]; then
- sign_binary "$fw_binary"
+ # codesign refuses to sign Python.framework/Python in-place because
+ # it sees the parent .framework dir and reports "bundle format is
+ # ambiguous". Copy to a temp path outside any bundle directory,
+ # sign there, then copy back. Code signatures are embedded in the
+ # binary (not path-dependent), so the result is identical.
+ tmp_binary=$(mktemp)
+ cp "$fw_binary" "$tmp_binary"
+ sign_binary "$tmp_binary"
+ cp "$tmp_binary" "$fw_binary"
+ rm -f "$tmp_binary"
 else
 echo "ERROR: Expected main binary not found at $fw_binary" >&2
 echo " PyInstaller may have changed its output structure. Inspect $fw" >&2
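Review bot: The temp-copy sequence added under `if [ -f "$fw_binary" ]` never checks whether `mktemp`, either `cp`, or `sign_binary` succeeded, so a failure there can leave the framework binary unsigned (and the temp file behind) while the build carries on; whether `set -e` is active, and whether it would take effect inside this `|| { … }` group, is not visible in the hunk. Each step should fail the build explicitly, and the copied-back file should be checked with `codesign --verify --strict "$fw_binary"` before moving on. The new comment's claim that the result is identical also deserves a check: for a bare Mach-O file codesign takes the default signing identifier from the file name, so unless `sign_binary` passes an explicit identifier the signature may carry the mktemp name instead of the binary's. The `exit 1` calls in the sketch below assume the script aborts on signing errors, and the enclosing `if`/`||` block starts and ends outside the hunk.

```shell
if [ -f "$fw_binary" ]; then
  # … unchanged: comment explaining the temp-copy workaround …
  tmp_binary=$(mktemp) || { echo "ERROR: mktemp failed" >&2; exit 1; }
  if ! cp "$fw_binary" "$tmp_binary" ||
     ! sign_binary "$tmp_binary" ||
     ! cp "$tmp_binary" "$fw_binary"; then
    rm -f "$tmp_binary"
    echo "ERROR: Failed to sign $fw_binary via temp copy" >&2
    exit 1
  fi
  rm -f "$tmp_binary"
  # Fail closed if the copied-back binary does not carry a valid signature.
  codesign --verify --strict "$fw_binary" || {
    echo "ERROR: Signature check failed for $fw_binary" >&2
    exit 1
  }
```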