From abeeabb978610b212eb217662333ada876811b19 Mon Sep 17 00:00:00 2001
From: Bob
Date: Wed, 8 Apr 2026 23:18:09 +0000
Subject: [PATCH] fix(build): sign non-standard framework binary via temp copy to avoid ambiguity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

codesign refuses to sign Python.framework/Python in-place when the binary is inside a .framework directory — it sees the directory context and reports 'bundle format is ambiguous (could be app or framework)'. The #1249 fallback correctly detected this case but then called sign_binary on the same path, which hits the same codesign check. Fix: copy the binary to a temp path outside any .framework dir, sign it there, then copy the signed binary back. Code signatures are embedded in the Mach-O binary (not path-dependent), so the result is identical. This should be the final fix needed to unblock the Build Tauri master CI and allow the Thursday 2026-04-09 12:00 UTC scheduled dev release to run.
---
 scripts/package/build_app_tauri.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
index 5fd3bd14f..e40f34148 100755
--- a/scripts/package/build_app_tauri.sh
+++ b/scripts/package/build_app_tauri.sh
@@ -153,11 +153,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
 --sign "$APPLE_PERSONALID" \
 "$fw" 2>&1) && echo " Signed bundle: $fw" || {
 if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
- echo " Note: $fw lacks standard bundle structure; signing main binary inside directly"
+ echo " Note: $fw lacks standard bundle structure; signing main binary via temp copy"
 fw_name="$(basename "${fw%.*}")"
 fw_binary="$fw/$fw_name"
 if [ -f "$fw_binary" ]; then
- sign_binary "$fw_binary"
+ # codesign refuses to sign Python.framework/Python in-place because
+ # it sees the parent .framework dir and reports "bundle format is
+ # ambiguous". Copy to a temp path outside any bundle directory,
+ # sign there, then copy back. Code signatures are embedded in the
+ # binary (not path-dependent), so the result is identical.
+ tmp_binary=$(mktemp)
+ cp "$fw_binary" "$tmp_binary"
+ sign_binary "$tmp_binary"
+ cp "$tmp_binary" "$fw_binary"
+ rm -f "$tmp_binary"
 else
 echo "ERROR: Expected main binary not found at $fw_binary" >&2
 echo " PyInstaller may have changed its output structure. Inspect $fw" >&2
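Review bot: In the new temp-copy branch, `cp "$tmp_binary" "$fw_binary"` runs without checking that `sign_binary "$tmp_binary"` succeeded, so a failed signing step may put an unsigned binary back into the framework and let the build continue; whether `set -e` is active and covers this `|| { … }` group is not visible in the hunk. Signing a file named by `mktemp` also means that, unless `sign_binary` passes `--identifier`, codesign derives the signing identifier from the random temp file name, so the embedded identifier would differ on every build. I would create a temp directory, keep the binary's own name inside it, chain the three steps so any failure aborts with an error, and remove the directory on both paths. The enclosing `if [ -n "$APPLE_PERSONALID" ]` block starts and ends outside the hunk, and `sign_binary` is defined elsewhere, so its return status is assumed to reflect codesign's.

```shell
if [ -f "$fw_binary" ]; then
  # … unchanged: comment explaining why the binary is signed outside the .framework dir …
  tmp_dir=$(mktemp -d) || exit 1
  # Keep the binary's own file name so the random temp name cannot end up in the signature.
  tmp_binary="$tmp_dir/$fw_name"
  if cp "$fw_binary" "$tmp_binary" \
    && sign_binary "$tmp_binary" \
    && cp "$tmp_binary" "$fw_binary"; then
    rm -rf -- "$tmp_dir"
  else
    rm -rf -- "$tmp_dir"
    echo "ERROR: Signing $fw_binary via temp copy failed" >&2
    exit 1
  fi
```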