Merged
13 changes: 11 additions & 2 deletions scripts/package/build_app_tauri.sh
Expand Up @@ -153,11 +153,20 @@ if [ -n "$APPLE_PERSONALID" ]; then
--sign "$APPLE_PERSONALID" \
"$fw" 2>&1) && echo " Signed bundle: $fw" || {
if echo "$sign_output" | grep -q "bundle format is ambiguous"; then
echo " Note: $fw lacks standard bundle structure; signing main binary inside directly"
echo " Note: $fw lacks standard bundle structure; signing main binary via temp copy"
fw_name="$(basename "${fw%.*}")"
fw_binary="$fw/$fw_name"
if [ -f "$fw_binary" ]; then
sign_binary "$fw_binary"
# codesign refuses to sign Python.framework/Python in-place because
# it sees the parent .framework dir and reports "bundle format is
# ambiguous". Copy to a temp path outside any bundle directory,
# sign there, then copy back. Code signatures are embedded in the
# binary (not path-dependent), so the result is identical.
tmp_binary=$(mktemp)
cp "$fw_binary" "$tmp_binary"
sign_binary "$tmp_binary"
cp "$tmp_binary" "$fw_binary"
rm -f "$tmp_binary"
Comment on lines +165 to +169
P2 Temp file not cleaned up on signing failure

If sign_binary "$tmp_binary" fails (non-zero exit), set -e aborts the script before rm -f "$tmp_binary" runs, leaving the temp file in /tmp. In CI this is harmless since the machine isn't reused, but a trap guard would make this leak-proof in any environment.

Suggested change
tmp_binary=$(mktemp)
cp "$fw_binary" "$tmp_binary"
sign_binary "$tmp_binary"
cp "$tmp_binary" "$fw_binary"
rm -f "$tmp_binary"
tmp_binary=$(mktemp)
trap 'rm -f "$tmp_binary"' EXIT
cp "$fw_binary" "$tmp_binary"
sign_binary "$tmp_binary"
cp "$tmp_binary" "$fw_binary"
rm -f "$tmp_binary"
trap - EXIT

else
echo "ERROR: Expected main binary not found at $fw_binary" >&2
echo " PyInstaller may have changed its output structure. Inspect $fw" >&2
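Review bot: Nothing after `cp "$tmp_binary" "$fw_binary"` checks that the copied-back binary actually carries a valid signature, so the comment's claim that "the result is identical" goes untested in the build. Add a `codesign --verify --strict "$fw_binary"` right after the copy back and fail the script if it does not pass. Also confirm what `sign_binary` (not shown in this hunk) passes to codesign: when no explicit `--identifier` is given and there is no Info.plist, codesign derives the signing identifier from the file name, so signing at a `mktemp` path can embed the random temp name instead of the framework binary's name. If that applies here, pass the identifier explicitly (for example `$fw_name`) or sign a copy that keeps the original file name inside a `mktemp -d` directory.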