From 0ce818a43f903adaa34cad80ec081b6be3473b54 Mon Sep 17 00:00:00 2001
From: Bob
Date: Thu, 9 Apr 2026 18:24:25 +0000
Subject: [PATCH 1/2] fix(build): preserve binary identifier when signing via temp-path copy
The temp-path codesign workaround for non-standard Python.framework bundles signed each binary without --identifier, so codesign derived the identifier from the random temp filename (e.g. 'tmp.XXXXXX'). Apple's notarization service then rejected those binaries with 'The signature of the binary is invalid' -- the certificate chain and code hashes are valid, but the identifier doesn't match what the binary originally carried. Fix: extract the existing identifier from the binary (set by PyInstaller's codesign_identity step, typically 'org.python.python') before copying to the temp path, then pass --identifier to the codesign invocation. Falls back to basename if the binary is unsigned.
---
 scripts/package/build_app_tauri.sh | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
index eef27fd15..1aac7140b 100755
--- a/scripts/package/build_app_tauri.sh
+++ b/scripts/package/build_app_tauri.sh
@@ -163,9 +163,27 @@ if [ -n "$APPLE_PERSONALID" ]; then
 signed_count=0
 while IFS= read -r fw_bin; do
 echo " Signing framework binary via temp copy: $fw_bin"
+ # Preserve the binary's existing code-signing identifier.
+ # Without --identifier, codesign uses the random temp filename
+ # (e.g. "tmp.XXXXXX") as the identifier, which makes Apple's
+ # notarization service report "The signature of the binary is
+ # invalid" — even though the certificate chain and code hashes
+ # are valid. Using the original identifier (e.g. "org.python.python"
+ # from PyInstaller's codesign_identity step) or falling back to the
+ # binary's filename avoids this rejection.
+ existing_id=$(codesign -d "$fw_bin" 2>&1 \
+ | awk -F= '/^Identifier=/{print $2; exit}' || true)
+ if [ -z "$existing_id" ]; then
+ existing_id=$(basename "$fw_bin")
+ fi
+ echo " Using identifier: $existing_id"
 tmp_binary=$(mktemp)
 cp "$fw_bin" "$tmp_binary"
- sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
+ codesign --force --options runtime --timestamp \
+ --entitlements "$ENTITLEMENTS" \
+ --identifier "$existing_id" \
+ --sign "$APPLE_PERSONALID" \
+ "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
 cp "$tmp_binary" "$fw_bin"
 rm -f "$tmp_binary"
 signed_count=$((signed_count + 1))
From 399c6adf7d9f7cd6de218e13e77fd1b34a562ec4 Mon Sep 17 00:00:00 2001
From: Bob
Date: Thu, 9 Apr 2026 19:02:55 +0000
Subject: =?UTF-8?q?fix(build):=20address=20P2=20review=20findi?=
 =?UTF-8?q?ngs=20=E2=80=94=20use=20sed=20for=20identifier=20extraction,=20?=
 =?UTF-8?q?clean=20up=20temp=20on=20cp=20failure?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/package/build_app_tauri.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh
index 1aac7140b..87879f7f0 100755
--- a/scripts/package/build_app_tauri.sh
+++ b/scripts/package/build_app_tauri.sh
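Review bot: The identifier extraction on the new `existing_id=$(codesign -d "$fw_bin" …)` line will, as far as I can tell, never see an `Identifier=` line, because `codesign -d` without `--verbose` prints only `Executable=`; the `Identifier=`/`Format=` fields need `-d --verbose` (they go to stderr, which the `2>&1` already captures). As written every binary silently takes the `basename` fallback, so the commit's stated goal of carrying `org.python.python` forward is not actually met — the `Using identifier:` line in the build log should confirm this either way. Suggest `existing_id=$(codesign -d --verbose "$fw_bin" 2>&1 | awk -F= '/^Identifier=/{print $2; exit}' || true)`. Separately, the inline `codesign --force --options runtime --timestamp …` call now duplicates whatever `sign_binary` (defined outside this hunk) does, so the two signing policies can drift; giving `sign_binary` an optional identifier argument would keep a single place that decides flags and entitlements. The `while` loop's `done` and the enclosing `if [ -n "$APPLE_PERSONALID" ]` lie outside this hunk.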
@@ -172,7 +172,7 @@ if [ -n "$APPLE_PERSONALID" ]; then
 # from PyInstaller's codesign_identity step) or falling back to the
 # binary's filename avoids this rejection.
 existing_id=$(codesign -d "$fw_bin" 2>&1 \
- | awk -F= '/^Identifier=/{print $2; exit}' || true)
+ | sed -n 's/^Identifier=//p' || true)
 if [ -z "$existing_id" ]; then
 existing_id=$(basename "$fw_bin")
 fi
@@ -184,7 +184,7 @@ if [ -n "$APPLE_PERSONALID" ]; then
 --identifier "$existing_id" \
 --sign "$APPLE_PERSONALID" \
 "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
- cp "$tmp_binary" "$fw_bin"
+ cp "$tmp_binary" "$fw_bin" || { rm -f "$tmp_binary"; exit 1; }
 rm -f "$tmp_binary"
 signed_count=$((signed_count + 1))
 done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)
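Review bot: Swapping `awk … exit` for `sed -n 's/^Identifier=//p'` drops the first-match-only behaviour: `sed` prints every matching line, so if `codesign -d` ever emits more than one `Identifier=` line, `existing_id` becomes a multi-line string that is then handed verbatim to `--identifier`. `sed -n '/^Identifier=/{s///p;q;}'` keeps the single-match semantics while staying in sed (the trailing `;` before `}` is what BSD sed on macOS wants). The `|| true` also makes a missing or failing `codesign` indistinguishable from an unsigned binary — both fall through to `basename` — which is acceptable as a fallback but deserves a comment on the line, e.g. `# empty when the binary is unsigned OR when codesign itself fails; both fall back to the filename`. The enclosing `while` loop starts and ends outside this hunk.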
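Review bot: The new `cp "$tmp_binary" "$fw_bin" || { rm -f "$tmp_binary"; exit 1; }` makes a failed write-back fatal, but `cp` truncates the destination before writing, so on a failure (disk full, interrupt) the bundle is left holding a zero-length or partial `$fw_bin`; since the script exits 1 this only matters if anything reuses that build tree, which is worth stating at the line: `# NOTE: a failed cp leaves $fw_bin truncated — the build tree must be discarded on exit 1`. A cheaper safeguard than atomic replacement is to verify what was written back before moving on, e.g. `codesign --verify --strict "$fw_bin" || { rm -f "$tmp_binary"; exit 1; }` right after the copy, which would also catch an identifier or signature problem locally instead of at notarization — assuming `codesign` can verify a single Mach-O at this framework path even though signing there was the original problem. The temp file is still removed only on the explicit failure branches; if the script runs under `set -e` (not visible here), any other failing command in the loop body leaks it, which a `trap 'rm -f "$tmp_binary"' EXIT` set once before the loop would cover unless an EXIT trap already exists elsewhere in the script. The `while` loop and the `if [ -n "$APPLE_PERSONALID" ]` it sits in begin outside this hunk.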