Skip to content

fix(build): preserve binary identifier when signing via temp-path copy #1255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ErikBjare merged 2 commits into from
Apr 9, 2026
+20 −2
Merged

fix(build): preserve binary identifier when signing via temp-path copy #1255

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0ce818a
fix(build): preserve binary identifier when signing via temp-path copy
TimeToBuildBob Apr 9, 2026
399c6ad
fix(build): address P2 review findings — use sed for identifier extra…
TimeToBuildBob Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions scripts/package/build_app_tauri.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,10 +163,28 @@ if [ -n "$APPLE_PERSONALID" ]; then
signed_count=0
while IFS= read -r fw_bin; do
echo " Signing framework binary via temp copy: $fw_bin"
# Preserve the binary's existing code-signing identifier.
# Without --identifier, codesign uses the random temp filename
# (e.g. "tmp.XXXXXX") as the identifier, which makes Apple's
# notarization service report "The signature of the binary is
# invalid" — even though the certificate chain and code hashes
# are valid. Using the original identifier (e.g. "org.python.python"
# from PyInstaller's codesign_identity step) or falling back to the
# binary's filename avoids this rejection.
existing_id=$(codesign -d "$fw_bin" 2>&1 \
| sed -n 's/^Identifier=//p' || true)
if [ -z "$existing_id" ]; then
existing_id=$(basename "$fw_bin")
fi
echo " Using identifier: $existing_id"
tmp_binary=$(mktemp)
cp "$fw_bin" "$tmp_binary"
sign_binary "$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
cp "$tmp_binary" "$fw_bin"
codesign --force --options runtime --timestamp \
--entitlements "$ENTITLEMENTS" \
--identifier "$existing_id" \
--sign "$APPLE_PERSONALID" \
"$tmp_binary" || { rm -f "$tmp_binary"; exit 1; }
cp "$tmp_binary" "$fw_bin" || { rm -f "$tmp_binary"; exit 1; }
rm -f "$tmp_binary"
Comment on lines 180 to 188
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Temp file leaked if cp back to $fw_bin fails

If cp "$tmp_binary" "$fw_bin" fails (e.g. disk full, permission denied), set -e at the top of the script causes an immediate exit before rm -f "$tmp_binary" runs, leaking the temp file. A trap would ensure cleanup:

tmp_binary=$(mktemp)
trap 'rm -f "$tmp_binary"' EXIT
cp "$fw_bin" "$tmp_binary"
codesign --force --options runtime --timestamp \
    --entitlements "$ENTITLEMENTS" \
    --identifier "$existing_id" \
    --sign "$APPLE_PERSONALID" \
    "$tmp_binary" || exit 1
cp "$tmp_binary" "$fw_bin"
trap - EXIT
rm -f "$tmp_binary"

This is a minor robustness concern only — the OS will reclaim the file at process exit regardless.

Copy link
Copy Markdown
Contributor Author

@TimeToBuildBob TimeToBuildBob Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 399c6ad — added || { rm -f "$tmp_binary"; exit 1; } to the cp back to $fw_bin so the temp file is cleaned up on copy failure.

signed_count=$((signed_count + 1))
done < <(find "$fw" -type f | xargs file | grep "Mach-O" | cut -d: -f1)
Expand Down
Loading