diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh index 6af17c241..f1b9321b4 100755 --- a/scripts/package/build_app_tauri.sh +++ b/scripts/package/build_app_tauri.sh @@ -183,6 +183,10 @@ if [ -n "$APPLE_PERSONALID" ]; then if [ -z "$existing_id" ]; then existing_id=$(basename "$canonical") fi + # Snapshot the canonical checksum BEFORE signing — signing changes + # the binary bytes, so cmp -s after the fact always returns "differs" + # even when canonical and duplicates started as byte-identical copies. + canonical_presign=$(shasum "$canonical" | cut -d' ' -f1) echo " Signing canonical framework binary: $canonical (identifier: $existing_id)" tmp_binary=$(mktemp) cp -p "$canonical" "$tmp_binary" @@ -195,12 +199,15 @@ if [ -n "$APPLE_PERSONALID" ]; then rm -f "$tmp_binary" # Copy the signed canonical to all duplicate paths so they share # byte-identical signatures (Apple notarization checks all paths). - # Guard with cmp -s so genuinely distinct binaries are signed - # separately rather than silently overwritten. + # Guard with PRE-SIGNING checksum so genuinely distinct binaries are + # signed separately rather than silently overwritten. + synced_count=0 + separately_count=0 for fw_bin in "${fw_bins[@]:1}"; do - if cmp -s "$canonical" "$fw_bin"; then + if [ "$(shasum "$fw_bin" | cut -d' ' -f1)" = "$canonical_presign" ]; then echo " Syncing signed binary to duplicate path: $fw_bin" cp "$canonical" "$fw_bin" || exit 1 + ((synced_count++)) else echo " WARNING: $fw_bin differs from canonical; signing separately" >&2 tmp2=$(mktemp) @@ -214,9 +221,10 @@ if [ -n "$APPLE_PERSONALID" ]; then "$tmp2" || { rm -f "$tmp2"; exit 1; } cp "$tmp2" "$fw_bin" || { rm -f "$tmp2"; exit 1; } rm -f "$tmp2" + ((separately_count++)) fi done - echo " Signed 1 + synced $((${#fw_bins[@]} - 1)) duplicate(s) inside $fw" + echo " Signed $((1 + separately_count)) + synced ${synced_count} duplicate(s) inside $fw" else echo "ERROR: Failed to sign $fw: $sign_output" >&2 exit 1