From 2daddcab0893b4581258ab3b23011bb23da47eb6 Mon Sep 17 00:00:00 2001 From: Bob Date: Thu, 9 Apr 2026 22:29:16 +0000 Subject: [PATCH 1/2] fix(build): snapshot pre-signing checksum to correctly detect framework binary duplicates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cmp -s guard in #1256 runs after signing the canonical binary, comparing signed bytes against unsigned duplicates — they always differ. This causes all three Python.framework copies to be signed separately with independent codesign invocations (different nonces/timestamps), producing inconsistent signature blocks that Apple rejects with 'The signature of the binary is invalid.' Fix: compute shasum of canonical BEFORE signing, then compare each duplicate's checksum against that pre-signing hash. Identical files (PyInstaller duplicate copies) are correctly detected and receive the byte-identical signed binary. Genuinely distinct binaries still fall through to the separate-signing path. --- scripts/package/build_app_tauri.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh index 6af17c241..7797f2df7 100755 --- a/scripts/package/build_app_tauri.sh +++ b/scripts/package/build_app_tauri.sh @@ -183,6 +183,10 @@ if [ -n "$APPLE_PERSONALID" ]; then if [ -z "$existing_id" ]; then existing_id=$(basename "$canonical") fi + # Snapshot the canonical checksum BEFORE signing — signing changes + # the binary bytes, so cmp -s after the fact always returns "differs" + # even when canonical and duplicates started as byte-identical copies. + canonical_presign=$(shasum "$canonical" | cut -d' ' -f1) echo " Signing canonical framework binary: $canonical (identifier: $existing_id)" tmp_binary=$(mktemp) cp -p "$canonical" "$tmp_binary" @@ -195,10 +199,10 @@ if [ -n "$APPLE_PERSONALID" ]; then rm -f "$tmp_binary" # Copy the signed canonical to all duplicate paths so they share # byte-identical signatures (Apple notarization checks all paths). - # Guard with cmp -s so genuinely distinct binaries are signed - # separately rather than silently overwritten. + # Guard with PRE-SIGNING checksum so genuinely distinct binaries are + # signed separately rather than silently overwritten. for fw_bin in "${fw_bins[@]:1}"; do - if cmp -s "$canonical" "$fw_bin"; then + if [ "$(shasum "$fw_bin" | cut -d' ' -f1)" = "$canonical_presign" ]; then echo " Syncing signed binary to duplicate path: $fw_bin" cp "$canonical" "$fw_bin" || exit 1 else From 16d7938f58abc999646f2c4f00b47266b304dabf Mon Sep 17 00:00:00 2001 From: Bob Date: Thu, 9 Apr 2026 22:43:50 +0000 Subject: [PATCH 2/2] fix(build): track synced/separately-signed counts accurately in summary log --- scripts/package/build_app_tauri.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/package/build_app_tauri.sh b/scripts/package/build_app_tauri.sh index 7797f2df7..f1b9321b4 100755 --- a/scripts/package/build_app_tauri.sh +++ b/scripts/package/build_app_tauri.sh @@ -201,10 +201,13 @@ if [ -n "$APPLE_PERSONALID" ]; then # byte-identical signatures (Apple notarization checks all paths). # Guard with PRE-SIGNING checksum so genuinely distinct binaries are # signed separately rather than silently overwritten. + synced_count=0 + separately_count=0 for fw_bin in "${fw_bins[@]:1}"; do if [ "$(shasum "$fw_bin" | cut -d' ' -f1)" = "$canonical_presign" ]; then echo " Syncing signed binary to duplicate path: $fw_bin" cp "$canonical" "$fw_bin" || exit 1 + ((synced_count++)) else echo " WARNING: $fw_bin differs from canonical; signing separately" >&2 tmp2=$(mktemp) @@ -218,9 +221,10 @@ if [ -n "$APPLE_PERSONALID" ]; then "$tmp2" || { rm -f "$tmp2"; exit 1; } cp "$tmp2" "$fw_bin" || { rm -f "$tmp2"; exit 1; } rm -f "$tmp2" + ((separately_count++)) fi done - echo " Signed 1 + synced $((${#fw_bins[@]} - 1)) duplicate(s) inside $fw" + echo " Signed $((1 + separately_count)) + synced ${synced_count} duplicate(s) inside $fw" else echo "ERROR: Failed to sign $fw: $sign_output" >&2 exit 1