fix(build): preserve identifiers in strip-and-sync framework fallback

[TimeToBuildBob]

Summary

• preserve the original codesign identifier before stripping signatures in the non-standard framework fallback
• sign the canonical binary with that identifier, then sync the signed copy to duplicate framework paths
• keep the existing strip-and-sync approach, but avoid falling back to path-derived identifiers like Python

Why

Build Tauri on master is still failing on macOS in run 24240587094 after #1258. The notarization rejection log shows all embedded Python.framework copies are still rejected as The signature of the binary is invalid.

The current strip-and-sync fallback fixed divergent signatures, but it re-signs the canonical binary without preserving the original identifier. For these embedded Python binaries, that means codesign uses the path/basename-derived identifier (Python) instead of the original binary identifier, which is exactly the regression fixed earlier in #1255.

This patch reapplies that lesson to the strip-and-sync fallback: capture the original identifier before removing the signature, then pass it explicitly during re-signing.

Verification

• bash -n scripts/package/build_app_tauri.sh
• inspected notarization rejection log from run 24240587094 / job 70773894191

[greptile-apps]

Greptile Summary

This PR extends the strip-and-sync fallback (introduced in #1258) for non-standard PyInstaller-embedded Python.framework bundles to preserve the original codesign identifier before stripping pre-existing signatures. Without this, re-signing the canonical binary would let codesign derive the identifier from the path/basename (e.g., Python), reintroducing the same notarization rejection fixed in #1255.

Confidence Score: 5/5

Safe to merge — the fix is logically correct and the only remaining findings are minor style suggestions.

The core invariant of the patch (capture identifier → strip → re-sign with original identifier → sync) is implemented in the right order with a sensible fallback. No P0/P1 issues were found.

No files require special attention.

Important Files Changed

Filename	Overview
scripts/package/build_app_tauri.sh	Adds canonical_identifier capture via codesign -d before stripping in the ambiguous-framework fallback, then passes it to sign_binary_with_identifier; logic is correct and order of capture→strip→sign is sound.

Sequence Diagram

sequenceDiagram
    participant S as build_app_tauri.sh
    participant CS as codesign
    participant FS as Filesystem

    S->>FS: find fw -type f | xargs file | grep Mach-O
    FS-->>S: [fw_bin1, fw_bin2, fw_bin3, ...]

    Note over S: First iteration (canonical)
    S->>CS: codesign -d fw_bin1 (capture identifier)
    CS-->>S: Identifier=com.python.python
    S->>CS: codesign --remove-signature fw_bin1
    S->>CS: sign_binary_with_identifier fw_bin1 com.python.python
    CS-->>S: Signed canonical binary

    Note over S: Subsequent iterations (duplicates)
    S->>CS: codesign --remove-signature fw_bin2
    S->>FS: cp -p fw_bin1 fw_bin2
    S->>CS: codesign --remove-signature fw_bin3
    S->>FS: cp -p fw_bin1 fw_bin3

    Note over S: All copies now byte-identical and share the same signature

Loading

_{Reviews (1): Last reviewed commit: "fix(build): preserve identifiers in stri..." | Re-trigger Greptile}

[greptile-apps]

Identifier captured from first find result — order is non-deterministic

find "$fw" -type f produces filesystem-order output with no ordering guarantee, so the binary whose identifier is captured as the canonical one is unpredictable. In the normal case this is harmless — all PyInstaller copies of Python carry the same original identifier — but if a prior aborted run left one copy re-signed with a degraded identifier (e.g., Python), that copy could surface first and its bad identifier would be propagated to all others.

A small defensive improvement would be to prefer the deepest versioned path (e.g., Versions/3.x/Python) over the shallow symlink alias, or at least log which binary's identifier was selected so it's visible in CI output.

[greptile-apps]

-F= field separator is set but unused

awk -F= splits on = into fields, but the print statement uses substr($0, index($0,"=") + 1) (positional) rather than $2. The -F= flag has no effect here and can be dropped for clarity.

Suggested change

	if [ -z "$canonical_identifier" ]; then
	canonical_identifier=$(codesign -d "$fw_bin" 2>&1 | awk '/^Identifier=/{print substr($0, index($0, "=") + 1)}')

[TimeToBuildBob]

I pushed one more fix instead of just restating the same theory.

What I found

The current #1259 branch was still over-collapsing binaries inside the ambiguous Python.framework fallback.

The fallback logic did this:

• capture one canonical_identifier from the first Mach-O it sees in the framework
• strip signatures from all Mach-O files in that framework
• sign the first binary once with that single identifier
• copy that signed binary to every other Mach-O path in the framework

That is too aggressive.

Inside these PyInstaller Python.framework trees, not every Mach-O is necessarily the same logical binary just because it lives under the same framework directory. The current loop was effectively treating the whole framework as one duplicate set.

So even if preserving the identifier fixed the Python -> org.python.python regression, the fallback still risked copying the wrong signed payload across distinct Mach-O files within the framework. That's exactly the kind of thing Apple would still reject as The signature of the binary is invalid.

What I changed

New commit on this PR:

• 50875e1 — fix(build): group framework fallback by content hash

The fallback now:

1. strips any pre-existing signature from each Mach-O
2. computes a SHA-256 of the stripped binary content
3. groups binaries by content hash
4. signs the first binary in each hash-group with its own preserved identifier
5. only syncs that signed canonical binary to other paths in the same content group

So the dedup invariant is now much tighter:

• same stripped bytes → can share the same signed payload
• different stripped bytes → must be signed independently

Why this is better

This matches the real problem more closely.

The bug isn't "everything inside Python.framework is one duplicate set".
The bug is "some paths inside these non-standard framework copies are byte-identical duplicates with signature noise".

Grouping by stripped-content hash preserves that distinction.

Verification

• bash -n scripts/package/build_app_tauri.sh

If this still fails after merge/test on master, then I agree we should stop guessing from Linux and move the loop onto Erik's Mac so I can inspect the signed bundle directly with codesign, spctl, file, and notarytool log locally.

[TimeToBuildBob]

Rebased on master + consolidated

Rebased onto latest master (which includes #1255-#1258) and consolidated the 4 previous commits into 1 clean commit (563dbdf).

What changed from the previous version:

• Absorbed the identifier preservation logic from fix(build): preserve binary identifier when signing via temp-path copy #1255 (already in master)
• Absorbed the "always sync canonical" fix from fix(build): always sync canonical framework binary to avoid per-copy signature divergence #1258 (already in master)
• Kept my two genuine improvements on top:
  1. Strip existing signatures before comparison — ensures content hashing compares actual binary code, not signature nonces
  2. Group by SHA-256 content hash — only sync signed payloads between true duplicates, not all Mach-Os in the framework

Net diff: +50/-52 lines in build_app_tauri.sh. The fallback block now:

1. Strips all pre-existing signatures (PyInstaller codesign_identity remnants)
2. Computes SHA-256 of each stripped Mach-O binary
3. Signs one canonical per content-hash group via temp copy (preserving identifiers)
4. Syncs signed payload only within same hash group

This is strictly more correct than the current "always sync all" approach, and maintains all the hard-won fixes from #1255-#1258.

Next step: If notarization still fails after this merge, the remaining debug loop should happen on a macOS machine with codesign/notarytool inspection of the actual built artifacts.