fix(build): restore Python.framework symlinks before signing

[ErikBjare]

Summary

• Restores standard macOS framework symlink structure in Python.framework before code signing
• Root cause of all recent notarization failures (fix(build): preserve binary identifier when signing via temp-path copy #1255, fix(build): always sync canonical framework binary to avoid per-copy signature divergence #1258, fix(build): preserve identifiers in strip-and-sync framework fallback #1259): PyInstaller copies Python.framework using regular files/directories instead of symlinks, causing codesign to reject it with "bundle format is ambiguous" and triggering a fallback path that never produces valid framework bundle signatures
• Apple's notarization rejects because the individual-binary signing approach doesn't create the _CodeSignature/CodeResources seal that Apple expects for .framework bundles

Verified locally that restoring symlinks fixes the signing:

• Without symlinks: codesign → "bundle format is ambiguous" (current CI behavior)
• With symlinks: codesign → signs and verifies successfully

What changed

After cp -r copies watcher components into the .app, a new step finds all Python.framework directories and restores the canonical layout:

Python.framework/
  Python -> Versions/Current/Python          (was a copy)
  Resources -> Versions/Current/Resources    (was a copy)
  Versions/
    Current -> 3.9                           (was a directory)
    3.9/
      Python      (the actual binary - unchanged)
      Resources/  (unchanged)

The existing fallback code (strip-sign-sync) is left in place as a safety net but should no longer trigger for Python.framework.

Test plan

• CI Build Tauri macOS jobs should pass (both macos-14 and macos-latest)
• Notarization should succeed (no more "The signature of the binary is invalid" rejections)
• After merge, Create dev release workflow should produce v0.13.3b1

Fixes #1216
Related: ErikBjare/bob#546

[greptile-apps]

Greptile Summary

This PR inserts a pre-signing step in build_app_tauri.sh that replaces the regular files/directories PyInstaller copies in Python.framework with the correct macOS symlink structure (Versions/Current → <version>, and root-level Python/Resources/Headers pointing into Versions/Current/), resolving the codesign "bundle format is ambiguous" rejection that has been breaking notarization. The existing strip-sign-sync fallback is retained as a safety net. Two minor robustness nits: ls | grep | head for version discovery could emit SIGPIPE under certain conditions and is better replaced with a glob loop, and the -name "*.framework" | grep -i python filter can be simplified to -iname "Python.framework" directly in find.

Confidence Score: 5/5

Safe to merge — the fix is logically correct and all remaining comments are P2 style suggestions.

The symlink restoration logic correctly handles the described PyInstaller layout (Versions/3.9 as the real dir, Current as the copy to replace). Guards against already-correct symlinks are present. The two P2 comments are robustness suggestions that don't affect correctness in the expected build environment.

No files require special attention.

Important Files Changed

Filename	Overview
scripts/package/build_app_tauri.sh	Adds a pre-signing step to restore canonical macOS framework symlinks (Versions/Current, Python, Resources, Headers) that PyInstaller replaces with plain directories/files. Logic is correct for the common single-version case; minor robustness issues with ls-based version discovery and overly broad grep filter.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[cp -r components into .app] --> B["find Python.framework dirs"]
    B --> C{Any found?}
    C -- No --> G[Set executable permissions]
    C -- Yes --> D["Discover version_dir\n(ls Versions/ | grep -v Current)"]
    D --> E{version_dir empty?}
    E -- Yes --> F[Warning: skip this framework]
    F --> D2[Next framework]
    E -- No --> H{"Versions/Current is\na real dir?"}
    H -- Yes --> I["rm -rf Versions/Current\nln -s version_dir Versions/Current"]
    H -- Already a symlink --> J
    I --> J["For Python, Resources, Headers:\nif real file/dir → replace with symlink"]
    J --> D2
    D2 --> C
    G --> K[Sign .app inside-out\nStep 1: Mach-O leaves\nStep 2: .framework bundles\nStep 3: top-level .app]

Loading

_{Reviews (1): Last reviewed commit: "fix(build): restore Python.framework sym..." | Re-trigger Greptile}

[greptile-apps]

ls | grep | head is fragile for version discovery

Parsing ls output in shell scripts is unreliable — locale settings can affect ordering, and grep exits non-zero via SIGPIPE when head -1 terminates the pipeline early. A glob-based approach is safer and sidesteps all of these:

Suggested change

	version_dir=$(ls "$fw/Versions/" 2>/dev/null | grep -v Current | head -1)
	version_dir=""
	for d in "$fw/Versions"/*/; do
	bname="$(basename "$d")"
	if [ "$bname" != "Current" ] && [ -d "$d" ]; then
	version_dir="$bname"
	break
	fi
	done

This also implicitly verifies that the matched entry is an actual directory, guarding against unexpected files in Versions/.

[greptile-apps]

grep -i python may over-match framework paths

grep -i python applied to the full path can match any framework whose path contains "python" (e.g., a hypothetical SomePythonTool.framework). Using -iname directly in find is more precise and removes the extra pipe:

Suggested change

	done < <(find "dist/${APP_NAME}.app" -type d -name "*.framework" \
	| grep -i python)
	done < <(find "dist/${APP_NAME}.app" -type d -iname "Python.framework")