fix: address Apple validation errors for Mac Catalyst TestFlight #556

Merged
jfversluis merged 4 commits into main from fix/maccatalyst-validation-errors
Apr 8, 2026

@jfversluis
Collaborator

Fixes all 4 validation errors from the TestFlight upload:

  1. Bundle ID: Reverts to nl.versluis.polypilot (Apple rejects the maccatalyst prefix)
  2. LSApplicationCategoryType: Added developer-tools category to Info.plist
  3. Copilot binary signing: Re-signs the bundled copilot CLI after dotnet publish
  4. Copilot binary sandbox: Uses AppStore entitlements for the re-sign

Note: The build may fail if MAUI can't match the base ApplicationId to the maccatalyst provisioning profile. If so, a new provisioning profile may be needed.

jfversluis and others added 4 commits April 8, 2026 13:49
1. Bundle ID: use nl.versluis.polypilot (Apple says it was already
   registered as this, cannot change to maccatalyst. prefix)
2. LSApplicationCategoryType: add public.app-category.developer-tools
   to Info.plist (required for Mac App Store)
3. Copilot binary signing: re-sign the bundled copilot CLI with the
   same identity and sandbox entitlements after dotnet publish
4. Copilot binary sandbox: included via the entitlements used in
   the re-sign step

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Build needs maccatalyst.nl.versluis.polypilot to match the
provisioning profile. Apple's upload validation needs the base
bundle-id nl.versluis.polypilot to match the App Store Connect
record. Use --bundle-id override in altool --upload-package.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

CreatePackage=true seals the .pkg before the copilot binary can be
re-signed. Split into 3 steps:
 produces .app
2. Re-sign copilot binary + dylibs + frameworks + .app (inside-out)
 creates .pkg

Follows the same inside-out signing pattern as build.yml (Homebrew).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…validation

Address all 4 Apple validation errors:

1. Bundle ID mismatch: Build with maccatalyst. prefix (for provisioning
   profile match), then patch CFBundleIdentifier back to base ID before
   signing. App Store Connect expects the base bundle ID, not the
   maccatalyst-prefixed one.

2. Copilot binary signing: Use minimal Entitlements.Helper.plist with
   app-sandbox + inherit (standard pattern for helper executables in
   sandboxed apps) instead of the full app entitlements.

3. Missing LSApplicationCategoryType: Already added in previous commit.

4. Copilot sandbox: Covered by the new helper entitlements file.

Added --deep --strict signature verification step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jfversluis jfversluis merged commit 1b53cb6 into main Apr 8, 2026
@jfversluis jfversluis deleted the fix/maccatalyst-validation-errors branch April 8, 2026 12:28
@PureWeen
Owner

PureWeen commented Apr 8, 2026

🔍 Multi-Model Code Review — PR #556

PR: fix: address Apple validation errors for Mac Catalyst TestFlight
Branch: fix/maccatalyst-validation-errors
Tests: N/A (CI workflow changes only)
CI: ⚠️ No checks reported on the branch


Findings

🟡 MODERATE — Missing copilot binary should fail the build, not warn

File: release-apps.yml, Re-sign step (~line 270)
Flagged by: 2/3 reviewers

Problem: When the copilot binary is not found at Contents/MonoBundle/copilot, the script prints a warning and continues — signing dylibs, frameworks, creating the PKG, and attempting upload for a fundamentally broken artifact. The codesign -dvv "$COPILOT_BIN" verify at the end does eventually fail, but:

  1. Wastes CI time packaging a broken build
  2. Error message is misleading (No such file or directory from codesign, not "copilot missing")
  3. If the verify line is ever wrapped in || true, the guard disappears

Suggested fix: Add exit 1 after the warning echo in the else branch.


Issues Already Fixed by Follow-Up PRs

The following issues exist in this PR's diff but have been addressed by subsequent merged PRs. Listed for completeness:

| Issue | Severity | Fixed in |
| --- | --- | --- |
| Re-signing discards application-identifier entitlement | High | #568 (592fc1454) |
| CFBundleIdentifier patch creates mismatch with provisioning profile | High | #567 (1dba343c7) |
| Missing -r maccatalyst-arm64 runtime target | High | #560 (85961f1ef) |
| Provisioning profile not embedded in .app bundle | High | #560 (85961f1ef) |

These were discovered iteratively during TestFlight submission and fixed in follow-up PRs that are now on main.


Observations (No Issues)

  • Re-signing order (inside-out: copilot → dylibs → frameworks → app) — correct per Apple requirements
  • Helper entitlements (app-sandbox + inherit) — correct for subprocess helpers
  • LSApplicationCategoryType = developer-tools — appropriate category
  • find | head -1 — safe; finds outer .app directory first

Recommendation

⚠️ Request changes — One remaining fix: fail fast when copilot binary is missing instead of warning. The 4 high-severity issues have already been addressed by follow-up PRs (#560, #567, #568) on main, so if this PR is rebased on latest main those are already resolved.
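
The fail-fast behaviour requested in the review above, combined with the inside-out signing order it confirms, shown as an added example that is not part of the PR or its workflow file. Only the Contents/MonoBundle/copilot path comes from the review; `resign_plan`, `resign_bundle` and the `CODESIGN`, `SIGN_IDENTITY`, `HELPER_ENTITLEMENTS` and `APP_ENTITLEMENTS` variables are hypothetical names.

```shell
# Added example, not the workflow's code. From the review: the helper lives at
# Contents/MonoBundle/copilot. CODESIGN, SIGN_IDENTITY, HELPER_ENTITLEMENTS and
# APP_ENTITLEMENTS are hypothetical variable names.

# Print the inside-out signing order, one path per line: helper, dylibs,
# frameworks, then the bundle. Reverse sort lists a nested path before its
# parent. Returns 1 with an explicit message when the helper is absent.
resign_plan() {
  app=$1
  helper="$app/Contents/MonoBundle/copilot"
  if [ ! -f "$helper" ]; then
    echo "error: copilot binary missing at $helper; not packaging" >&2
    return 1
  fi
  printf '%s\n' "$helper"
  find "$app/Contents" -type f -name '*.dylib' | LC_ALL=C sort -r
  find "$app/Contents" -type d -name '*.framework' | LC_ALL=C sort -r
  printf '%s\n' "$app"
}

# Sign every path in plan order and stop at the first failure. Nothing is
# signed when the plan cannot be built.
resign_bundle() {
  bundle=$1
  plan=$(resign_plan "$bundle") || return 1
  printf '%s\n' "$plan" | while IFS= read -r path; do
    case $path in
      */Contents/MonoBundle/copilot) ent=$HELPER_ENTITLEMENTS ;;
      "$bundle")                     ent=$APP_ENTITLEMENTS ;;
      *)                             ent= ;;
    esac
    if [ -n "$ent" ]; then
      "${CODESIGN:-codesign}" --force --sign "$SIGN_IDENTITY" \
        --entitlements "$ent" "$path" || exit 1
    else
      "${CODESIGN:-codesign}" --force --sign "$SIGN_IDENTITY" "$path" || exit 1
    fi
  done
}
```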
