@@ -320,9 +320,15 @@ jobs:
320320 # Ensure files are writable and clear any quarantine attrs
321321 chmod -R u+rw "$APP"
322322 xattr -cr "$APP" || true
323- # Deep ad-hoc sign the app and embedded content to improve launch reliability
324- codesign --force --deep --sign - --timestamp=none "$APP"
325- codesign --verify --deep --verbose=2 "$APP" || (codesign --display --verbose=5 "$APP"; exit 1)
323+ # Sign only Mach-O binaries and libraries to avoid codesign errors on non-bundles
324+ while IFS= read -r -d '' f; do
325+ if file -b "$f" | grep -q "Mach-O"; then
326+ codesign --force --sign - --timestamp=none "$f"
327+ fi
328+ done < <(find "$APP/Contents" -type f -print0)
329+ # Finally sign the app wrapper (no --deep)
330+ codesign --force --sign - --timestamp=none "$APP"
331+ codesign --verify --verbose=2 "$APP" || (codesign --display --verbose=5 "$APP"; exit 1)
326332
327333 - name : Verify permissions and Info.plist
328334 run : |
@@ -358,9 +364,14 @@ jobs:
358364 echo "$APPLE_DEVELOPER_CERT_BASE64" | base64 --decode > "$RUNNER_TEMP/dev_cert.p12"
359365 security import "$RUNNER_TEMP/dev_cert.p12" -k "$KEYCHAIN_PATH" -P "$APPLE_DEVELOPER_CERT_PASSWORD" -A
360366 security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain-db
361- # Re-sign app with Developer ID (replaces ad-hoc)
362- codesign --force --deep --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$APP"
363- codesign --verify --deep --strict --verbose=2 "$APP"
367+ # Re-sign Mach-O components, then the app wrapper (no --deep)
368+ while IFS= read -r -d '' f; do
369+ if file -b "$f" | grep -q "Mach-O"; then
370+ codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$f"
371+ fi
372+ done < <(find "$APP/Contents" -type f -print0)
373+ codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$APP"
374+ codesign --verify --strict --verbose=2 "$APP"
364375
365376
366377 - name : Create DMG
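Review bot: The final check in the Developer ID step, `codesign --verify --strict --verbose=2 "$APP"`, lost `--deep` along with the signing calls, so nested code now gets only a shallow check and a component the `find` loop skipped or signed incorrectly can pass unnoticed before the DMG is built. Dropping `--deep` from signing is reasonable, but verification should keep it: `codesign --verify --deep --strict --verbose=2 "$APP"`. The ad-hoc verify line in the first hunk needs the same change. The loop also signs files in whatever order `find` emits them and never signs nested bundles (frameworks, helper apps) as bundles. If the app ships any, they likely need signing innermost-first before the wrapper, which is worth confirming against the real bundle layout. Both step bodies begin above the visible hunks, so the shell options in effect (for example whether a failing `codesign` inside the loop aborts the step) cannot be confirmed from here.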