Commit 38a87df
authored
fix(build): snapshot pre-signing checksum to correctly detect framework binary duplicates (#1257)
* fix(build): snapshot pre-signing checksum to correctly detect framework binary duplicates
The cmp -s guard in #1256 runs after signing the canonical binary,
comparing signed bytes against unsigned duplicates — they always differ.
This causes all three Python.framework copies to be signed separately
with independent codesign invocations (different nonces/timestamps),
producing inconsistent signature blocks that Apple rejects with
'The signature of the binary is invalid.'
Fix: compute shasum of canonical BEFORE signing, then compare each
duplicate's checksum against that pre-signing hash. Identical files
(PyInstaller duplicate copies) are correctly detected and receive the
byte-identical signed binary. Genuinely distinct binaries still fall
through to the separate-signing path.
* fix(build): track synced/separately-signed counts accurately in summary log1 parent 7d52fcd commit 38a87df
1 file changed
Lines changed: 12 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
183 | 183 | | |
184 | 184 | | |
185 | 185 | | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
186 | 190 | | |
187 | 191 | | |
188 | 192 | | |
| |||
195 | 199 | | |
196 | 200 | | |
197 | 201 | | |
198 | | - | |
199 | | - | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
200 | 206 | | |
201 | | - | |
| 207 | + | |
202 | 208 | | |
203 | 209 | | |
| 210 | + | |
204 | 211 | | |
205 | 212 | | |
206 | 213 | | |
| |||
214 | 221 | | |
215 | 222 | | |
216 | 223 | | |
| 224 | + | |
217 | 225 | | |
218 | 226 | | |
219 | | - | |
| 227 | + | |
220 | 228 | | |
221 | 229 | | |
222 | 230 | | |
| |||
0 commit comments