Commit 38a87df

fix(build): snapshot pre-signing checksum to correctly detect framework binary duplicates (#1257)
* fix(build): snapshot pre-signing checksum to correctly detect framework binary duplicates

The cmp -s guard in #1256 runs after signing the canonical binary, comparing signed bytes against unsigned duplicates — they always differ. This causes all three Python.framework copies to be signed separately with independent codesign invocations (different nonces/timestamps), producing inconsistent signature blocks that Apple rejects with 'The signature of the binary is invalid.'

Fix: compute shasum of canonical BEFORE signing, then compare each duplicate's checksum against that pre-signing hash. Identical files (PyInstaller duplicate copies) are correctly detected and receive the byte-identical signed binary. Genuinely distinct binaries still fall through to the separate-signing path.

* fix(build): track synced/separately-signed counts accurately in summary log
1 parent 7d52fcd commit 38a87df

1 file changed

Lines changed: 12 additions & 4 deletions

scripts/package/build_app_tauri.sh

@@ -183,6 +183,10 @@ if [ -n "$APPLE_PERSONALID" ]; then
183183
if [ -z "$existing_id" ]; then
184184
existing_id=$(basename "$canonical")
185185
fi
186+
# Snapshot the canonical checksum BEFORE signing — signing changes
187+
# the binary bytes, so cmp -s after the fact always returns "differs"
188+
# even when canonical and duplicates started as byte-identical copies.
189+
canonical_presign=$(shasum "$canonical" | cut -d' ' -f1)
186190
echo " Signing canonical framework binary: $canonical (identifier: $existing_id)"
187191
tmp_binary=$(mktemp)
188192
cp -p "$canonical" "$tmp_binary"
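Review bot: the new line `canonical_presign=$(shasum "$canonical" | cut -d' ' -f1)` has no failure check, unlike the surrounding `cp`/`codesign` steps that end in `|| exit 1`. If `shasum` fails (unreadable or missing path), `canonical_presign` is silently empty and the later equality test treats every duplicate as distinct, or, should `shasum` also fail on a duplicate, as identical, and the script still reports success. Suggest `canonical_presign=$(shasum "$canonical" | cut -d' ' -f1) || exit 1` plus a `[ -n "$canonical_presign" ] || exit 1` guard, and consider `shasum -a 256` rather than the SHA-1 default, which costs nothing here and removes a question from the security review of the signing pipeline.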
@@ -195,12 +199,15 @@ if [ -n "$APPLE_PERSONALID" ]; then
195199
rm -f "$tmp_binary"
196200
# Copy the signed canonical to all duplicate paths so they share
197201
# byte-identical signatures (Apple notarization checks all paths).
198-
# Guard with cmp -s so genuinely distinct binaries are signed
199-
# separately rather than silently overwritten.
202+
# Guard with PRE-SIGNING checksum so genuinely distinct binaries are
203+
# signed separately rather than silently overwritten.
204+
synced_count=0
205+
separately_count=0
200206
for fw_bin in "${fw_bins[@]:1}"; do
201-
if cmp -s "$canonical" "$fw_bin"; then
207+
if [ "$(shasum "$fw_bin" | cut -d' ' -f1)" = "$canonical_presign" ]; then
202208
echo " Syncing signed binary to duplicate path: $fw_bin"
203209
cp "$canonical" "$fw_bin" || exit 1
210+
((synced_count++))
204211
else
205212
echo " WARNING: $fw_bin differs from canonical; signing separately" >&2
206213
tmp2=$(mktemp)
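Review bot: `((synced_count++))` (and `((separately_count++))` in the following hunk) returns a non-zero exit status when the pre-increment value is 0, because a bash arithmetic command whose result is 0 is treated as failure. Both counters start at `0`, so the first increment of each "fails"; if this script is ever run under `set -e`, or if the increment is later combined with `&&`/`||`, the loop aborts on the first synced binary. Prefer the side-effect-free form `synced_count=$((synced_count + 1))`, which always returns 0. The pre-signing checksum comparison itself is sound: `cmp -s "$canonical" "$fw_bin"` after signing could never match, whereas comparing each duplicate's hash against `$canonical_presign` identifies the copies that started byte-identical.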
@@ -214,9 +221,10 @@ if [ -n "$APPLE_PERSONALID" ]; then
214221
"$tmp2" || { rm -f "$tmp2"; exit 1; }
215222
cp "$tmp2" "$fw_bin" || { rm -f "$tmp2"; exit 1; }
216223
rm -f "$tmp2"
224+
((separately_count++))
217225
fi
218226
done
219-
echo " Signed 1 + synced $((${#fw_bins[@]} - 1)) duplicate(s) inside $fw"
227+
echo " Signed $((1 + separately_count)) + synced ${synced_count} duplicate(s) inside $fw"
220228
else
221229
echo "ERROR: Failed to sign $fw: $sign_output" >&2
222230
exit 1
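Review bot: the summary line `echo " Signed $((1 + separately_count)) + synced ${synced_count} duplicate(s) inside $fw"` now reports the counts correctly, but a non-zero `separately_count` is exactly the condition the commit message says produced inconsistent signature blocks that Apple rejected, and the only indication is the per-file `WARNING` emitted earlier on stderr, which is easy to lose in a long CI log. Suggest emitting a second `WARNING` to stderr at the summary when `separately_count` is greater than 0 (e.g. `[ "$separately_count" -gt 0 ] && echo " WARNING: $separately_count framework binary(ies) in $fw were not byte-identical and were signed separately" >&2`) so the build log makes the unexpected case visible where the totals are read.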
