fix: codesign doesn't sign frameworks or sidecar, closes #7690

tooling/bundler/src/bundle/macos/sign.rs

@@ -14,7 +14,7 @@ use std::{
 
 use crate::{bundle::common::CommandExt, Settings};
 use anyhow::Context;
-use log::info;
+use log::{error, info};
 use serde::Deserialize;
 
 const KEYCHAIN_ID: &str = "tauri-build.keychain";
@@ -152,6 +152,10 @@ pub fn sign(
 ) -> crate::Result<()> {
   info!(action = "Signing"; "{} with identity \"{}\"", path_to_sign.display(), identity);
 
+  // Remove extra attributes, which could cause codesign to fail
+  // https://developer.apple.com/library/archive/qa/qa1940/_index.html
+  remove_extra_attr(&path_to_sign)?;
+
   let setup_keychain = if let (Some(certificate_encoded), Some(certificate_password)) = (
     var_os("APPLE_CERTIFICATE"),
     var_os("APPLE_CERTIFICATE_PASSWORD"),
@@ -164,6 +168,59 @@ pub fn sign(
     false
   };
 
+  // Sign frameworks and sidecar binaries first, per apple, signing must be done inside out
+  // https://developer.apple.com/forums/thread/701514
+  if is_an_executable {
+    // Sign any sidecar binaries
+    for src in settings.external_binaries() {
+      let src = src?;
+      let binary_path = path_to_sign.join(
+        src
+          .file_name()
+          .expect("failed to extract external binary filename")
+          .to_string_lossy()
+          .replace(&format!("-{}", settings.target()), ""),
+      );
+      try_sign(
+        binary_path,
+        identity,
+        settings,
+        is_an_executable,
+        setup_keychain,
+      )?;
+    }
+
+    if let Some(frameworks) = settings.macos().frameworks.as_ref() {
+      for framework in frameworks.iter() {
+        // If the framework ends with .framework, then its not a system framework. We don't want to sign system frameworks!
+        if framework.ends_with(".framework") {
+          let path = PathBuf::from(framework);
+          match path.file_name() {
+            Some(name) => {
+              let framework_path = path_to_sign.join("Contents/Frameworks").join(name);
+              info!("Signing framework: {:?}", framework_path);
+              try_sign(
+                framework_path,
+                identity,
+                settings,
+                is_an_executable,
+                setup_keychain,
+              )?;
+            }
+            None => {
+              error!(
+                "Failed to sign framework: {} because it has no filename",
+                framework
+              );
+            }
+          }
+        }
+      }
+    }
+  }
+
+  info!("Signing app bundle...");
+  // Sign the app bundle
   let res = try_sign(
     path_to_sign,
     identity,
@@ -205,10 +262,6 @@ fn try_sign(
     args.push("runtime");
   }
 
-  if path_to_sign.is_dir() {
-    args.push("--deep");
-  }
-
   Command::new("codesign")
     .args(args)
     .arg(path_to_sign.to_string_lossy().to_string())
@@ -218,6 +271,15 @@ fn try_sign(
   Ok(())
 }
 
+fn remove_extra_attr(app_bundle_path: &PathBuf) -> crate::Result<()> {
+  Command::new("xattr")
+    .arg("-cr")
+    .arg(app_bundle_path)
+    .output_ok()
+    .context("failed to remove extra attributes from app bundle")?;
+  Ok(())
+}
+
 #[derive(Deserialize)]
 struct NotarytoolSubmitOutput {
   id: String,