CM-53930: fix onedir signing issues on mac

gotbadger · gotbadger · commit 59fab6b5f2be · 2026-02-23T15:33:45.000Z
diff --git a/.github/workflows/build_executable.yml b/.github/workflows/build_executable.yml
@@ -136,7 +136,9 @@ jobs:
           # Main executable must be signed last after all its dependencies
           find dist/cycode-cli -type f ! -name "cycode-cli" | while read -r file; do
             if file -b "$file" | grep -q "Mach-O"; then
-              codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file"
+              # override identifier to avoid framework-style identifiers (e.g. org.python.python)
+              # that cause --strict verification to expect a missing Info.plist
+              codesign --force --sign "$APPLE_CERT_NAME" --identifier "com.cycode.$(basename "$file")" --timestamp --options runtime "$file"
             fi
           done
 
@@ -176,15 +178,39 @@ jobs:
 
           # we can't staple the app because it's executable
 
-      - name: Test macOS signed executable
+      - name: Verify macOS code signatures
         if: runner.os == 'macOS'
         run: |
-          file -b $PATH_TO_CYCODE_CLI_EXECUTABLE
-          time $PATH_TO_CYCODE_CLI_EXECUTABLE version
+          # verify all Mach-O binaries in the output are properly signed
+          FAILED=false
+          while IFS= read -r file; do
+            if file -b "$file" | grep -q "Mach-O"; then
+              if ! codesign --verify --strict "$file" 2>&1; then
+                echo "INVALID signature: $file"
+                codesign -dv "$file" 2>&1 || true
+                FAILED=true
+              fi
+            fi
+          done < <(find dist/cycode-cli -type f)
+
+          if [ "$FAILED" = true ]; then
+            echo "Found binaries with invalid signatures!"
+            exit 1
+          fi
 
-          # verify signature
+          # verify main executable signature in detail
           codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE
 
+      - name: Test macOS signed executable (with quarantine)
+        if: runner.os == 'macOS'
+        run: |
+          # simulate downloading from the internet by adding quarantine attribute
+          # this triggers the same Gatekeeper/dlopen checks end users experience
+          find dist/cycode-cli -type f -exec xattr -w com.apple.quarantine "0081;$(printf '%x' $(date +%s));CI;$(uuidgen)" {} \;
+
+          file -b $PATH_TO_CYCODE_CLI_EXECUTABLE
+          time $PATH_TO_CYCODE_CLI_EXECUTABLE version
+
       - name: Import cert for Windows and setup envs
         if: runner.os == 'Windows'
         env:
diff --git a/process_executable_file.py b/process_executable_file.py
@@ -13,6 +13,7 @@
 import os
 import platform
 import shutil
+import subprocess
 from pathlib import Path
 from string import Template
 from typing import Union
@@ -140,6 +141,14 @@ def get_cli_archive_path(output_path: Path, is_onedir: bool) -> str:
     return os.path.join(output_path, get_cli_archive_filename(is_onedir))
 
 
+def archive_directory(input_path: Path, output_path: str) -> None:
+    if get_os_name() == 'darwin':
+        # use ditto on macOS to preserve code signature metadata
+        subprocess.run(['ditto', '-c', '-k', str(input_path), output_path], check=True)
+    else:
+        shutil.make_archive(output_path.removesuffix(f'.{_ARCHIVE_FORMAT}'), _ARCHIVE_FORMAT, input_path)
+
+
 def process_executable_file(input_path: Path, is_onedir: bool) -> str:
     output_path = input_path.parent
     hash_file_path = get_cli_hash_path(output_path, is_onedir)
@@ -150,7 +159,7 @@ def process_executable_file(input_path: Path, is_onedir: bool) -> str:
         write_hashes_db_to_file(normalized_hashes, hash_file_path)
 
         archived_file_path = get_cli_archive_path(output_path, is_onedir)
-        shutil.make_archive(archived_file_path, _ARCHIVE_FORMAT, input_path)
+        archive_directory(input_path, f'{archived_file_path}.{_ARCHIVE_FORMAT}')
         shutil.rmtree(input_path)
     else:
         file_hash = get_hash_of_file(input_path)
