CM-53930: fix onedir signing issues on mac

Author: gotbadger

.github/workflows/build_executable.yml

@@ -176,15 +176,35 @@ jobs:
 
           # we can't staple the app because it's executable
 
+      - name: Verify macOS code signatures
+        if: runner.os == 'macOS'
+        run: |
+          # verify all Mach-O binaries in the output are properly signed
+          FAILED=false
+          while IFS= read -r file; do
+            if file -b "$file" | grep -q "Mach-O"; then
+              if ! codesign --verify --strict "$file" 2>/dev/null; then
+                echo "INVALID signature: $file"
+                codesign -dv "$file" 2>&1 || true
+                FAILED=true
+              fi
+            fi
+          done < <(find dist/cycode-cli -type f)
+
+          if [ "$FAILED" = true ]; then
+            echo "Found binaries with invalid signatures!"
+            exit 1
+          fi
+
+          # verify main executable signature in detail
+          codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE
+
       - name: Test macOS signed executable
         if: runner.os == 'macOS'
         run: |
           file -b $PATH_TO_CYCODE_CLI_EXECUTABLE
           time $PATH_TO_CYCODE_CLI_EXECUTABLE version
 
-          # verify signature
-          codesign -dv --verbose=4 $PATH_TO_CYCODE_CLI_EXECUTABLE
-
       - name: Import cert for Windows and setup envs
         if: runner.os == 'Windows'
         env: