ci(macos): fix signing mismatch

.gitea/workflows/build-macos.yml

@@ -172,6 +172,25 @@ jobs:
           # on aarch64 (cidre's ScreenCaptureKit bindings target arm64-only APIs).
           python3 build.py --flutter --hwcodec --unix-file-copy-paste
 
+          # Ad-hoc re-sign the whole bundle in one pass.
+          # `flutter build macos --release` ad-hoc signs the main binary, but
+          # FlutterMacOS.framework already carries its own ad-hoc signature
+          # from Flutter's engine artifacts. dyld on Apple Silicon (macOS 13+)
+          # enforces Team ID match between the main process and every loaded
+          # framework -- two ad-hoc signatures from different signing passes
+          # have different per-binary cdhashes and fail the check, producing
+          # `mapping process and mapped file have different Team IDs` at
+          # launch time on M-series Macs. `codesign --deep --sign -` re-signs
+          # every nested binary/framework/dylib with the same ad-hoc identity
+          # in one pass, so all components share a consistent signing context.
+          # When we wire up real Developer ID + notarization later, replace
+          # `-` with the cert identity and drop --deep in favor of inside-out
+          # signing.
+          codesign --force --deep --sign - \
+            ./flutter/build/macos/Build/Products/Release/RustDesk.app
+          codesign --verify --deep --strict --verbose=2 \
+            ./flutter/build/macos/Build/Products/Release/RustDesk.app
+
           mkdir -p ./SignOutput
           # Use hdiutil (not create-dmg) because the runner is a LaunchDaemon
           # with no GUI/Finder session. create-dmg drives Finder via AppleScript