From 8b7bd37829da9ef687b24e803dd2aab3ac03afef Mon Sep 17 00:00:00 2001 From: Mike Mueller Date: Wed, 6 May 2026 12:30:01 +0200 Subject: [PATCH] ci(macos): fix signing mismatch --- .gitea/workflows/build-macos.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.gitea/workflows/build-macos.yml b/.gitea/workflows/build-macos.yml index c7e5ac077..9f169d08c 100644 --- a/.gitea/workflows/build-macos.yml +++ b/.gitea/workflows/build-macos.yml @@ -172,6 +172,25 @@ jobs: # on aarch64 (cidre's ScreenCaptureKit bindings target arm64-only APIs). python3 build.py --flutter --hwcodec --unix-file-copy-paste + # Ad-hoc re-sign the whole bundle in one pass. + # `flutter build macos --release` ad-hoc signs the main binary, but + # FlutterMacOS.framework already carries its own ad-hoc signature + # from Flutter's engine artifacts. dyld on Apple Silicon (macOS 13+) + # enforces Team ID match between the main process and every loaded + # framework -- two ad-hoc signatures from different signing passes + # have different per-binary cdhashes and fail the check, producing + # `mapping process and mapped file have different Team IDs` at + # launch time on M-series Macs. `codesign --deep --sign -` re-signs + # every nested binary/framework/dylib with the same ad-hoc identity + # in one pass, so all components share a consistent signing context. + # When we wire up real Developer ID + notarization later, replace + # `-` with the cert identity and drop --deep in favor of inside-out + # signing. + codesign --force --deep --sign - \ + ./flutter/build/macos/Build/Products/Release/RustDesk.app + codesign --verify --deep --strict --verbose=2 \ + ./flutter/build/macos/Build/Products/Release/RustDesk.app + mkdir -p ./SignOutput # Use hdiutil (not create-dmg) because the runner is a LaunchDaemon # with no GUI/Finder session. create-dmg drives Finder via AppleScript