codesign not signing helper executable in AppleScript bundle

My AppleScript .app bundle contains a helper executable. Table 3 of TN2206 says that executables may be in either Contents/MacOS or Contents/Helpers, but Quinn's first reply in this post says that Contents/MacOS is better. So I put the helper in Contents/MacOS, alongside applet.

I sign the AppleScript .app bundle for Developer ID and Hardened Runtime by running the codesign command with arguments recommended by Quinn in this post.

Result: Notary Service rejects the .app bundle due to 3 issues with the helper:

  • is not signed with a valid Developer ID certificate
  • does not include a secure timestamp
  • does not have the hardened runtime enabled

(Possibly it still has a years-old signature without Developer ID and Hardened Runtime).

So it seems that the helper is not being (re-)signed.

If, instead of signing the .app bundle, I run Quinn's codesign command twice, once on the applet and once on the second executable, then Notary Service is happy with the bundle.

I was hoping that, after all these years, codesign is now smart enough to find and sign all of the executables inside a bundle.

Both executables are x86_64 non-fat (I guess I should fatten those) and I have installed Xcode 15.1 Beta.

Should I file a bug, or am I doing something wrong?

Replies

As far as I know, the advice from Apple (or at least Quinn) has always been to sign from inside out. That is, any helpers, tools, frameworks, and dylibs should be signed before the app bundle as a whole. Of course you’re free to write feedback, but don’t be surprised if it comes back “behaves as designed”. And they’re probably mostly focused on development with Xcode, in which the process of uploading an archive for notarization or the App Store takes care of the details of code signing.
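The inside-out procedure the reply describes, written out as an added example (not from the original thread, not Apple's or Quinn's code). It assumes the bundle layout from the question (an AppleScript applet with helper executables in Contents/MacOS and/or Contents/Helpers, no embedded frameworks), a "Developer ID Application" identity in the keychain, and that the executable bit is a good enough test for "this is code that needs its own signature". Every nested executable gets the same Developer ID, hardened runtime and secure timestamp options as the bundle, and `--force` replaces any stale signature already on the file, which is exactly what the notary service complained about. `--deep` is used only for verification here; Apple does not recommend it for signing, which is why the script enumerates the nested code itself.

```sh
#!/bin/sh
# Added example: sign an applet bundle inside out, then verify it the way the
# notary service will look at it. Assumptions: Contents/MacOS and
# Contents/Helpers hold all nested code, and CFBundleExecutable in Info.plist
# names the main executable (for an AppleScript applet that is "applet").
set -eu

# Main executable name from Info.plist. PlistBuddy handles binary plists on
# macOS; the sed fallback only understands an XML plist.
main_executable() {
    plist="$1/Contents/Info.plist"
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$plist"
    else
        tr -d '\n' < "$plist" |
            sed 's/.*<key>CFBundleExecutable<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/'
    fi
}

# Nested code that must be signed before the bundle: every executable file in
# Contents/MacOS and Contents/Helpers except the main executable, which is
# signed as part of the bundle itself.
nested_code_paths() {
    app=$1
    main="$app/Contents/MacOS/$(main_executable "$app")"
    dirs=""
    for d in "$app/Contents/MacOS" "$app/Contents/Helpers"; do
        [ -d "$d" ] && dirs="$dirs $d"
    done
    [ -n "$dirs" ] || return 0
    # shellcheck disable=SC2086  # word splitting of $dirs is intended
    find $dirs -type f -perm -100 | sort | while read -r f; do
        [ "$f" = "$main" ] && continue
        printf '%s\n' "$f"
    done
}

# One codesign invocation per nested executable, then one for the bundle.
# The options are the ones notarization requires: Developer ID identity,
# hardened runtime (--options runtime) and a secure timestamp (--timestamp).
sign_inside_out() {
    app=$1
    identity=$2
    nested_code_paths "$app" | while read -r f; do
        codesign --sign "$identity" --force --options runtime --timestamp "$f"
    done
    codesign --sign "$identity" --force --options runtime --timestamp "$app"
}

# Verification is where --deep belongs: it walks the nested code for you.
verify_bundle() {
    codesign --verify --deep --strict --verbose=2 "$1"
    spctl --assess --type execute --verbose "$1"
}

# Usage: ./sign.sh --sign MyApplet.app ["Developer ID Application: Name (TEAMID)"]
if [ $# -ge 2 ] && [ "$1" = "--sign" ]; then
    sign_inside_out "$2" "${3:-Developer ID Application}"
    verify_bundle "$2"
fi
```

Run it before submitting to the notary service; if `codesign --verify --deep --strict` or `spctl --assess` rejects the bundle locally, the submission will too. Anything signed later (a rebuilt helper, an edited script resource) invalidates the enclosing bundle's seal, so re-run the whole procedure rather than re-signing one file.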