Hi, Mac developers,
Can anyone tell me what the exact rules are for symlinks inside signed apps? And how to get app signing to succeed for app bundles that contain symlinks? My signed app is getting rejected due to "invalid symlink destination", and I can't figure out why.
I am attempting to build a signed app version of GNU Octave. This app bundle contains several symlinks (about 6,500). All the symlinks have relative-path targets that point to other files inside the app bundle.
When I sign the app and then verify it, it gets rejected:
$ spctl -vvvv -a -t open --context context:primary-signature /Applications/Octave-4.4.0.app
/Applications/Octave-4.4.0.app: rejected (invalid destination for symbolic link in bundle)
origin=Developer ID Application: Andrew Janke (R7H2BFWJAB)
Replacing the symlinks with absolute-path symlinks did not fix it.
Removing all the symlinks by replacing them with copies of their targets does fix the problem and allows the app to validate. But this is untenable because it explodes the app bundle size to 7 GB.
$ spctl -vvvv -a -t open --context context:primary-signature /Applications/Octave-4.4.0.app
/Applications/Octave-4.4.0.app: accepted
source=Developer ID
origin=Developer ID Application: Andrew Janke (R7H2BFWJAB)
This is an open source project, so if you're interested, you can see the entire build system here: https://github.com/octave-app/octave-app-bundler
Bug report for this issue: https://github.com/octave-app/octave-app-bundler/issues/34
Any ideas?
Thanks,
Andrew
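
One way to check the post's statement that every symlink has a relative target inside the bundle, as an added example that is not part of the original post or of the octave-app-bundler code: it walks a bundle and groups each symlink by where its target leads. The category names, function names and the sample layout are assumptions made for this example; they are not Apple's validation rules.

```python
import os
import sys
import tempfile

def classify_symlinks(bundle):
    """Group every symlink under `bundle` by where its target leads (example categories)."""
    root = os.path.realpath(bundle)
    report = {"ok": [], "absolute": [], "dangling": [], "escapes": []}
    # os.walk does not descend into symlinked directories by default,
    # but it still lists them in dirnames, so check both name lists.
    for dirpath, dirnames, filenames in os.walk(bundle):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, bundle)
            if os.path.isabs(os.readlink(path)):
                report["absolute"].append(rel)
            elif not os.path.exists(path):  # exists() follows the link
                report["dangling"].append(rel)
            elif os.path.commonpath([root, os.path.realpath(path)]) != root:
                report["escapes"].append(rel)
            else:
                report["ok"].append(rel)
    return report

def build_sample(tmp):
    """Constructed bundle layout for the demo; all names are made up."""
    bundle = os.path.join(tmp, "Sample.app")
    lib = os.path.join(bundle, "Contents", "Resources", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "libfoo.1.dylib"), "w").close()
    open(os.path.join(tmp, "outside.txt"), "w").close()
    os.symlink("libfoo.1.dylib", os.path.join(lib, "libfoo.dylib"))       # ok
    os.symlink("missing.dylib", os.path.join(lib, "libgone.dylib"))       # dangling
    os.symlink("../../../../outside.txt", os.path.join(lib, "leak.txt"))  # escapes
    os.symlink("/usr/lib", os.path.join(lib, "sys"))                      # absolute
    return bundle

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)
        for category, links in classify_symlinks(target).items():
            print(f"{category}: {len(links)}")
            for link in links:
                if category != "ok":
                    print(f"  {link} -> {os.readlink(os.path.join(target, link))}")
```

Run with a bundle path as the only argument to audit a real bundle; with no argument it reports on the constructed sample.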