fix(scripts): rebuild DMG with signed .app after notarizing — fixes notarize Invalid#59
Merged
Root cause: Tauri's bundle_dmg.sh ran in step 1 and baked an UNSIGNED .app
into the DMG. Signing the DMG container alone doesn't help — Apple
notarization unpacks the DMG and re-verifies every binary inside, so it
saw an unsigned binary and rejected with statusSummary "Archive contains
critical validation errors".
Fix: after signing + notarizing + stapling the standalone .app, REBUILD
the DMG from scratch (hdiutil create with the now-signed .app), then
sign + notarize + staple the new DMG.
Verified end-to-end:
· DeepCode.app → accepted, source=Notarized Developer ID ✓
· DeepCode_0.1.0_aarch64.dmg → accepted, source=Notarized Developer ID ✓
· Authority chain: Bihao Wang (9LH9NBX7P4) → Apple Root CA ✓
release-artifacts/:
· DeepCode-0.1.0-arm64.dmg (4.7 MB) — signed + notarized + stapled
· Replaces the previous -unsigned.dmg
· README.md updated: removed Gatekeeper-bypass section, added
spctl/codesign verification commands
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tauri's bundle_dmg.sh bakes the unsigned .app into the DMG before we sign it. Just signing the DMG container doesn't help — Apple notarization unpacks it and re-verifies binaries inside. Fix: rebuild the DMG with hdiutil after signing the .app. End-to-end verified: both .app and .dmg notarized + stapled + spctl-accepted.
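The ordering the commit describes (sign, notarize and staple the .app first, rebuild the DMG from that signed .app, then sign, notarize and staple the DMG), as an added shell example that is not part of this PR or the project's own scripts. The signing identity, notarytool keychain profile, volume name and DeepCode paths are assumed placeholders; the final check parses the `spctl -a -vv` output format quoted in the commit (`source=Notarized Developer ID`) and stops before stapling if Apple reports anything other than Accepted.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script. Order matters: sign/notarize/staple the .app FIRST,
# rebuild the DMG from that signed .app, then sign/notarize/staple the new DMG.
# Assumed (hypothetical) inputs: IDENTITY="Developer ID Application: ..." and PROFILE,
# a notarytool keychain profile created earlier with `notarytool store-credentials`.
set -eu

# Sign, notarize and staple one artifact; do not staple if Apple says Invalid.
sign_notarize_staple() {
  local artifact="$1" identity="$2" profile="$3" submit out
  # hardened runtime + secure timestamp are required for notarization to accept a binary
  codesign --force --deep --options runtime --timestamp --sign "$identity" "$artifact"
  submit="$artifact"
  if [ -d "$artifact" ]; then                 # a .app bundle must be zipped for submission
    submit="${artifact%.app}.zip"
    ditto -c -k --keepParent "$artifact" "$submit"
  fi
  out="$(xcrun notarytool submit "$submit" --keychain-profile "$profile" --wait 2>&1)"
  printf '%s\n' "$out" | grep -q 'status: Accepted' || { printf '%s\n' "$out" >&2; return 1; }
  xcrun stapler staple "$artifact"
}

# Rebuild the DMG from scratch so it carries the already-signed, stapled .app
# instead of the unsigned copy that Tauri's bundle_dmg.sh baked in earlier.
rebuild_dmg() {
  local app="$1" dmg="$2" volname="$3" staging
  staging="$(mktemp -d)"
  cp -R "$app" "$staging/"
  ln -s /Applications "$staging/Applications"
  rm -f "$dmg"
  hdiutil create -volname "$volname" -srcfolder "$staging" -ov -format UDZO "$dmg"
  rm -rf "$staging"
}

# Text check on `spctl -a -vv -t install <artifact> 2>&1` (spctl writes to stderr):
# the verdict must be "accepted" AND the source must be the notarized Developer ID.
spctl_says_notarized() {
  printf '%s\n' "$1" | grep -q ': accepted$' &&
    printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID'
}

# Full pipeline; APP, DMG, VOLNAME, IDENTITY and PROFILE are assumed to be exported.
release() {
  sign_notarize_staple "$APP" "$IDENTITY" "$PROFILE"
  rebuild_dmg "$APP" "$DMG" "$VOLNAME"
  sign_notarize_staple "$DMG" "$IDENTITY" "$PROFILE"
  spctl_says_notarized "$(spctl -a -vv -t install "$DMG" 2>&1)" || return 1
  spctl_says_notarized "$(spctl -a -vv -t exec "$APP" 2>&1)"
}
```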