Try codesign without --deep, which is considered harmful

.ci/package-mac.sh

@@ -31,10 +31,12 @@ cp -rf "$SCHEMA_DIR/"* SharedSupport
 popd
 
 # Resign the application
-codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --deep --force --options runtime --preserve-metadata=identifier,entitlements Squirrel.app
+for binary in $(codesign -v -vv --deep --strict Squirrel.app | sed -n 's/^--validated://p') Squirrel.app; do
+  codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --force --options runtime --preserve-metadata=identifier,entitlements "$binary"
 
-# Resign the binaries inside the application
-codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --deep --force --options runtime --preserve-metadata=identifier,entitlements Squirrel.app/Contents/MacOS/*
+  # Verify
+  codesign -v -vv --deep --strict "$binary"
+done
 
 # Compress back the application
 find Squirrel.app | cpio -o | gzip -c > Payload