From ab6cea84ea51d2fbdaabe837bcd11cd58b5353d9 Mon Sep 17 00:00:00 2001
From: graphemecluster
Date: Wed, 18 Dec 2024 04:30:39 +0800
Subject: [PATCH] Try `codesign` without `--deep`, which is considered harmful

---
 .ci/package-mac.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.ci/package-mac.sh b/.ci/package-mac.sh
index be81f64..6424e03 100644
--- a/.ci/package-mac.sh
+++ b/.ci/package-mac.sh
@@ -31,10 +31,12 @@ cp -rf "$SCHEMA_DIR/"* SharedSupport
 popd
 
 # Resign the application
-codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --deep --force --options runtime --preserve-metadata=identifier,entitlements Squirrel.app
+for binary in $(codesign -v -vv --deep --strict Squirrel.app | sed -n 's/^--validated://p') Squirrel.app; do
+ codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --force --options runtime --preserve-metadata=identifier,entitlements "$binary"
 
-# Resign the binaries inside the application
-codesign --sign "Developer ID Application: $APPLE_DEVELOPER_NAME ($APPLE_DEVELOPER_TEAM_ID)" --timestamp --deep --force --options runtime --preserve-metadata=identifier,entitlements Squirrel.app/Contents/MacOS/*
+ # Verify
+ codesign -v -vv --deep --strict "$binary"
+done
 
 # Compress back the application
 find Squirrel.app | cpio -o | gzip -c > Payload
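Review bot: The list of nested code to re-sign comes from an unquoted `$(codesign -v -vv --deep --strict Squirrel.app | sed …)` on the `for` line, so it depends on which stream codesign uses for its `--validated:` lines and on no path containing whitespace. codesign normally writes its verbose output to stderr, which this pipe does not capture; if the list comes back empty the loop signs only `Squirrel.app`, and the nested binaries keep their previous signature with no error reported. The in-loop verify stops the build only if the script runs under `set -e`, which is not visible in this hunk. I would read the list line by line with stderr merged, refuse an empty list, and check the verify status explicitly, as below. It is also worth confirming that the reported order signs inner code before the bundles that contain it, and that verifying a bundle whose `SharedSupport` was just modified still lists every nested item.

```shell
# Collect the nested code paths one per line; stderr is merged because the
# --validated: lines are expected there (confirm on the CI runner).
nested=()
while IFS= read -r path; do
  nested+=("$path")
done < <(codesign -v -vv --deep --strict Squirrel.app 2>&1 | sed -n 's/^--validated://p')

# An empty list would leave nested binaries unsigned by this step; fail loudly instead.
if [ "${#nested[@]}" -eq 0 ]; then
  echo "codesign reported no nested code in Squirrel.app" >&2
  exit 1
fi

for binary in "${nested[@]}" Squirrel.app; do
  # … unchanged: codesign --sign … "$binary" …

  # Verify
  codesign -v -vv --deep --strict "$binary" || exit 1
done
```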