Add Library/QuickLook to the list of code resource bundles
#161
Conversation
Otherwise rcodesign signs QuickLook plugins twice!
|
I'm not really sure that is a correct fix, because this rule is missing from a package signed by normal codesign (from its CodeResources file). But at least it prevents rcodesign signing the package twice. Here is an example package that fails to be signed by rcodesign because of this issue: |
|
Interesting. Thanks for submitting this change. So you are saying that Nested bundle signing has historical been a bit fragile in this project. See the release notes for various examples and links. I'm willing to bet this is yet another bug around how nested bundles are identified and signed. I'd like to understand this issue more before acting on this PR. |
It is a bit more complicated than it sounds. codesign does not include this directory in the rule, but we don't use nested code signing with codesign. We are currently transitioning from manual non-nested codesign with a script to a CI-sabes system that uses rcodesign, so we had to switch to nested signing...
It is possible that codesign has an exception for "Quicklook" to detect it as a bundle, but doesn't write that into XML? (I'm not experienced in the MacOS-based development, so I don't fully understand all these issues with nested signing) |
If an application has a quicklook plugin in
Library/QuickLooklocation, then rcodesign signs the plugin twice, first as a bundle, and then as a standalone binary again. It makes the signature invalid (missing resources) and fails the following notarization process.I used the example of
Library/Spotlightplugin to make an exception for QuickLook.