I have an OSX application, and in the bundle's MacOS directory, I have an executable and a bunch of dylibs. The executable is, of course, pointed to by the Info.plist's CFBundleExecutable entry. When I try to sign it, codesign complains (as of 10.9) that my dylibs aren't signed, which makes sense. So I sign all of the dylibs, which I would think would let me sign the main executable now.
The problem is that I actually have a couple of data files in my MacOS dir, as well. The application is a cross-platform Qt application and the data files are localizations files that are found with respect to the main executable. codesign complains that it doesn't want to sign my main executable until the data files are signed.
Is this just a fundamentally wrong thing to be doing - putting anything that isn't mach-o into MacOS? Is signing those data files even a reasonable thing to do - ie like a .cat file on Windows? Clearly I wouldn't want codesign haphazardly slapping a digest hash on to the end of my data files.
Yes those data files should go into the Resources folder.
From the Bundle Programming Guide
MacOS (Required)
Contains the application’s standalone executable code. Typically, this directory contains only one binary file with your application’s main entry point and statically linked code. However, you may put other standalone executables (such as command-line tools) in this directory as well.
Resources
Contains all of the application’s resource files. This contents of this directory are further organized to distinguish between localized and nonlocalized resources. For more information about the structure of this directory, see “The Resources Directory”
Codesigning the data files won't change them; they are simply recorded in the _CodeSignature/CodeResources file.