The issue is that codesign cannot verify a signed app: it says that the Info.plist file has been modified, when in fact it hasn't. I've even checked the file with sha256sum pre and post signing.
https://objective-see.com/products/whatsyoursign.html returns error code -67030
which, according to https://eclecticlight.co/2019/06/28/a-primer-on-code-signing-errors/ is due to
invalid Info.plist, because the Info.plist file or its signature have been modified. That should never occur, and merits a close look to check what has happened. Although this property list is readily readable, its contents are complex and detecting deliberate tampering may not be easy.
Thing is, I've not modified the app in any way; I just sign it and then immediately check its signature.
The application is a Smalltalk VM found here: https://github.com/feenkcom/opensmalltalk-vm in the default branch. To compile it, one must run
cmake .
make
make install
make package
and then in build/packages the first zip will contain Pharo.app. I unzip it and then run
codesign --force -v --options=runtime --deep --timestamp --file-list - -s $SIGNING_IDENTITY Pharo.app
This works, but then if I run
codesign --verify --strict --verbose=2 Pharo.app
I get lots of validated libraries (that is good) but also the error message that is also in the title: invalid Info.plist (plist or signature have been modified)
Any hints appreciated.
The issue was that codesign could not handle executable names starting with uppercase letters.
Once I changed the executable name to pharo instead of Pharo, it worked like magic.
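A pre-signing sanity check that follows from the answer, added here as an example and not taken from either post: it reads CFBundleExecutable out of Contents/Info.plist and confirms that Contents/MacOS contains a file with exactly that name, compared byte-for-byte so that a case-insensitive filesystem cannot hide a Pharo/pharo mismatch after the bundle has been round-tripped through a zip. The script assumes the standard .app layout and an XML plist; the fixture bundles it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes a standard bundle layout: <App>.app/Contents/Info.plist and
# <App>.app/Contents/MacOS/<CFBundleExecutable>, with Info.plist in XML form.

# Print the CFBundleExecutable value from an XML Info.plist (portable; no plutil needed).
bundle_executable() {
  # $1 = path to Info.plist
  tr -d '\n' < "$1" \
    | sed -n 's/.*<key>CFBundleExecutable<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Return 0 if Contents/MacOS holds a file whose name equals CFBundleExecutable
# exactly (case-sensitive); otherwise print a diagnostic to stderr and return 1.
check_bundle_executable() {
  app="$1"
  plist="$app/Contents/Info.plist"
  [ -f "$plist" ] || { echo "missing $plist" >&2; return 1; }
  exe=$(bundle_executable "$plist")
  [ -n "$exe" ] || { echo "CFBundleExecutable not set in $plist" >&2; return 1; }
  # Compare against the directory listing rather than testing -f "$dir/$exe":
  # on a case-insensitive volume the -f test would succeed for pharo vs Pharo.
  if ls -1 "$app/Contents/MacOS" | grep -qxF -- "$exe"; then
    echo "ok: $app declares '$exe' and Contents/MacOS contains it"
    return 0
  fi
  echo "mismatch: $plist declares '$exe' but Contents/MacOS contains:" >&2
  ls -1 "$app/Contents/MacOS" >&2
  return 1
}

# Constructed fixture: a minimal bundle skeleton so the check can be exercised
# without a real application.
make_fixture() {
  # $1 = bundle directory, $2 = CFBundleExecutable value, $3 = actual file name
  mkdir -p "$1/Contents/MacOS"
  printf '<?xml version="1.0"?>\n<plist version="1.0"><dict>\n<key>CFBundleExecutable</key>\n<string>%s</string>\n</dict></plist>\n' \
    "$2" > "$1/Contents/Info.plist"
  : > "$1/Contents/MacOS/$3"
}

# Usage against a real bundle: check_bundle_executable /path/to/Pharo.app
```

Run the check on the unzipped bundle before invoking codesign; a non-zero exit with the "mismatch" diagnostic means the plist and the on-disk executable name disagree, which is worth fixing before looking further at the signature itself.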