• I have a macOS Swift app that I ship via Archive / Direct Distribution / Export App (sign with Developer ID Certificate) -> Use notarytool within DMGCanvas.
  • The app depends on a Swift package that includes an XCFramework that I build with gomobile bind.
  • The notarytool returns: "The signature of the binary is invalid"
  • The codesign verification command returns: "unsealed contents present in the root directory of an embedded framework"
  • Before Xcode 15.3, this process was working as expected. The internal XCFramework wasn't preventing the app from being stopped by Gatekeeper with unsealed contents. I have not made any changes to this pipeline other than upgrading to Xcode 15.3 from 15.2.

Core Issue: how does a code-signed XCFramework added to a macOS app that is also code-signed and ready for distribution produce the error "The signature of the binary is invalid"?

Ian On BEST ANSWER

Problem: The Framework directory had an extraneous Info.plist file included in its directory. Apple Docs mention:

"The framework’s root must contain only the Versions directory and symlinks. Don’t place any other content there. Doing so causes code-signing problems."

Solution: remove the Info.plist in the macOS Framework root (this is not the same as the Info.plist that resides in the XCFramework root; keep that one). Once removed, Xcode codesign no longer throws an error.

Conclusion: Follow Apple's instructions regarding XCFramework generation.

Context of my workflow here, just in case anyone is curious
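
A pre-signing check for the condition this answer describes, as an added example that is not part of the original answer or of any Apple tooling. The function names and the sample tree are hypothetical, and it assumes that only frameworks containing a Versions directory are macOS-style bundles, so shallow iOS slices inside the same XCFramework are skipped.

```shell
#!/bin/sh
# Added example: list entries in a macOS framework root that are neither the
# Versions directory nor symlinks (what codesign reports as unsealed contents).

# Print offending entries found directly in one framework root.
unsealed_root_items() {
    root=$1
    for entry in "$root"/* "$root"/.[!.]*; do
        # Skip glob patterns that matched nothing; keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ -L "$entry" ] && continue                       # symlinks are allowed
        [ "${entry##*/}" = "Versions" ] && [ -d "$entry" ] && continue
        printf '%s\n' "$entry"
    done
}

# Walk a bundle (.app, .xcframework, build directory) and check every
# framework that has a Versions directory. Assumption: frameworks without
# one are shallow (iOS-style) bundles, where a root Info.plist is expected.
scan_bundle() {
    find "$1" -type d -name '*.framework' | while IFS= read -r framework; do
        [ -d "$framework/Versions" ] || continue
        unsealed_root_items "$framework"
    done
}

# Constructed sample tree (hypothetical names): one macOS slice with a stray
# root Info.plist, one shallow iOS slice, and the XCFramework's own Info.plist.
make_demo_tree() {
    tmp=$(mktemp -d) || return 1
    mac="$tmp/Demo.xcframework/macos-arm64_x86_64/Demo.framework"
    ios="$tmp/Demo.xcframework/ios-arm64/Demo.framework"
    mkdir -p "$mac/Versions/A/Resources" "$ios"
    : > "$mac/Versions/A/Demo"
    : > "$mac/Versions/A/Resources/Info.plist"
    ln -s A "$mac/Versions/Current"
    ln -s Versions/Current/Demo "$mac/Demo"
    ln -s Versions/Current/Resources "$mac/Resources"
    : > "$mac/Info.plist"                    # extraneous: breaks the seal
    : > "$ios/Info.plist"                    # expected in a shallow bundle
    : > "$tmp/Demo.xcframework/Info.plist"   # XCFramework root plist: keep
    printf '%s\n' "$tmp"
}

# Usage: sh check.sh MyApp.app  (any output means a root needs cleaning)
if [ "$#" -gt 0 ]; then
    for bundle in "$@"; do scan_bundle "$bundle"; done
fi
```

Running it on the gomobile output before the package is added to Xcode catches stray root files, including hidden ones such as .DS_Store, before codesign or notarytool rejects the build.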