From 46ed28e95e4b983f0e3eec72fc09635c6a69ffe4 Mon Sep 17 00:00:00 2001 From: Valentino Zegna Date: Sat, 18 Apr 2026 16:50:44 -0700 Subject: [PATCH] ci: strip Bun's ad-hoc signatures before lipo in release workflow Bun >= 1.3 embeds an ad-hoc Mach-O signature in compiled binaries. When lipo -create concatenates two already-signed single-arch binaries into a universal fat binary, the resulting CodeDirectory slots are inconsistent, and `codesign --force` later fails with: pdf-analyzer-darwin-universal: invalid or unsupported format for signature This broke the v1.2.3 release run. Fix by calling `codesign --remove-signature` on each single-arch binary before lipo, so the universal binary starts unsigned and is cleanly signed by the next step. --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a68878..aca3861 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,13 @@ jobs: bun build --compile --minify --target=bun-linux-x64 --define BUILD_VERSION="\"$VERSION\"" src/index.ts --outfile bin/pdf-analyzer-linux-x64 bun build --compile --minify --target=bun-windows-x64 --define BUILD_VERSION="\"$VERSION\"" src/index.ts --outfile bin/pdf-analyzer-windows-x64.exe + # Strip Bun's embedded ad-hoc signatures from each arch binary before + # lipo. Without this, `lipo -create` produces a fat binary whose + # signature slots are inconsistent and `codesign --force` later fails + # with "invalid or unsupported format for signature". + codesign --remove-signature bin/pdf-analyzer-darwin-arm64 + codesign --remove-signature bin/pdf-analyzer-darwin-x64 + # Create macOS universal binary lipo -create bin/pdf-analyzer-darwin-arm64 bin/pdf-analyzer-darwin-x64 \ -output bin/pdf-analyzer-darwin-universal