Closed indygreg closed 10 months ago
On further examination, I think we're doing the right thing and the reproduce case in #95 was misleading because it was resigning a Mach-O with embedded entitlements. codesign doesn't preserve the entitlements unless you add --preserve-metadata=entitlements. But rcodesign does preserve the entitlements by default.
Once I added --preserve-metadata=entitlements to the command arguments, there were no remaining entitlements differences.
As found in #95. Our bundle signing appears to be copying an entitlements plist and embedding it in nested entities way too aggressively.