indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Bundle signing adding time stamp tokens too aggressively #97

Closed indygreg closed 10 months ago

indygreg commented 10 months ago

As found in #95.

Apple's code signing doesn't add time-stamp tokens on CMS signatures for some nested entities when bundle signing.

I'm not sure of the rules here. Presence of the TSTs is probably harmless. But we would ideally follow the same rules as Apple.

indygreg commented 10 months ago

On further inspection the root cause of this delta was the reproduce script in #95 adding timestamp tokens to one entity when calling codesign but not the other.

I think our default behavior of adding timestamp tokens when adding CMS signatures is fine.