Closed indygreg closed 10 months ago
On further inspection the root cause of this delta was the reproduce script in #95 adding timestamp tokens to one entity when calling codesign
but not the other.
I think our default behavior of adding timestamp tokens when adding CMS signatures is fine.
As found in #95.
Apple's code signing doesn't add time-stamp tokens on CMS signatures for some nested entities when bundle signing.
I'm not sure the rules here. Presence of the TSTs is probably harmless. But we would ideally follow the same rules as Apple.