Code Signing Woes

Code signing never goes right for me. I feel like I have a pretty simple process:

1. Export
2. Sign with Xcode
3. Make and sign a DMG
4. Throw it up on a server
5. Download it for testing

6. 

7. 🤬

The next obvious step to to Google for the correct incantations of codesign¹ and spctl² to verify that nothing was corrupted during the upload or download. Occasionally I'll find an error, but usually the app bundle passes without issue.

As it happens, however, the error message is a little misleading. The files on disk are in fact correct, however at runtime the application runs afoul of Gatekeeper. Looking in Console reveals the true culprit:

File /Volumes/Capturebot/Capturebot.app/Contents/Frameworks/CaptureOneScripting.framework/Versions/A/CaptureOneScripting failed on rPathCmd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/macosx/ImageMetadata.framework/Versions/A/ImageMetadata

The application is attempting to load a file from outside of its bundle. In this case, a framework built with Swift Package Manager is linked against Xcode's Swift library rather than the bundled copy.

The fix is straight forward. A quick trip to Build Settings to add @executable_path/../Frameworks to Runtime Search Paths resolves the problem.