fix: properly raise error if macOS codesign - ing fails

[wolfv]

@zbowling unfortunately, conda-forge ships and uses sigtool which advertises itself as codesign as well, but does not support these extra options.

My current idea is to:

• use extra options if /usr/bin/codesign is the codesign
• not use extra options if we find codesign somewhere else

Unfortunately neither sigtool "codesign" nor codesign have a --version that we could use easily.

Their --help outputs do look differnet though, so we could also use that as indicator.

Or we could first try with the extra args, and if it fails, fall back ...

Happy to hear other thoughts. Also pinging @minrk who uncovered all of this.

[zbowling]

Oh wowwa! Is this implementation? https://github.com/thefloweringash/sigtool ?

Another way to fix this, and it's where I started before I went down this path, was to rather pass entitlements from the yaml all the way down explicitly. I have a branch where I was working on that. It's unfortunate because it makes rattler-build more aware of details done by lower level build systems but it would work for sigtool and codesign since they both seem to take an explicit plist for entitlements.

[wolfv]

@zbowling do you happen to know if Apple's codesign has supported these extra arguments for a long time?

[zbowling]

@wolfv --preserve-metadata= has been supported since 10.9 at least so 12+ years at least.

[minrk]

confirming this works for me, and if I force it to use sigtool with the unsupported arg, I get the expected signing failure:

Running codesign: "/Users/minrk/conda/conda-bld/bld/rattler-build_test-relink_1741771957/build_env/bin/codesign" "-f" "-s" "-" "--preserve-metadata=entitlements,requirements" "/var/folders/qr/3vxfnp1x2t1fw55dr288mphc0000gn/T/test-relinkN6U4iT/lib/librelative.dylib"
2025-03-12T09:32:49.556226Z ERROR Running build for{recipe="test-relink-0.0.0-h9dcc729_0"}:Packaging new files: rattler_build::macos::link: codesign failed with status exit status: 109.
  stdout:
  stderr: The following argument was not expected: --preserve-metadata=entitlements,requirements
Run with --help for more information.

Error:   × Codesign failed

[wolfv]

@minrk - just to double check - you manually moved sigtool to /usr/bin/codesign? Because with these changes we should detect if codesign comes from /usr/bin -> use extended arguments - otherwise we should always use the simple args.

[minrk]

Almost. I didn't modify the system, but I disabled the if is_system_codesign check so the arg is always added to make it fail.