fix: only re-sign nested binaries, preserve MAUI Catalyst signature (#564)

Stop re-signing the top-level .app bundle. MAUI already signs it with
the correct Mac Catalyst entitlements (including
application-identifier). Our manual re-sign was overwriting these with a
format Apple rejects.

Now only nested binaries are re-signed: copilot (with helper
entitlements), dylibs, and frameworks. The app bundle keeps its original
MAUI signature.

Also removes the application-identifier injection step which caused the
catch-22.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jfversluis

.github/workflows/release-apps.yml

@@ -278,37 +278,16 @@ jobs:
             echo "CFBundleIdentifier already uses base ID: $CURRENT_ID"
           fi
 
-      - name: Inject application-identifier into entitlements
-        run: |
-          # Extract application-identifier and team-identifier from provisioning profile.
-          # codesign doesn't auto-inject these (Xcode does); we must include them in entitlements.
-          PROFILE_PLIST=$(security cms -D -i "$RUNNER_TEMP/maccatalyst.provisionprofile")
-          APP_ID=$(echo "$PROFILE_PLIST" | /usr/libexec/PlistBuddy -c "Print :Entitlements:com.apple.application-identifier" /dev/stdin)
-          TEAM_ID=$(echo "$PROFILE_PLIST" | /usr/libexec/PlistBuddy -c "Print :Entitlements:com.apple.developer.team-identifier" /dev/stdin)
-          echo "Profile application identifier: $APP_ID"
-          echo "Team identifier: $TEAM_ID"
-
-          # The profile uses maccatalyst-prefixed ID (e.g., AY5KBJ6RN9.maccatalyst.nl.versluis.polypilot)
-          # but Apple requires TEAMID.bundleID format (e.g., AY5KBJ6RN9.nl.versluis.polypilot).
-          # Strip the maccatalyst. prefix to match the patched CFBundleIdentifier.
-          APP_ID=$(echo "$APP_ID" | sed "s/${TEAM_ID}\.maccatalyst\./${TEAM_ID}./")
-          echo "Patched application identifier: $APP_ID"
-
-          ENTITLEMENTS="PolyPilot/Platforms/MacCatalyst/Entitlements.AppStore.plist"
-          /usr/libexec/PlistBuddy -c "Add :com.apple.application-identifier string $APP_ID" "$ENTITLEMENTS" 2>/dev/null || \
-            /usr/libexec/PlistBuddy -c "Set :com.apple.application-identifier $APP_ID" "$ENTITLEMENTS"
-          /usr/libexec/PlistBuddy -c "Add :com.apple.developer.team-identifier string $TEAM_ID" "$ENTITLEMENTS" 2>/dev/null || \
-            /usr/libexec/PlistBuddy -c "Set :com.apple.developer.team-identifier $TEAM_ID" "$ENTITLEMENTS"
-          echo "Updated entitlements:"
-          cat "$ENTITLEMENTS"
-
-      - name: Re-sign app bundle (inside-out)
+      - name: Re-sign nested binaries only (preserve MAUI's Catalyst signature)
         env:
           CODESIGN_KEY: ${{ secrets.IOS_CODESIGN_KEY }}
         run: |
           APP_PATH=$(find PolyPilot/bin/Release/net10.0-maccatalyst -name "PolyPilot.app" -type d | head -1)
           echo "App path: $APP_PATH"
 
+          echo "=== Original app signature ==="
+          codesign -d --entitlements - "$APP_PATH" 2>/dev/null | head -30
+
           # Sign the copilot CLI binary with minimal helper entitlements (sandbox + inherit)
           COPILOT_BIN="$APP_PATH/Contents/MonoBundle/copilot"
           if [ -f "$COPILOT_BIN" ]; then
@@ -335,11 +314,9 @@ jobs:
               --sign "$CODESIGN_KEY" "$f"
           done
 
-          # Re-sign the top-level app bundle with full app entitlements
-          codesign --force --sign "$CODESIGN_KEY" \
-            --entitlements PolyPilot/Platforms/MacCatalyst/Entitlements.AppStore.plist \
-            --options runtime --timestamp \
-            "$APP_PATH"
+          # Do NOT re-sign the top-level .app bundle — MAUI's original Catalyst
+          # signature contains the correct application-identifier entitlement format.
+          # Re-signing with custom entitlements overwrites it and breaks validation.
 
           echo "=== Verify signature ==="
           codesign --verify --deep --strict "$APP_PATH" 2>&1