fix: make embed-runner-icon post-action work on device & sim builds

harsha509 · claude · harsha509 · commit 3cfdd077c837 · 2026-05-20T22:11:54.000-04:00
The icon-embed post-action re-codesigns the Runner.app after modifying
it. Two bugs in the identity-discovery step were caught running the PR
test plan on a real device:

- Piping `codesign -dvv` straight into `awk '... exit'` makes awk close
  the pipe early, killing codesign with SIGPIPE. With `set -o pipefail`
  that became a fatal error and failed the whole build. It triggered
  whenever an Authority line exists -- i.e. every real-device build.
  Simulator builds dodged it only because their ad-hoc signature has no
  Authority line. Fix: capture codesign output once into a variable and
  parse from the string, so no live pipe can be broken.

- Simulator builds are ad-hoc signed (no Authority line), so no identity
  was discovered and the bundle was left with a stale signature that
  failed `codesign --verify`. Fix: fall back to an ad-hoc identity ("-")
  when the bundle reports `Signature=adhoc`.

Verified on iOS simulator and a real device: build succeeds, post-action
runs, and `codesign --verify --deep --strict` reports the Runner.app as
valid.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Scripts/embed-runner-icon.sh b/Scripts/embed-runner-icon.sh
@@ -62,10 +62,19 @@ PLIST="$RUNNER_APP/Info.plist"
 # In a scheme post-action context Xcode's CODE_SIGN_* env vars are not exposed,
 # so discover the existing signing identity from the already-signed bundle.
 if [ -d "$RUNNER_APP/_CodeSignature" ]; then
+    # Capture the signature info once. Piping codesign straight into
+    # `awk ... exit` makes awk close the pipe early, killing codesign with
+    # SIGPIPE -- which `set -o pipefail` turns into a fatal error. That trips
+    # only when an Authority line exists, i.e. on every real-device build.
+    SIGN_INFO=$(codesign -dvv "$RUNNER_APP" 2>&1 || true)
     EXISTING_IDENT="${EXPANDED_CODE_SIGN_IDENTITY:-}"
     if [ -z "$EXISTING_IDENT" ]; then
-        EXISTING_IDENT=$(codesign -dvv "$RUNNER_APP" 2>&1 \
-            | awk -F'=' '/^Authority/ {print $2; exit}')
+        EXISTING_IDENT=$(awk -F'=' '/^Authority/ {print $2; exit}' <<< "$SIGN_INFO")
+    fi
+    # Simulator builds are ad-hoc signed: there is no Authority line, but the
+    # bundle can still be re-signed ad-hoc with an identity of "-".
+    if [ -z "$EXISTING_IDENT" ] && grep -q '^Signature=adhoc' <<< "$SIGN_INFO"; then
+        EXISTING_IDENT="-"
     fi
     if [ -n "$EXISTING_IDENT" ]; then
         codesign --force --sign "$EXISTING_IDENT" \
