build: deprecated arg usage in macOS deploy script #32486

issue fanquake opened this issue on May 13, 2025
  1. fanquake commented at 5:16 pm on May 13, 2025: member

    --deep has been deprecated for at least the last 2 major versions of macOS:

    --deep (DEPRECATED for signing as of macOS 13.0) When signing a bundle. …

    Given it’s deprecated, I’d think that means we shouldn’t actually need to use it. Assuming this also means it could be removed at some point, we should probably stop using it regardless. See our usage here:

    https://github.com/bitcoin/bitcoin/blob/8309a9747a8df96517970841b3648937d05939a3/contrib/macdeploy/macdeployqtplus#L497

  2. fanquake added the label Build system on May 13, 2025
  3. fanquake added the label Scripts and tools on May 13, 2025
  4. fanquake added the label macOS on May 13, 2025
  5. Sjors commented at 2:51 pm on March 24, 2026: member

    “This is almost never what you want.” - Apple

    The full man codesign entry explains why it was removed, should inform any fix we apply:

    --deep  (DEPRECATED for signing as of macOS 13.0) When signing a bundle,
            specifies that nested code content such as helpers, frameworks,
            and plug-ins, should be recursively signed in turn.
            Beware:

               All signing options will be applied, in turn, to all nested
                content. This is almost never what you want.

               Nested code content is a special term that only applies to
                macOS style bundles with a Contents folder. Only bare Mach-Os
                and well structured bundles qualify as nested code content.
                Non-bundle directories in nested code content locations will
                cause an error when signing. The codesign tool will only
                discover nested code content in the following directories:

                   Contents

                   Contents/Frameworks

                   Contents/SharedFrameworks

                   Contents/PlugIns

                   Contents/Plug-ins

                   Contents/XPCServices

                   Contents/Helpers

                   Contents/MacOS

                   Contents/Library/Automator

                   Contents/Library/Spotlight

                   Contents/Library/LoginItems

               If any code (Mach-Os, bundles) are located outside the above
                listed locations they will not be signed by the --deep option

               Using the --deep option on an iOS style bundle without a
                Contents folder will not cause an error but will only sign
                the main binary of the bundle.
            When verifying a bundle, this option specifies that any nested
            code content will be recursively verified as to its full content.
            By default, verification of nested content is limited to a
            shallow investigation that may not detect changes to the nested
            code.
            When displaying a signature, this option specifies that a list of
            directly nested code should be written to the display output.
            This lists only code directly nested within the subject; anything
            nested indirectly will require recursive application of the
            codesign command.
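
Signing without `--deep` means signing each nested code item explicitly, innermost first and the outer bundle last. The sketch below is an added example, not code from this thread or from `macdeployqtplus`; it builds that order for a bundle and also picks up code outside the directories the man page lists. The bundle suffix set, the ad-hoc identity `-` and the sample layout are assumptions.

```python
import os
import plistlib
from pathlib import Path

# Thin and fat Mach-O magic numbers (cafebabe is also used by Java class files).
MACHO_MAGICS = {bytes.fromhex(m) for m in (
    "feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe", "cafebabf")}
BUNDLE_SUFFIXES = {".app", ".framework", ".bundle", ".plugin", ".xpc"}  # assumed set

def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def main_executable(bundle):
    """Main executable named in Info.plist (or None); it is signed with its bundle."""
    for info, exe_dir in ((bundle / "Contents/Info.plist", bundle / "Contents/MacOS"),
                          (bundle / "Resources/Info.plist", bundle)):
        if info.is_file():
            name = plistlib.loads(info.read_bytes()).get("CFBundleExecutable")
            return (exe_dir / name).resolve() if name else None

def signing_plan(app, identity="-"):
    """One codesign command per code item, innermost first, without --deep."""
    app = Path(app).resolve()
    bundles, files = [app], []
    for root, dirs, names in os.walk(app):  # symlinked directories are not entered
        for p in (Path(root, n) for n in dirs + names):
            if p.is_dir() and p.suffix in BUNDLE_SUFFIXES and not p.is_symlink():
                bundles.append(p)
            elif p.is_file() and not p.is_symlink() and is_macho(p):
                files.append(p)
    covered = {main_executable(b) for b in bundles}
    targets = bundles + [f for f in files if f not in covered]
    targets.sort(key=lambda p: (-len(p.parts), str(p)))  # deeper paths sign first
    return [["codesign", "--force", "--sign", identity, str(t)] for t in targets]

def make_sample_app(root):
    """Constructed sample bundle: 4-byte fake Mach-O headers, not real binaries."""
    app, mh = Path(root, "Sample.app"), bytes.fromhex("cffaedfe")
    plist = lambda exe: plistlib.dumps({"CFBundleExecutable": exe})
    layout = {"Contents/Info.plist": plist("Sample"), "Contents/MacOS/Sample": mh,
              "Contents/MacOS/helper": mh, "Contents/PlugIns/extras/libextra.dylib": mh,
              "Contents/Helpers/Tool.app/Contents/Info.plist": plist("Tool"),
              "Contents/Helpers/Tool.app/Contents/MacOS/Tool": mh,
              "Contents/Resources/notes.txt": b"not code"}
    for rel, data in layout.items():
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(data)
    return app
```

Each command in the returned plan can be passed to `subprocess.check_call` on a macOS host; `codesign --verify --deep --strict` on the outer bundle then checks the result, since `--deep` is deprecated only for signing.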
    


This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-12 09:13 UTC
