build: deprecated arg usage in macOS deploy script #32486

issue fanquake opened this issue on May 13, 2025
  1. fanquake commented at 5:16 PM on May 13, 2025: member

    --deep has been deprecated for at least the last 2 major versions of macOS:

    --deep (DEPRECATED for signing as of macOS 13.0) When signing a bundle. ...

    Given it's deprecated, I'd think that means we shouldn't actually need to use it. Assuming this also means it could be removed at some point, we should probably stop using it regardless. See our usage here:

    https://github.com/bitcoin/bitcoin/blob/8309a9747a8df96517970841b3648937d05939a3/contrib/macdeploy/macdeployqtplus#L497

  2. fanquake added the label Build system on May 13, 2025
  3. fanquake added the label Scripts and tools on May 13, 2025
  4. fanquake added the label macOS on May 13, 2025
  5. Sjors commented at 2:51 PM on March 24, 2026: member

    "This is almost never what you want." - Apple

    The full man codesign entry explains why it was removed, should inform any fix we apply:

         --deep  (DEPRECATED for signing as of macOS 13.0) When signing a bundle,
                 specifies that nested code content such as helpers, frameworks,
                 and plug-ins, should be recursively signed in turn.
                 Beware:
    
                 •   All signing options will be applied, in turn, to all nested
                     content. This is almost never what you want.
    
                 •   Nested code content is a special term that only applies to
                     macOS style bundles with a Contents folder. Only bare Mach-Os
                     and well structured bundles qualify as nested code content.
                     Non-bundle directories in nested code content locations will
                     cause an error when signing. The codesign tool will only
                     discover nested code content in the following directories:
    
                     •   Contents
    
                     •   Contents/Frameworks
    
                     •   Contents/SharedFrameworks
    
                     •   Contents/PlugIns
    
                     •   Contents/Plug-ins
    
                     •   Contents/XPCServices
    
                     •   Contents/Helpers
    
                     •   Contents/MacOS
    
                     •   Contents/Library/Automator
    
                     •   Contents/Library/Spotlight
    
                     •   Contents/Library/LoginItems
    
                 •   If any code (Mach-Os, bundles) are located outside the above
                     listed locations they will not be signed by the --deep option
    
                 •   Using the --deep option on an iOS style bundle without a
                     Contents folder will not cause an error but will only sign
                     the main binary of the bundle.
                 When verifying a bundle, this option specifies that any nested
                 code content will be recursively verified as to its full content.
                 By default, verification of nested content is limited to a
                 shallow investigation that may not detect changes to the nested
                 code.
                 When displaying a signature, this option specifies that a list of
                 directly nested code should be written to the display output.
                 This lists only code directly nested within the subject; anything
                 nested indirectly will require recursive application of the
                 codesign command.
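
The following Python example is added here; it is not from the thread or from the project's macdeployqtplus script. It lists the code items in a bundle that would need to be signed individually (deepest first) if --deep is dropped, and marks those lying outside the directories the man page above lists. The `build_sample` layout, its file names, and the reading of the list as "direct children only" are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Directories in which, per the man page quoted above, --deep discovers nested code.
DEEP_DIRS = {"Contents"} | {"Contents/" + d for d in (
    "Frameworks SharedFrameworks PlugIns Plug-ins XPCServices Helpers MacOS "
    "Library/Automator Library/Spotlight Library/LoginItems").split()}
# First four bytes of thin and fat Mach-O files (cafebabe is shared with Java classes).
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe", "bebafeca")}
BUNDLE_SUFFIXES = (".app", ".framework", ".bundle", ".xpc", ".plugin", ".appex")

def is_macho(path: Path) -> bool:
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def code_items(bundle: Path):
    """Return [(path relative to bundle, in_listed_dir)], deepest first.
    Nested bundles are reported as one unit and not descended into."""
    items = []
    for root, dirs, files in os.walk(bundle):
        rel_dir = Path(root).relative_to(bundle).as_posix()
        listed = rel_dir in DEEP_DIRS  # assumption: direct children only
        for d in [d for d in dirs if d.endswith(BUNDLE_SUFFIXES)]:
            items.append((f"{rel_dir}/{d}", listed))
            dirs.remove(d)  # prune: audit the nested bundle with its own call
        for name in files:
            p = Path(root, name)
            if not p.is_symlink() and is_macho(p):
                items.append((f"{rel_dir}/{name}", listed))
    return sorted(items, key=lambda i: (-i[0].count("/"), i[0]))

def build_sample(tmp: Path) -> Path:
    """Constructed layout with fake Mach-O headers; not the project's real bundle."""
    app, macho = tmp / "Example.app", bytes.fromhex("cffaedfe") + b"\0" * 28
    for rel in ("Contents/MacOS/Example", "Contents/Frameworks/libfoo.dylib",
                "Contents/Frameworks/Bar.framework/Versions/A/Bar",
                "Contents/PlugIns/platforms/libplugin.dylib",
                "Contents/Resources/helper"):
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(macho)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, listed in code_items(build_sample(Path(tmp))):
            print(("listed   " if listed else "UNLISTED ") + rel)
```

Items reported as UNLISTED are the ones to check first after any change to the signing step, for example with `codesign --verify --deep --strict` on the finished bundle.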
    

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-02 12:12 UTC
