From ba0e03d0741229de43355976907c35d254b08d79 Mon Sep 17 00:00:00 2001
From: "alexey.lysiuk" <alexey.lysiuk@gmail.com>
Date: Tue, 5 Jan 2021 10:47:08 +0200
Subject: [PATCH] build script: code sign on executable outside of application
 bundle

---
 build.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/build.py b/build.py
index c4843bc2..04062836 100755
--- a/build.py
+++ b/build.py
@@ -1917,11 +1917,10 @@ class Builder(object):
             args += ['-create', '-output', dst_file]
             subprocess.check_call(args)
 
-            # TODO: check if ad-hoc code signing is really needed
-            # See https://github.com/Homebrew/brew/commit/e945b1c42ab44feb1c6814f47cc833d76b1a921c
-            # if is_executable:
-            #     args = ('codesign', '--sign', '-', dst_file)
-            #     subprocess.check_call(args)
+            # Apply ad-hoc code signing on executable files outside of application bundles
+            if is_executable and '.app/Contents/' not in src.path:
+                args = ('codesign', '--sign', '-', dst_file)
+                subprocess.check_call(args)
         else:
             if not Builder._compare_files(src_sub_paths):
                 print(f'WARNING: Source files for {dst_path + os.sep + src.name} don\'t match')