Closed Bug 758098 Opened 12 years ago Closed 6 years ago

Check that updated mac builds still have valid signing

Categories

(Release Engineering :: Release Automation: Other, defect, P3)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nthomas, Unassigned)

Details

(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/1940] )

Attachments

(1 file)

In testing for the mac signing work, QA discovered that removed-files was changing in an update and that was invalidating the bundle signing. While that file is now excluded from the manifest, we can add a check to update verify which ensures old release + mar file still has a valid signature.
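A simplified model of the check proposed above, added here as an illustration and not taken from the bug or its attached patch: a plain SHA-256 map stands in for the bundle signature's seal, and `seal`, `verify`, `update_verify` and the sample file contents are all constructed for this example. It applies an update to an old release and verifies the result against the seal computed when the new build was signed.

```python
import hashlib
import tempfile
from pathlib import Path

def seal(bundle: Path) -> dict:
    """Hash every file in the bundle: a simplified stand-in for a signature's resource seal."""
    return {p.relative_to(bundle).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(bundle.rglob("*")) if p.is_file()}

def verify(bundle: Path, sealed: dict) -> list:
    """Return every way the bundle on disk disagrees with the seal (empty list = valid)."""
    current = seal(bundle)
    problems = [f"modified: {f}" for f in sealed if f in current and current[f] != sealed[f]]
    problems += [f"missing: {f}" for f in sealed if f not in current]
    problems += [f"unsealed: {f}" for f in current if f not in sealed]
    return sorted(problems)

def write_tree(root: Path, files: dict) -> None:
    """Write files (relative path -> bytes); a value of None removes the file."""
    for rel, data in files.items():
        path = root / rel
        if data is None:
            path.unlink(missing_ok=True)
        else:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

# Constructed sample data: file names and contents are illustrative only.
OLD_RELEASE = {"Contents/MacOS/firefox": b"binary v1",
               "Contents/MacOS/removed-files": b"old-list\n"}
NEW_BUILD = {"Contents/MacOS/firefox": b"binary v2",
             "Contents/MacOS/removed-files": b"new-list\n"}

def update_verify(update_payload: dict) -> list:
    """Install the old release, apply the update, verify against the new build's seal."""
    with tempfile.TemporaryDirectory() as tmp:
        signed, installed = Path(tmp, "signed.app"), Path(tmp, "installed.app")
        write_tree(signed, NEW_BUILD)
        sealed = seal(signed)                  # computed once, at signing time
        write_tree(installed, OLD_RELEASE)
        write_tree(installed, update_payload)  # old release + update
        return verify(installed, sealed)

if __name__ == "__main__":
    # An update that leaves removed-files differing from the sealed copy fails the check.
    print(update_verify({"Contents/MacOS/firefox": b"binary v2"}))
    # An update that reproduces the signed build exactly passes.
    print(update_verify(NEW_BUILD))
```

In a real update-verify run the `verify` step would be performed by `codesign` against the updated bundle rather than by a hash comparison.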
No longer blocks: 730924
It's notable that this check is useless unless done on 10.7, but that should be OK as Beta will be using 10.7 build machines after June 4th/5th.
Assignee: nobody → bhearsum
Here's a patch that can be used to implement this. Unfortunately, the version of Xcode on our 10.7 machines is too old to validate these builds. I suspect it's because we have Xcode 4.2 on the signing machines and 4.1 on the 10.7 pool. The cost of upgrading Xcode on the 10.7 pool is high, more than the benefits IMO, so I think we should wait until we have a 10.8 pool or another reason to update Xcode before we do this.
This should get looked at again when we have a 10.8 pool.
Assignee: bhearsum → nobody
Priority: -- → P3
Does codesign have any/many deps? If not, could we rip what we need out of 4.2 and puppet install them on the 10.7 builders?
I hadn't considered that. I don't know what kind of deps it has, but it's worth a try!
I tried replacing the codesign binary on a lion r5 slave with the one from mac-signing3. Doing that didn't change the results. I suspect that 'codesign' is just a shim around some libraries that ship with Xcode. I don't think it will be a great use of our time to try and replace those.
Product: mozilla.org → Release Engineering
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/1940]
I think this got fixed along the way in the new TC world, where we build and sign in separate workers/steps. Closing this for now but feel free to reopen if I'm wrong.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED