 

Is signing of shell script wrapping applications broken in OS X 10.11?

Signing a .app that wraps a shell script using OS X 10.11 fails to verify on 10.10 or below. I can sign on 10.10 and 10.9 and it verifies on 10.9, 10.10 and 10.11.

I've put two example apps and a script on GitHub to show this. The two HelloWorld.apps vary only in the binary in Contents/MacOS/HelloWorld. One is a shell script, the other is compiled Objective-C.

Signing works and verifies on 10.11 for both versions:

Shell Script version:

codesign -s "${signing_identity}" -v shell-script/HelloWorld.app
signed bundle with generic [liamsharp.helloworld]

codesign -vv shell-script/HelloWorld.app
shell-script/HelloWorld.app: valid on disk
shell-script/HelloWorld.app: satisfies its Designated Requirement

Objective-C version:

codesign -s "${signing_identity}" -v objective-c/HelloWorld.app
signed bundle with Mach-O thin (x86_64) [liamsharp.helloworld]

codesign -vv objective-c/HelloWorld.app
objective-c/HelloWorld.app: valid on disk
objective-c/HelloWorld.app: satisfies its Designated Requirement

But the shell script version fails to verify on 10.10 and 10.9:

codesign -vv shell-script/HelloWorld.app
shell-script/HelloWorld.app: invalid signature (code or signature have been modified)

I've got access to another 10.11 machine and the same issue occurs when it signs .apps. I've got access to a 10.9 machine, and that also fails to verify.

There is a difference in the _CodeSignature directory produced for the shell script .app.

Here's how it is when signed on 10.10:

CodeDirectory
CodeRequirements
CodeResources
CodeSignature

But when signed on 10.11 we get some extra files:

CodeDirectory
CodeRequirements
CodeRequirements-1
CodeResources
CodeSignature
CodeTopDirectory

Is there a magic option I'm missing for codesign to allow this to work? Or is there a bug?

asked Apr 29 '16 15:04

CodeBuddy
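
A pre-release check built on the two observations in the question (the main executable is a shell script, and `_CodeSignature` holds the extra files seen after signing on 10.11). This is an added example, not part of the original post; the function names, the assumption that the executable is `Contents/MacOS/<bundle name>`, and the sample bundles in `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Files the question lists as present only when the bundle was signed on 10.11.
EXTRA_FILES="CodeRequirements-1 CodeTopDirectory"

# Print "script" if the main executable starts with "#!", else "binary".
# Assumption: the executable is Contents/MacOS/<bundle name without .app>.
exec_kind() {
    name=$(basename "$1" .app)
    magic=$(head -c 2 "$1/Contents/MacOS/$name" 2>/dev/null)
    if [ "$magic" = "#!" ]; then echo script; else echo binary; fi
}

# Print "extra" if a 10.11-only file is in _CodeSignature, "baseline" if only
# the 10.10-style files are there, "none" if CodeDirectory is absent.
sig_layout() {
    dir="$1/Contents/_CodeSignature"
    for f in $EXTRA_FILES; do
        if [ -e "$dir/$f" ]; then echo extra; return; fi
    done
    if [ -e "$dir/CodeDirectory" ]; then echo baseline; else echo none; fi
}

# Return 1 when the bundle matches the failing case described in the question.
check_bundle() {
    kind=$(exec_kind "$1"); layout=$(sig_layout "$1")
    echo "$1: executable=$kind signature-files=$layout"
    if [ "$kind" = script ] && [ "$layout" = extra ]; then
        echo "  run 'codesign -vv' on 10.10 and 10.9 before release" >&2
        return 1
    fi
    return 0
}

# Constructed sample bundle: empty placeholder files, not real signatures.
# Usage: make_sample <root> <first line of executable> <signature files...>
make_sample() {
    app="$1/HelloWorld.app"; first="$2"; shift 2
    mkdir -p "$app/Contents/MacOS" "$app/Contents/_CodeSignature"
    printf '%s\n' "$first" > "$app/Contents/MacOS/HelloWorld"
    for f in "$@"; do : > "$app/Contents/_CodeSignature/$f"; done
}

# Usage: sh check.sh path/to/Some.app ...
for app in "$@"; do check_bundle "$app" || true; done
```

The check only inspects the bundle layout; `codesign -vv` on the older systems remains the actual verification.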


1 Answer

I've also had a response from Apple now, a different number to Graham though:

Engineering has determined that your bug report is a duplicate of another issue and will be closed.

Duplicate of 25457707 (Open)

Will post an update if/when I hear more. No further details provided on ETAs for a fix, or even if it's going to be fixed.

Update: This is now fixed in 10.11.5 - I didn't get any indication from Apple, but it now works after an upgrade.

answered Oct 05 '22 07:10

CodeBuddy