Executive summary: signatures are filesystem semantics, not just bytes
Modern Apple pipelines treat a signed .app as a structured directory with nested code, resources, and metadata that must remain internally consistent. Tools that treat the bundle as a loose collection of files may still copy every byte yet destroy the graph that codesign validates. The symptom on user machines is Gatekeeper messaging that sounds like malware, when the underlying issue is packaging hygiene.
Engineering teams that centralize builds on a remote Mac often optimize compile farms first and only later discover that artifact motion is where regressions hide. The fix is not more aggressive hashing alone. You must pair cryptographic manifests with signature verification after each hop, because a tarball can preserve bytes while still being unpacked with tools that rewrite permissions.
Same-platform rsync can retain POSIX permissions and many extended attributes when flags are explicit, which makes it attractive for moving trees between two Mac build agents. Cross-platform motion that includes a Linux runner should default to tar.gz created on macOS so symlink targets survive as archive members rather than being expanded prematurely. Never assume GitHub Actions upload-artifact semantics match Finder drag-and-drop expectations, and pin the action major version because symlink handling still shifts between releases. When reviewers cannot agree, tarball first and upload one blob so downstream jobs cannot reinterpret directory trees.
Release semantics remain unchanged: writers land under releases/<build_id>/, automation promotes only after manifests pass, and public symlinks swap atomically. Signature work does not replace that discipline; it complements it. When throughput is the primary bottleneck before you worry about signatures, read the WAN guide first, then return here for semantic preservation.
Compliance reviewers increasingly ask which machine touched signing keys and which machine exported customer-visible binaries. Capture submission identifiers from notarytool alongside git sha and Xcode build numbers so audit trails remain legible six months later.
Runbooks should also state who may run ad-hoc ditto or cp -R commands on build shares. Informal copies bypass the tarball discipline that keeps symlinks intact. When marketing requests a last-minute re-zipped demo, route the request through the same automation that produces beta builds so verification stays attached to the artifact.
Finally, educate support teams that Gatekeeper errors after download may be packaging regressions rather than malware. First-line triage can run verify commands locally before escalating security incidents, saving cross-functional time.
Pain decomposition: five classes of silent breakage
Flattened bundles. Graphical zip utilities and some cloud sync engines rebuild directories without restoring macOS-specific metadata. The application may look intact in a file browser yet fail deep verification because nested helpers lost executable bits.
Linux intermediate storage. Pipelines that upload directories from macOS runners to Linux jobs frequently break signatures when symlinks are dereferenced or when permission bits cannot be represented. Tar avoids dereference until you explicitly request it.
In-place rsync to live trees. Using --inplace against directories that users can download mid-transfer exposes partial bundles. Pair rsync with staging prefixes and atomic pointer swaps as described in the atomic release article.
Staple drift. Teams sometimes staple a disk image, then recompress or rewrap it for distribution. The ticket attached to Apple's notarization service may no longer match the bytes users download. Treat stapled artifacts as immutable unless you rerun the full notarization cycle.
Verification gaps. Verifying only on the originating Mac saves minutes today and costs hours during incidents. Always re-run codesign --verify --deep --strict on the Mac that hands builds to humans.
Decision matrix: pick packaging before picking bandwidth tricks
Record build identifiers, signing identities, notarization submission ids, packaging tool versions, transport tools, and verification exit codes in the same ticket to avoid split-brain debugging.
| Topology | Risk | Preferred motion | Related article |
|---|---|---|---|
| Mac to Mac low latency | Low if flags explicit | rsync with metadata preservation | Concurrent SFTP budgeting |
| Mac to Linux to Mac | High | tar.gz single blob per build | Integrity gate |
| Public dmg | Medium after staple | Freeze filename post staple | Atomic release |
| Internal cache | Controlled | Unsigned intermediates allowed if promotion rebuilds | CI credential matrix |
| Large payloads over WAN | Timeouts | Tar first, then tune parallel uploads | WAN throughput matrix |
Speed optimizations never override the rule that readers only see complete trees under stable pointers.
Document expected minutes for each verify step so capacity planning covers humans waiting on notarization as well as silicon compiling sources. Capture median and p95 durations weekly so regressions in packaging tools show up before customers do.
How-to: teaching skeleton for staging scripts
Replace hosts and users. Align secrets with the CI credential matrix.
# On build Mac: archive before any Linux hop
COPYFILE_DISABLE=1 tar -czvf MyApp_build.tar.gz MyApp.app
codesign --verify --deep --strict --verbose=2 MyApp.app
# Push tarball
rsync -av MyApp_build.tar.gz ci@remote-mac:uploads/staging/build-9001/
# On remote Mac: extract then verify landing
ssh ci@remote-mac 'cd uploads/staging/build-9001 && tar -xzvf MyApp_build.tar.gz'
ssh ci@remote-mac 'codesign --verify --deep --strict uploads/staging/build-9001/MyApp.app'
# Only after manifest gate passes, promote per atomic release guide
Interactive SFTP clients need written SOP for permission toggles. One unchecked default can invalidate a nightly beta. Keep screenshots in the handbook so on-call engineers do not guess.
Ticket fields, notarization polling, and disk headroom
Minimum fields: git sha, Xcode version, macOS patch level, codesign identity summary, notarytool submission id, stapler state, source verify exit code, landing verify exit code, transport tool versions, SHA256 manifest id. Teams that log only semantic versions rediscover mysteries during App Store deadline weeks.
Notarization queues can stretch well past thirty minutes during Apple platform events. Budget wall-clock time the same way you budget compile farms. Remote Mac disks that remain below roughly one hundred twenty gigabytes free invite mysterious archive failures; combine housekeeping cron jobs with monitoring alerts.
Separate upload accounts for signed release trees versus creative assets. Accidental overwrites are easier to prevent when POSIX permissions and SSH keys differ by role. Advanced chroot patterns are documented elsewhere on the site; the key idea is higher isolation for signing material.
When legal asks whether notarization uploads include source code, clarify that Apple processes binaries and metadata. Still handle bundles as confidential customer-facing artifacts in object storage with least-privilege IAM paths.
Rotate signing credentials on the same schedule as CI deploy keys, and never share production signing hosts with unreviewed pull-request workflows.
Glossary: vocabulary for precise postmortems
Application bundle is a directory convention that groups executables, frameworks, and resources. It is not a single file, which is why naive copying tools fail silently.
Developer ID Application identity signs binaries destined for distribution outside the Mac App Store when paired with Apple notarization expectations.
Notarization ticket is Apple's record that malware scanning and policy checks succeeded for a submitted payload. Stapling embeds proof for offline validation.
codesign verify deep strict walks nested code and enforces consistency rules that loose copying often violates.
Symlink preservation means relative links inside bundles continue pointing to the correct nested helpers after transport.
Extended attributes carry resource forks and quarantine markers. Some non-macOS filesystems drop them entirely.
tar copyfile disable environment hints help exclude AppleDouble sidecar files when teams require portable archives.
Artifact flattening describes tools that expand symlinks into duplicated files or discard POSIX executable bits.
Atomic release pointer is a symlink or equivalent indirection swapped only after validation completes.
Checksum manifest lists cryptographic hashes approved by humans independent of tool-internal checks.
Staging prefix is a writable namespace isolated from customer-visible download trees.
CI runner identity is the OS user executing workflow steps; mixing signing identities across runners without isolation risks key leakage.
Gatekeeper is macOS policy that consults notarization and code signature results before launching downloaded apps.
Hardened runtime entitlement set must match actual file access; notarization does not fix mismatched entitlements.
Stapler validate checks whether embedded tickets align with on-disk bytes for supported package types.
Remote Mac build farm centralizes Apple Silicon compatibility and signing toolchains for distributed teams.
SFTP session carries files inside SSH and inherits its encryption and authentication semantics.
rsync incremental algorithm saves bandwidth for repeated syncs but may be wasteful for fresh full copies of giant single files.
upload-artifact v4 behavior around symlinks differs from raw tar; always verify after download on macOS.
Object storage immutability prevents tampering after upload when paired with versioned keys per build.
Blast radius measures how many customers receive a broken build if promotion occurs too early.
Provisioning profile ties entitlements to team identifiers; mismatches surface during signing even when network transport is perfect.
DerivedData hygiene matters because stale intermediates can produce binaries that verify locally yet diverge once archived from a clean tree.
xcarchive bundles capture dSYM and products for distribution pipelines; treat them as another archive type with explicit unpack rules.
spctl assessment evaluates Gatekeeper policy against a path and complements codesign verification for distribution readiness checks.
Quarantine attribute marks files downloaded from the internet; automation must understand whether removal is appropriate for CI fixtures.
Keychain partition separates signing identities per user session on shared hosts; document unlock procedures for unattended builds.
Time-to-verify metrics belong beside compile duration so leadership sees full release latency, not just clang hours.
Rollback artifact is the previously promoted build kept for instant symlink reversal when signatures regress.
Observability field captures structured JSON lines emitted by CI with verify exit codes for each hop.
Regional egress choice affects notarization latency when Apple endpoints differ by geography; record which uplink each build used.
FAQ and why hosted remote Mac plans help
Can I validate signatures on Linux?
Do not treat Linux as authoritative for Apple code signature graphs. Linux may carry tarballs, but verification belongs on macOS.
Is ZIP always wrong?
ZIP is not automatically wrong, yet default encoders vary. If ZIP is required, document encoder flags and verify on destination Mac every time.
Does rclone help signatures?
rclone excels at mirrors and multi-backend sync. Treat it as another transport with explicit metadata flags, not magic.
Summary: Preserve bundle semantics, tarball before Linux, verify after every hop, and keep releases staged until manifests approve.
Limits: Self-managed multi-region ingress multiplies runbooks and on-call load. SFTPMAC hosted remote Mac packages stable build hosts, encrypted upload paths, and session policy so engineers focus on product quality instead of rediscovering symlink flattening.
Review SFTPMAC plans and regions to unify signing hosts and delivery ingress.