I am using 10.13.5; saw this in Beta 4 and Beta 5.
The answer to your second question is yes and no.
If I do File > Export Run-Only Script, and in the export sheet, set Code Signing to my Developer ID Application: ID, it appears to work, and if I check it with
codesign --verify, it passes.
But if I do File > Export Run-Only Script, and in the export sheet, set Code Signing to Don’t Code Sign, and then later attempt invoke
codesign to sign its applet, I get the same error as when I attempt to sign the regular
/Users/jk/Documents/AppleScripts/Sheep Systems Trouble Zipper Run-Only.app/Contents/MacOS/applet: code object is not signed at all
In subcomponent: /Users/jk/Documents/AppleScripts/Sheep Systems Trouble Zipper Run-Only.app/Contents/Script Debugger.plist
One more data point for you. If, after I File > Save my
.app in Script Debugger, I dig in and move that
Script Debugger.plist from
Contents/Resources, and then invoke
codesign on the applet, it works:
/Users/jk/Documents/AppleScripts/Sheep Systems Trouble Zipper.app/Contents/MacOS/applet: signed app bundle with Mach-O universal (i386 x86_64) [applet]
I suppose the dichotomy could be explained by this remark which is also in that documentation:
While strict compliance with these rules may not affect your app today, anything that doesn’t meet these requirements note may be rejected by code signing verification … at any point in the future without notice.
In other words: Don’t try to understand Apple’s rules. Just obey them strictly.