Need help with some weird problem involving properties and signing

I’m experiencing some weird problem. It looks like some property value is persisted. Also, it seems that the property is set only on the first assignment, and after that it can’t be changed. But that would be really weird. I can’t reproduce the behaviour though. The situation is something like this script:

use scripting additions

property test : missing value

on get_string_default(domain, key_name, default_value)
	try
		return (do shell script "defaults read" & space & domain & space & key_name)
	on error number 1
		return default_value
	end try
end get_string_default

on run
	
	set test to get_string_default("nl.archipunt.test-script", "test_key", "the_default_value")
	display alert "Persistent property test!" message "Value of property test: »" & test & "«"
	test
end run

I can override and delete the defaults with these commands:

defaults write nl.archipunt.test-script test_key -string "the_override_value"
defaults delete nl.archipunt.test-script test_key

I compile the script via the command line to an app, and also sign it, like this:

osacompile -x -o "Test_Script.app" "test.applescript"
xattr -cr "Test_Script.app"
codesign --sign "Developer ID Application: XXXX (YYYYY)" "Test_Script.app"

In my real situation (above is my trial to isolate) the value in the alert doesn’t change after the first run. In the script above, it does.

However, one thing I noticed: when I check the signature with WhatsYourSign right after it is compiled, the signature is valid. After it has run, the app has signing issues… (sign auth: unknown (status/error: -67054))

So could one advise on why the signature is not valid anymore? And does anyone recognize this weird property behaviour? Any pointers?

It sounds like you’re changing the value of a top-level variable. But as the code you’ve posted doesn’t reproduce what you’re dealing with, anything else is wild speculation.

What if you use

use scripting additions

on get_string_default(domain, key_name, default_value)
	try
		return (do shell script "defaults read" & space & domain & space & key_name)
	on error number 1
		return default_value
	end try
end get_string_default

on run
	local test
	set test to get_string_default("nl.archipunt.test-script", "test_key", "the_default_value")
	display alert "Persistent property test!" message "Value of property test: »" & test & "«"
	test
end run

This time the script will not change the content of properties and so the signature will not be killed.

Yes, I was asking two things above. Not the clearest of communications from my side… Sorry about that.

Let’s focus on the signing issue.

With the code above, it is reproducible. The first run ruins the signature somehow. I’m probably not signing the app correctly, because when I’m creating the app by other means (Script Editor, Script Debugger, or even using SD Notary to sign the app) the signature keeps being valid.

I’ve looked for information about “Persistent Properties”. I don’t really get it. In Script Debugger, I get a checkbox when I create a new script. But I don’t see an option with osacompile. AppleScript documentation talks about it, but only describes how it works…

I really would like to have my build process automated, and unfortunately I can’t use SD Notary for the moment. I’m not asking for wild speculation, only some pointers where to look next, because I’m a bit in a corner here.

@koenigyvan I’m deducing a bug in a quite big program. I can’t easily refactor the program. The script above is just used to narrow down the problem.

Given what you accept to describe, my understanding is that you store some data in one or several properties.
Such objects as well as globals are stored in the file so every change in one of them is sufficient to kill your signature.

If I remember well, we may use properties embedded into script objects. They wouldn’t kill the signature but they will not be persistent.
In French we say: “On ne peut avoir le beurre et l’argent du beurre… et encore moins le … de la crémière”

Those apps also change the permissions of the bundle’s main.scpt file after signing to make it execute-only.

That simple :see_no_evil:. Thanks!
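
For an automated build, the permission change described in the last reply can be scripted and checked. The following is an added example, not code from any participant in this thread or from Script Debugger or SD Notary. It assumes the standard applet layout (Contents/Resources/Scripts/main.scpt) and that removing write permission (chmod a-w) is the permission change meant. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: lock and audit an applet's compiled script after signing.
# Assumed path: where an osacompile-built applet keeps its compiled script.
SCPT_REL="Contents/Resources/Scripts/main.scpt"

# Print the SHA-256 of the bundle's main.scpt (sha256sum on Linux, shasum on macOS).
script_digest() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1/$SCPT_REL" | cut -d' ' -f1
	else
		shasum -a 256 "$1/$SCPT_REL" | cut -d' ' -f1
	fi
}

# Succeed if any write bit is set. Reads the mode string instead of using
# `test -w`, which is always true when running as root.
script_is_writable() {
	case "$(ls -l "$1/$SCPT_REL" | cut -c2-10)" in
		*w*) return 0 ;;
		*) return 1 ;;
	esac
}

# Remove write permission so a run cannot save property values back into the
# file. Assumption: a-w is the mode change; file content is left untouched.
lock_script() {
	chmod a-w "$1/$SCPT_REL"
}

# Compare the file against the digest recorded at signing time.
# Prints one of: modified | writable | locked
audit_script() {
	if [ "$(script_digest "$1")" != "$2" ]; then
		echo modified
	elif script_is_writable "$1"; then
		echo writable
	else
		echo locked
	fi
}

# Build-time use, after the codesign step (bundle name as in the first post):
#   lock_script "Test_Script.app"
#   baseline=$(script_digest "Test_Script.app")
# Later, for example after the app has been run once:
#   audit_script "Test_Script.app" "$baseline"
```

A result of `modified` means the compiled script no longer matches what was signed, which is the situation the first post describes after the first run.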