macos-signing-inspectorlisted

# macOS Signing Inspector ## Quick Start Use this skill when the failure smells like codesigning rather than compilation: launch refusal, missing entitlement, invalid signature, sandbox mismatch, hardened runtime confusion, or trust-policy rejection. ## Workflow 1. Inspect the bundle or binary. - Locate the `.app` or executable. - Identify the main binary inside `Contents/MacOS/`. 2. Read signing details. - Use `codesign -dvvv --entitlements :- <path>`. - Use `spctl -a -vv <path>` when Gatekeeper behavior matters. - Use `plutil -p` for entitlements or Info.plist inspection. 3. Classify the failure. - Unsigned or ad hoc signed - Wrong identity - Entitlement mismatch - Hardened runtime issue - App Sandbox issue - Nested code signing issue - Distribution/notarization prerequisite issue 4. Explain the minimum fix path. - Say exactly what is wrong. - Show the shortest set of validation or repair commands. - Distinguish local development problems from distribution problems. ## Useful Commands - `codesign -dvvv --entitlements :- <app-or-binary>` - `spctl -a -vv <app-or-binary>` - `security find-identity -p codesigning -v` - `plutil -p <path-to-entitlements-or-plist>` ## Guardrails - Never invent missing entitlements. - Do not conflate notarization with local debug signing. - If the real issue is a build setting or provisioning profile, say so directly. ## Output Expectations Provide: - what artifact was inspected - what signi