[bug] Tauri doesn't sign Mac apps correctly for App Store distribution #15230

@lynshi

Describe the bug

Mac apps produced for the App Store aren't signed correctly and fail the Requirement check. To reproduce, build and sign an app for the Mac App Store with an Apple Distribution certificate:

npm run tauri build -- --bundles app --target universal-apple-darwin --config src-tauri/tauri.appstore.conf.json

Then, check it with codesign:

codesign -vvvv --deep --strict src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app

src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app: valid on disk
src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app: does not satisfy its designated Requirement

This is because the certificate root is the literal hash of your local certificate.

codesign -d -r- "src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app/Contents/MacOS/my-app"

Executable=/PATH/TO/REPO/src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app/Contents/MacOS/my-app
designated => identifier "com.my-app-identifier" and certificate root = H"CERTIFICATE_HASH"

To resolve, the correct codesign command passes --requirements including anchor apple generic and the app identifier (codesign language docs):

codesign --force --sign "${APPLE_SIGNING_IDENTITY}" \
  --requirements "=designated => anchor apple generic and identifier \"com.my-app-identifier\"" \
  --entitlements src-tauri/entitlements.plist \
  "src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app"

Now, codesign -vvvv --deep --strict shows the designated requirement is satisfied.

src-tauri/target/universal-apple-darwin/release/bundle/macos/MY_APP.app: satisfies its Designated Requirement


Should Keychain::sign be updated to pass these requirements?

Looks like the only variable in --requirements is the identifier, which can be passed through via settings.bundle_identifier() when calling sign().

Reproduction

No response

Expected behavior

No response

Full tauri info output

[✔] Environment
    - OS: Mac OS 26.3.1 arm64 (X64)
    ✔ Xcode Command Line Tools: installed
    ✔ Xcode: 26.4
    ✔ rustc: 1.90.0 (1159e78c4 2025-09-14)
    ✔ cargo: 1.90.0 (840b83a10 2025-07-30)
    ✔ rustup: 1.28.2 (e4f3ad6f8 2025-04-28)
    ✔ Rust toolchain: stable-aarch64-apple-darwin (default)
    - node: 24.5.0
    - pnpm: 10.33.0
    - yarn: 1.22.22
    - npm: 11.5.1

[-] Packages
    - tauri 🦀: 2.10.2, (outdated, latest: 2.10.3)
    - tauri-build 🦀: 2.5.5, (outdated, latest: 2.5.6)
    - wry 🦀: 0.54.1, (outdated, latest: 0.55.0)
    - tao 🦀: 0.34.5, (outdated, latest: 0.35.0)
    - @tauri-apps/api  ⱼₛ: 2.10.1
    - @tauri-apps/cli  ⱼₛ: 2.10.0 (outdated, latest: 2.10.1)

[-] Plugins
    - tauri-plugin-fs 🦀: 2.4.5, (outdated, latest: 2.5.0)
    - @tauri-apps/plugin-fs  ⱼₛ: 2.4.5 (outdated, latest: 2.5.0)
    - tauri-plugin-os 🦀: 2.3.2
    - @tauri-apps/plugin-os  ⱼₛ: 2.3.2
    - tauri-plugin-opener 🦀: 2.5.3
    - @tauri-apps/plugin-opener  ⱼₛ: 2.5.3
    - tauri-plugin-log 🦀: 2.8.0
    - @tauri-apps/plugin-log  ⱼₛ: 2.8.0
    - tauri-plugin-dialog 🦀: 2.6.0, (outdated, latest: 2.7.0)
    - @tauri-apps/plugin-dialog  ⱼₛ: 2.6.0 (outdated, latest: 2.7.0)

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../build
    - devUrl: http://localhost:5173/
    - framework: Svelte
    - bundler: Vite

Stack trace


Additional context

No response
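
The requirement string proposed above and a check on `codesign -d -r-` output, as an added Rust example that is not code from the issue or from Tauri. The function names are hypothetical, the sample output is constructed from the lines quoted in the issue, and the restriction of the identifier to alphanumerics, `.` and `-` is an assumption of this example.

```rust
// Added example; not Tauri's code. All names here are hypothetical.

#[derive(Debug, PartialEq)]
pub enum Anchor {
    AppleGeneric,   // `anchor apple generic`
    PinnedRootHash, // `certificate root = H"..."`
    Other,
}

/// Value for `codesign --requirements`, in the form shown in the issue.
pub fn requirements_arg(bundle_id: &str) -> Result<String, String> {
    // Only alphanumerics, '.' and '-' so the id cannot close the quoted string early.
    let ok = !bundle_id.is_empty()
        && bundle_id.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-');
    if !ok {
        return Err(format!("unexpected bundle identifier: {:?}", bundle_id));
    }
    Ok(format!("=designated => anchor apple generic and identifier \"{}\"", bundle_id))
}

/// Find the `designated => ...` line in `codesign -d -r-` output and return
/// how it anchors trust plus the identifier it names.
pub fn classify(output: &str) -> Option<(Anchor, Option<String>)> {
    let req = output.lines().find_map(|l| {
        // Tolerate a leading '#' comment marker before the keyword.
        l.trim_start_matches(|c: char| c == '#' || c.is_whitespace())
            .strip_prefix("designated => ")
    })?;
    let anchor = if req.contains("anchor apple generic") {
        Anchor::AppleGeneric
    } else if req.contains("certificate root = H\"") {
        Anchor::PinnedRootHash
    } else {
        Anchor::Other
    };
    let id = req
        .split_once("identifier \"")
        .and_then(|(_, rest)| rest.split_once('"'))
        .map(|(id, _)| id.to_string());
    Some((anchor, id))
}

// Constructed sample output; the first is the shape quoted in the issue.
pub const PINNED: &str = "Executable=/PATH/TO/REPO/my-app\ndesignated => identifier \"com.my-app-identifier\" and certificate root = H\"CERTIFICATE_HASH\"\n";
pub const GENERIC: &str = "designated => anchor apple generic and identifier \"com.my-app-identifier\"\n";

fn main() {
    println!("{}", requirements_arg("com.my-app-identifier").unwrap());
    println!("{:?}", classify(PINNED));
    println!("{:?}", classify(GENERIC));
}
```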
