Attempting to codesign a MacOS app corrupts the app

Description

I’m trying to publish a command line MacOS application built with .NET. I’ve read many of the issues related to this, but none seems to precisely cover my case (at least not in a way that I understand). I did gather that it doesn’t work in .NET 5 so I’ve updated to .NET 6. In order to get it past gatekeeper, I need to sign, notarize, staple, bend, fold, spindle, etc.

I can’t seem to get past the first step. If I use codesign to sign the app, the app is then corrupted and won’t run.

$ codesign --timestamp -o runtime --force --verify --verbose --sign MYIDHERE SaxonCS
SaxonCS: replacing existing signature
SaxonCS: signed Mach-O thin (x86_64) [SaxonCS]

$ ./SaxonCS
Failed to load /private/tmp/app/libcoreclr.dylib, error: dlopen(/private/tmp/app/libcoreclr.dylib, 0x0001): tried: '/private/tmp/app/libcoreclr.dylib' (code signature in <3ACEB6DA-5249-3A77-A23B-BB471A3797C8> '/private/tmp/app/libcoreclr.dylib' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), '/usr/lib/libcoreclr.dylib' (no such file)
[1]    56791 segmentation fault  ./SaxonCS

I’m slightly confused by the “replacing existing signature” message. I haven’t configured .NET to do signing automatically, at least not on purpose, and if it is signing automatically, I don’t see how it could be using the right key ID.

On a possibly related note, I’m surprised by the build artifacts that dotnet publish produces. I’m running

dotnet publish SaxonCS.sln --configuration Release -r osx-x64 \
        --self-contained true -p:PublishSingleFile=true \
        -p:PublishReadyToRun=true -p:UseAppHost=true \
        -p:Version=11.2.0 -p:PackageVersion=11.2.0

But I’m not getting a “single file”:

$ ls -lA build/cs/bin/Release/net5.0/osx-x64/publish/
.rwxr--r-- 1 2.6M ndw 15 Feb 16:55 libclrjit.dylib
.rwxr--r-- 1 6.9M ndw 15 Feb 17:00 libcoreclr.dylib
.rwxr--r-- 1 962k ndw 15 Feb 16:48 libSystem.IO.Compression.Native.dylib
.rwxr--r-- 1  87k ndw 15 Feb 16:48 libSystem.Native.dylib
.rwxr--r-- 1  36k ndw 15 Feb 16:48 libSystem.Net.Security.Native.dylib
.rwxr--r-- 1  68k ndw 15 Feb 16:48 libSystem.Security.Cryptography.Native.Apple.dylib
.rwxr--r-- 1 172k ndw 15 Feb 16:48 libSystem.Security.Cryptography.Native.OpenSsl.dylib
.rwxr-xr-x 1 105M ndw 11 Mar 14:40 SaxonCS
.rw-r--r-- 1 1.9M ndw 11 Mar 14:40 SaxonCS.pdb
.rw-r--r-- 1 736k ndw 11 Mar 14:40 SaxonCS.xml

(If I don’t use the single file option, I get dozens and dozens of files, so it’s certainly closer to single file!)

On other occasions, with slightly different publish commands, I get more or less further along. Sometimes I can sign the SaxonCS file and it runs, but complains the other dylib files aren’t signed. If I sign them, things crash differently.

I fully expect this is user error, but I cannot find any explanation of either what I should be doing or what I might be doing wrong.

Configuration

$ /usr/local/share/dotnet/dotnet --info
.NET SDK (reflecting any global.json):
 Version:   6.0.201
 Commit:    ef40e6aa06

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  12.2
 OS Platform: Darwin
 RID:         osx.12-x64
 Base Path:   /usr/local/share/dotnet/sdk/6.0.201/

Host (useful for support):
  Version: 6.0.3
  Commit:  c24d9a9c91

.NET SDKs installed:
  6.0.201 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET runtimes or SDKs:
  https://aka.ms/dotnet-download

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 19 (6 by maintainers)

Top GitHub Comments

2 reactions
ndw commented, Dec 21, 2022

Thank you @devon94. I believe I finally wrestled the whole process to the ground. Breadcrumbs for the next traveler: https://dev.saxonica.com/blog/norm/2022/12/21-net6.html

1 reaction
ndw commented, Dec 21, 2022

I’m returning to this task much later than I anticipated. I’d like to try the plist solution proposed, but I’m unclear on where this plist should be placed and what it should be called…

I think I figured this out: it’s passed to codesign with --entitlements. Apologies for the noise.
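
For the publish layout shown in the issue's listing (native .dylib files next to the SaxonCS executable), one way to sign every file rather than only the executable, as an added example that is not code from the issue, its author, or the .NET project. Assumptions: the function names and the CODESIGN dry-run override are hypothetical, the entitlements plist is whatever file you pass in, and its contents are not taken from this page.

```shell
#!/bin/sh
# Added example (not from the issue): sign a .NET publish directory.
# Override CODESIGN for a dry run, e.g. CODESIGN="echo codesign" (assumption).
CODESIGN="${CODESIGN:-codesign}"

# sign_one IDENTITY FILE [ENTITLEMENTS]  (hypothetical helper)
# Hardened runtime + secure timestamp, matching the flags used in the issue.
sign_one() {
    if [ -n "${3:-}" ]; then
        $CODESIGN --force --timestamp --options runtime \
            --entitlements "$3" --sign "$1" "$2"
    else
        $CODESIGN --force --timestamp --options runtime --sign "$1" "$2"
    fi
}

# sign_publish_dir DIR APP IDENTITY ENTITLEMENTS  (hypothetical helper)
sign_publish_dir() {
    dir=$1; app=$2; identity=$3; entitlements=$4
    [ -f "$dir/$app" ] || { echo "missing executable: $dir/$app" >&2; return 2; }
    [ -f "$entitlements" ] || { echo "missing plist: $entitlements" >&2; return 2; }
    # Libraries first, without entitlements: they only apply to executables.
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue   # glob matched nothing
        sign_one "$identity" "$lib" || return 1
    done
    # Main executable last, carrying the entitlements.
    sign_one "$identity" "$dir/$app" "$entitlements"
}

# verify_publish_dir DIR APP: fail on the first file whose signature is bad.
verify_publish_dir() {
    for f in "$1"/*.dylib "$1/$2"; do
        [ -f "$f" ] || continue
        $CODESIGN --verify --strict --verbose=2 "$f" || return 1
    done
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then
    sign_publish_dir "$@" && verify_publish_dir "$1" "$2"
fi
```

Running it with CODESIGN="echo codesign" prints the commands without touching any file, which makes the signing order easy to review before using a real identity.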
