@meaton
Thanks for the quick response. I noticed your mention of a bug earlier and thought potentially this was the same issue, but wasn't sure, so thanks for confirming.
I was similarly thinking of this kind of third step - in which, having allowed -exportArchive to perform the work it needs to do, you unzip the resultant IPA and perform the resigning using a similar set of flags:
/usr/bin/codesign -vvv --force --sign '<identity>' --entitlements '<path to entitlements file>' --preserve-metadata=identifier,flags,runtime <path to app extracted from IPA>
It still feels a bit fragile, with me not having insight into how the exact codesign invocations are generated; for example, I'm not sure whether this process is any different if the .app contains app extensions?
Topic: Code Signing
SubTopic: Certificates, Identifiers & Profiles