XCFramework codesign verification fails, because macOS temporary files appear inside

At my current company we have an app that has a lot of third party dependencies. Recently vendors started providing code signed XCFrameworks and we would like to use the code signed frameworks without any modification in our released app (don't tamper with the signature, don't remove it, don't resign it).

We have a problem: upon downloading the XCFrameworks from an internal artifact server, or upon moving the XCFrameworks on disk during the build process, macOS starts producing temporary files like .DS_Store and ._* files (for every file X, an additional ._X file is created). Files like this are sometimes called "turdfiles", like here.

The files are produced inside of XCFrameworks and inside of the _CodeSignature folder, making

codesign --verify --verbose=4 Example.xcframework

fail and Xcode complain and fail the build process.

I wrote a script that cleans up the _CodeSignature folder from all known turdfiles and then inspects the output of codesign to identify all surplus files and removes them - this has to be 2 steps, because codesign goes crazy if you tamper with the _CodeSignature directory.

We run the script in random places of the build system where it seemed to help.

Is there any system solution to fix this? Isn't everyone having this problem now, with the introduction of codesigned XCFrameworks? There were tens of people in the company having this issue before we hacked it together using the cleanup script.
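A sketch of the cleanup-then-verify flow described in the post, as an added example that is not the poster's script. The function names are hypothetical, and instead of parsing codesign output it uses a name-based sweep that deletes only .DS_Store files and ._X files whose companion X exists, so anything else codesign still rejects stays on disk for review.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the poster's script.

# List .DS_Store files, and AppleDouble ._X files only when their companion X
# exists in the same directory (the "._X for every file X" pattern).
list_macos_metadata() {
    find "$1" -type f \( -name '.DS_Store' -o -name '._*' \) | while IFS= read -r f; do
        base=${f##*/}
        dir=${f%/*}
        if [ "$base" = ".DS_Store" ] || [ -e "$dir/${base#._}" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Delete exactly the files listed above. The list is collected first so that
# removing a companion cannot change what a later ._X check sees.
clean_macos_metadata() {
    files=$(list_macos_metadata "$1")
    printf '%s\n' "$files" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        rm -f -- "$f"
    done
}

# Clean, then run the verification command from the post. The signature is
# never modified; extra files codesign still reports are not macOS metadata
# by the rule above and are left in place to be investigated.
verify_xcframework() {
    clean_macos_metadata "$1"
    if command -v codesign >/dev/null 2>&1; then
        codesign --verify --verbose=4 "$1"
    else
        echo "codesign not found (not macOS); cleanup only" >&2
    fi
}

# Usage: sh clean_verify.sh Example.xcframework
if [ "$#" -gt 0 ]; then
    verify_xcframework "$1"
fi
```

Running it once, immediately before the build step that consumes the framework, keeps the check at a single gate and makes a failing verification a signal worth looking at.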
