Signtool will not preserve executable bits of loose Linux or Mac binaries if they are signed in some circumstances #16303
Description
If a binary is "loose" (meaning not within a parent container), and is designated to be signed, in certain circumstances the executable bit might not be preserved. This can happen in the following cases:
- Mac executable notarization - The initial signing step does preserve the bits due to using ditto before sending a loose binary. This is required by the signing service. The notarization step doesn't use ditto (service doesn't expect an archive). The file is returned without the executable bit and copied over the original. We don't typically notarize executables in a standalone fashion.
- Linux executables - Similar to mac notarization, if you were to sign the executable in some way that alters the file content, then the returned file would not have the executable bit.