macos_installer_handler.py: Add signature check

CHANGELOG.md

@@ -10,6 +10,8 @@
   - Payloads:
     - Remove redundant/unused files bundled in payloads.dmg
 - Resolve unpatching Nvidia Web Drivers failing to clean up `/Library/Extensions`
+- Implement preflight code signature checks for macOS installer creation
+  - Ensures validity of `createinstallmedia` binary before execution
 
 ## 1.4.3
 - Update non-Metal Binaries for macOS Sonoma:

opencore_legacy_patcher/support/macos_installer_handler.py

@@ -139,7 +139,12 @@ class InstallerCreation():
             logging.info(f"Failed to copy installer to {ia_tmp}")
             return False
 
+        # Verify code signature before executing
         createinstallmedia_path = str(Path(installer_path) / Path("Contents/Resources/createinstallmedia"))
+        if subprocess.run(["/usr/bin/codesign", "-v", "-R=anchor apple", createinstallmedia_path]).returncode != 0:
+            logging.info(f"Installer has broken code signature")
+            return False
+
         plist_path = str(Path(installer_path) / Path("Contents/Info.plist"))
         if Path(plist_path).exists():
             plist = plistlib.load(Path(plist_path).open("rb"))