[ckatri]

> Existing Mach-O signing solutions just do ad-hoc signing and/or don't handle Mach-O in the context of a bundle.

I can assure you that saurik's ldid[0] does. Or the updated fork that I maintain at ProcursusTeam/ldid[1]. You can use -K to sign with a cert. You can find full documentation in the manpage[2].

[0] http://git.saurik.com/ldid.git

[1] https://github.com/ProcursusTeam/ldid

[2] https://man.cameronkatri.com/ldid/ldid.1