apple-codesign: properly look for sniffed Mach-O header metadata

Before, we would detect pretty much any file as a Mach-O. Oof.

apple-codesign/CHANGELOG.md

@@ -58,6 +58,7 @@ Released on ReleaseDate.
 * The `generate-self-signed-certificate` command gained a
   `--pem-unified-filename` argument to write a PEM encoded file containing
   both the private key and public certificate.
+* Fixed a bug where files would be identified as Mach-O when they weren't.
 * aws crates 0.53 -> 0.57.
 * bitflags 1.3 -> 2.0.
 * cryptographic-message-syntax 0.19 -> 0.25.

apple-codesign/src/reader.rs

@@ -52,10 +52,12 @@ impl MachOType {
 
         let magic = goblin::mach::peek(&header, 0)?;
 
-        match magic {
-            FAT_MAGIC => Ok(Some(Self::Mach)),
-            _ if parse_magic_and_ctx(&header, 0).is_ok() => Ok(Some(Self::MachO)),
-            _ => Ok(None),
+        if magic == FAT_MAGIC {
+            Ok(Some(Self::Mach))
+        } else if let Ok((_, Some(_))) = parse_magic_and_ctx(&header, 0) {
+            Ok(Some(Self::MachO))
+        } else {
+            Ok(None)
         }
     }
 }