keg: add codesigning #9102

Merged (1 commit), Nov 14, 2020
35 changes: 35 additions & 0 deletions Library/Homebrew/os/mac/keg.rb
Expand Up @@ -8,6 +8,7 @@ def change_dylib_id(id, file)
@require_relocation = true
odebug "Changing dylib ID of #{file}\n from #{file.dylib_id}\n to #{id}"
MachO::Tools.change_dylib_id(file, id, strict: false)
apply_ad_hoc_signature(file)
rescue MachO::MachOError
onoe <<~EOS
Failed changing dylib ID of #{file}
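Review bot: the new apply_ad_hoc_signature(file) call sits inside the body guarded by `rescue MachO::MachOError`, but a signing failure never raises that (or any) error, so change_dylib_id returns normally with a binary whose existing signature has just been invalidated by the rewritten load command; arm64 macOS refuses to execute a native binary without a valid signature. Consider having the signing step raise on failure so it surfaces here the same way a MachO failure does, rather than leaving a silently broken file in the keg.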
Expand All @@ -23,6 +24,7 @@ def change_install_name(old, new, file)
@require_relocation = true
odebug "Changing install name in #{file}\n from #{old}\n to #{new}"
MachO::Tools.change_install_name(file, old, new, strict: false)
apply_ad_hoc_signature(file)
rescue MachO::MachOError
onoe <<~EOS
Failed changing install name in #{file}
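Review bot: change_install_name rewrites a single old/new pair, so a file with several install names to fix is re-signed once per call here, and only the last signature matters. Consider signing once per file after all load-command changes are applied (or deferring the signing to the caller that loops over names), which also avoids spawning codesign several times per binary during relocation.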
Expand All @@ -31,4 +33,37 @@ def change_install_name(old, new, file)
EOS
raise
end

def apply_ad_hoc_signature(file)
return if MacOS.version < :big_sur
Member:
Do we want to also limit this to ARM for now?

Member Author:
I am waiting for feedback from @mistydemeo, who is checking whether Intel Big Sur codesigns by default or not.
If we want to limit to ARM, I don't know how to do it in terms of Ruby calls. Can you suggest something?

Member Author:
Xcode 12.2, even on ARM Big Sur, does not codesign for Intel:

% clang -arch x86_64 a.c
% file a.out
a.out: Mach-O 64-bit executable x86_64
% codesign -v a.out
a.out: code object is not signed at all
In architecture: x86_64

So I suppose you're right, we should limit to Intel. Help is welcome. Looking at os/mac/mach.rb it looks like I should be able to simply call file.arch? But maybe it's not handled, as the code does not appear to include Arm variants in the list…

Contributor:
@fxcoudert Try Hardware::CPU.arm?, it’s in hardware.rb.

return unless Hardware::CPU.arm?

odebug "Codesigning #{file}"
# Use quiet_system to squash notifications about resigning binaries
# which already have valid signatures.
return if quiet_system("codesign", "--sign", "-", "--force",
"--preserve-metadata=entitlements,requirements,flags,runtime",
file)

# If the codesigning fails, it may be a bug in Apple's codesign utility
# A known workaround is to copy the file to another inode, then move it back
# erasing the previous file. Then sign again.
#
# TODO: remove this once the bug in Apple's codesign utility is fixed
Dir::Tmpname.create("workaround") do |tmppath|
FileUtils.cp file, tmppath
FileUtils.mv tmppath, file, force: true
end

# Try signing again
odebug "Codesigning (2nd try) #{file}"
return if quiet_system("codesign", "--sign", "-", "--force",
"--preserve-metadata=entitlements,requirements,flags,runtime",
file)

# If it fails again, error out
onoe <<~EOS
Failed applying an ad-hoc signature to #{file}
EOS
end
end
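Review bot: when both codesign attempts fail, apply_ad_hoc_signature only logs via onoe and returns nil, so neither caller can tell that the keg now contains a binary with an invalid signature; the rescue blocks above `raise` after `onoe`, and the same should happen here so the pour fails visibly. Two smaller points: the command array is duplicated between the first and second attempt, so factor it into a local such as `args = ["codesign", "--sign", "-", "--force", "--preserve-metadata=entitlements,requirements,flags,runtime", file]` and call quiet_system(*args) twice; and the unqualified "codesign" resolves through PATH, whereas "/usr/bin/codesign" cannot be shadowed by a user-installed binary. Also add a short comment on the workaround noting that Dir::Tmpname.create yields a path under Dir.tmpdir, so FileUtils.mv may cross filesystems and fall back to copy-and-delete, which still produces a fresh inode and so keeps the workaround valid.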