From efa16640725ce40d1a17006ff0e6979ff65495dc Mon Sep 17 00:00:00 2001 From: Wolf Vollprecht Date: Wed, 12 Jul 2023 10:05:38 +0200 Subject: [PATCH 1/7] update all dependencies to see if error goes away --- crates/rattler-bin/Cargo.toml | 6 ++--- crates/rattler/Cargo.toml | 26 ++++++++++----------- crates/rattler_conda_types/Cargo.toml | 24 +++++++++---------- crates/rattler_digest/Cargo.toml | 10 ++++---- crates/rattler_libsolv_rs/Cargo.toml | 2 +- crates/rattler_macros/Cargo.toml | 6 ++--- crates/rattler_networking/Cargo.toml | 16 ++++++------- crates/rattler_package_streaming/Cargo.toml | 10 ++++---- crates/rattler_repodata_gateway/Cargo.toml | 26 ++++++++++----------- crates/rattler_shell/Cargo.toml | 16 ++++++------- crates/rattler_solve/Cargo.toml | 10 ++++---- crates/rattler_virtual_packages/Cargo.toml | 6 ++--- crates/tools/Cargo.toml | 4 ++-- 13 files changed, 81 insertions(+), 81 deletions(-) diff --git a/crates/rattler-bin/Cargo.toml b/crates/rattler-bin/Cargo.toml index 279a852a2..d21bf25fb 100644 --- a/crates/rattler-bin/Cargo.toml +++ b/crates/rattler-bin/Cargo.toml @@ -22,12 +22,12 @@ rustls-tls = ["reqwest/rustls-tls", "rattler/rustls-tls", "rattler_repodata_gate [dependencies] anyhow = "1.0.71" -clap = { version = "4.3.2", features = ["derive"] } +clap = { version = "4.3.11", features = ["derive"] } console = { version = "0.15.7", features = ["windows-console-colors"] } dirs = "5.0.1" futures = "0.3.28" indicatif = "0.17.5" -itertools = "0.10.5" +itertools = "0.11.0" once_cell = "1.18.0" rattler = { version = "0.5.0", path = "../rattler", default-features = false } rattler_networking = { version = "0.5.0", path = "../rattler_networking", default-features = false } 
@@ -36,7 +36,7 @@ rattler_repodata_gateway = { version = "0.5.0", path = "../rattler_repodata_gate rattler_solve = { version = "0.5.0", path = "../rattler_solve", features = ["libsolv_rs", "libsolv_c"] } rattler_virtual_packages = { version = "0.5.0", path = "../rattler_virtual_packages" } reqwest = { version = "0.11.18", default-features = false } -tokio = { version = "1.28.2", features = ["rt-multi-thread", "macros"] } +tokio = { version = "1.29.1", features = ["rt-multi-thread", "macros"] } tracing-subscriber = { version = "0.3.17", features = ["env-filter"] } [package.metadata.release] diff --git a/crates/rattler/Cargo.toml b/crates/rattler/Cargo.toml index 78d4fd0e9..5d9535b8a 100644 --- a/crates/rattler/Cargo.toml +++ b/crates/rattler/Cargo.toml @@ -18,7 +18,7 @@ rustls-tls = ['reqwest/rustls-tls', 'rattler_package_streaming/rustls-tls'] [dependencies] anyhow = "1.0.71" apple-codesign = "0.22.0" -async-compression = { version = "0.4.0", features = ["gzip", "tokio", "bzip2", "zstd"] } +async-compression = { version = "0.4.1", features = ["gzip", "tokio", "bzip2", "zstd"] } bytes = "1.4.0" chrono = { version = "0.4.26", default-features = false, features = ["std", "serde", "alloc"] } digest = "0.10.7" 
@@ -26,34 +26,34 @@ dirs = "5.0.1" futures = "0.3.28" fxhash = "0.2.1" hex = "0.4.3" -itertools = "0.10.5" +itertools = "0.11.0" memchr = "2.5.0" -memmap2 = "0.6.2" +memmap2 = "0.7.1" nom = "7.1.3" once_cell = "1.18.0" -pin-project-lite = "0.2.9" +pin-project-lite = "0.2.10" rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } rattler_digest = { version = "0.5.0", path = "../rattler_digest" } rattler_networking = { version = "0.5.0", path = "../rattler_networking", default-features = false } rattler_package_streaming = { version = "0.5.0", path = "../rattler_package_streaming", features = ["reqwest", "tokio"], default-features = false } -regex = "1.8.4" +regex = "1.9.1" reqwest = { version = "0.11.18", default-features = false, features = ["stream", "json", "gzip"] } -serde = { version = "1.0.163", features = ["derive"] } -serde_json = { version = "1.0.96", features = ["raw_value"] } +serde = { version = "1.0.171", features = ["derive"] } +serde_json = { version = "1.0.102", features = ["raw_value"] } serde_with = "3.0.0" -smallvec = { version = "1.10.0", features = ["serde", "const_new", "const_generics", "union"] } +smallvec = { version = "1.11.0", features = ["serde", "const_new", "const_generics", "union"] } tempfile = "3.6.0" -thiserror = "1.0.40" -tokio = { version = "1.28.2", features = ["rt", "io-util", "macros"] } +thiserror = "1.0.43" +tokio = { version = "1.29.1", features = ["rt", "io-util", "macros"] } tokio-stream = "0.1.14" tokio-util = { version = "0.7.8", features = ["codec", "io"] } tracing = "0.1.37" url = { version = "2.4.0", features = ["serde"] } -uuid = { version = "1.3.3", features = ["v4", "fast-rng"] } +uuid = { version = "1.4.0", features = ["v4", "fast-rng"] } [dev-dependencies] assert_matches = "1.5.0" rand = "0.8.5" -rstest = "0.17.0" +rstest = "0.18.1" tracing-test = { version = "0.2.4" } -insta = { version = "1.29.0", features = ["yaml"] } +insta = { version = "1.30.0", features = ["yaml"] } 
diff --git a/crates/rattler_conda_types/Cargo.toml b/crates/rattler_conda_types/Cargo.toml index 35e9f1281..7c4b86191 100644 --- a/crates/rattler_conda_types/Cargo.toml +++ b/crates/rattler_conda_types/Cargo.toml @@ -14,19 +14,19 @@ readme.workspace = true chrono = "0.4.26" fxhash = "0.2.1" hex = "0.4.3" -itertools = "0.10.5" -lazy-regex = "2.5.0" +itertools = "0.11.0" +lazy-regex = "3.0.0" nom = "7.1.3" -regex = "1.8.4" -serde = { version = "1.0.163", features = ["derive"] } -serde_json = "1.0.96" +regex = "1.9.1" +serde = { version = "1.0.171", features = ["derive"] } +serde_json = "1.0.102" serde-json-python-formatter = "0.1.0" -serde_yaml = "0.9.21" +serde_yaml = "0.9.22" serde_with = "3.0.0" serde_repr = "0.1" -smallvec = { version = "1.10.0", features = ["serde", "const_new", "const_generics", "union"] } -strum = { version = "0.24.1", features = ["derive"] } -thiserror = "1.0.40" +smallvec = { version = "1.11.0", features = ["serde", "const_new", "const_generics", "union"] } +strum = { version = "0.25.0", features = ["derive"] } +thiserror = "1.0.43" tracing = "0.1.37" url = { version = "2.4.0", features = ["serde"] } rattler_digest = { version = "0.5.0", path = "../rattler_digest", features = ["serde"] } @@ -35,13 +35,13 @@ glob = "0.3.1" [dev-dependencies] rand = "0.8.5" -insta = { version = "1.29.0", features = ["yaml", "redactions", "toml"] } +insta = { version = "1.30.0", features = ["yaml", "redactions", "toml"] } rattler_package_streaming = { path = "../rattler_package_streaming", default-features = false, features=["rustls-tls"] } tempfile = "3.6.0" -rstest = "0.17.0" +rstest = "0.18.1" assert_matches = "1.5.0" hex-literal = "0.4.1" -criterion = { version = "0.4", features = ["html_reports"] } +criterion = { version = "0.5", features = ["html_reports"] } [[bench]] name = "parse" diff --git a/crates/rattler_digest/Cargo.toml b/crates/rattler_digest/Cargo.toml index 2286531a0..08a665872 100644 --- a/crates/rattler_digest/Cargo.toml 
+++ b/crates/rattler_digest/Cargo.toml @@ -12,10 +12,10 @@ readme.workspace = true [dependencies] digest = "0.10.7" -tokio = { version = "1.28.2", features = ["io-util"], optional = true } +tokio = { version = "1.29.1", features = ["io-util"], optional = true } hex = "0.4.3" -serde = { version = "1.0.163", features = ["derive"], optional = true } -sha2 = "0.10.6" +serde = { version = "1.0.171", features = ["derive"], optional = true } +sha2 = "0.10.7" md-5 = "0.10.5" blake2 = "0.10.6" serde_with = "3.0.0" @@ -25,7 +25,7 @@ tokio = ["dep:tokio"] serde = ["dep:serde"] [dev-dependencies] -rstest = "0.17.0" +rstest = "0.18.1" tempfile = "3.6.0" md-5 = "0.10.5" -serde_json = "1.0.96" +serde_json = "1.0.102" diff --git a/crates/rattler_libsolv_rs/Cargo.toml b/crates/rattler_libsolv_rs/Cargo.toml index 3ad38de02..d95f97ea1 100644 --- a/crates/rattler_libsolv_rs/Cargo.toml +++ b/crates/rattler_libsolv_rs/Cargo.toml @@ -17,4 +17,4 @@ rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } tracing = "0.1.37" [dev-dependencies] -insta = "1.29.0" +insta = "1.30.0" diff --git a/crates/rattler_macros/Cargo.toml b/crates/rattler_macros/Cargo.toml index 11da9353d..0777ce1ff 100644 --- a/crates/rattler_macros/Cargo.toml +++ b/crates/rattler_macros/Cargo.toml @@ -19,8 +19,8 @@ name = "tests" path = "tests/tests.rs" [dependencies] -syn = "2.0.18" -quote = "1.0.28" +syn = "2.0.25" +quote = "1.0.29" [dev-dependencies] -trybuild = { version = "1.0.80", features = ["diff"] } +trybuild = { version = "1.0.81", features = ["diff"] } diff --git a/crates/rattler_networking/Cargo.toml b/crates/rattler_networking/Cargo.toml index db7f689be..0c2e7f111 100644 --- a/crates/rattler_networking/Cargo.toml +++ b/crates/rattler_networking/Cargo.toml 
@@ -17,16 +17,16 @@ rustls-tls = ['reqwest/rustls-tls'] [dependencies] anyhow = "1.0.71" dirs = "5.0.1" -keyring = "2.0.2" +keyring = "2.0.4" lazy_static = "1.4.0" -libc = "0.2.144" -reqwest = { version = "0.11.17", features = ["blocking"], default-features = false} -serde = "1.0.163" -serde_json = "1.0.96" -thiserror = "1.0.40" +libc = "0.2.147" +reqwest = { version = "0.11.18", features = ["blocking"], default-features = false} +serde = "1.0.171" +serde_json = "1.0.102" +thiserror = "1.0.43" tracing = "0.1.37" [dev-dependencies] anyhow = "1.0.71" -insta = { version = "1.29.0", features = ["json"] } -tempfile = "3.5.0" +insta = { version = "1.30.0", features = ["json"] } +tempfile = "3.6.0" diff --git a/crates/rattler_package_streaming/Cargo.toml b/crates/rattler_package_streaming/Cargo.toml index dcc5b2bc2..9472009e8 100644 --- a/crates/rattler_package_streaming/Cargo.toml +++ b/crates/rattler_package_streaming/Cargo.toml @@ -14,12 +14,12 @@ readme.workspace = true bzip2 = { version = "0.4" } chrono = "0.4.26" futures-util = { version = "0.3.28", optional = true } -itertools = "0.10.5" +itertools = "0.11.0" rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } rattler_digest = { version = "0.5.0", path = "../rattler_digest" } -serde_json = "1.0.96" +serde_json = "1.0.102" tar = { version = "0.4.38" } -thiserror = "1.0.40" +thiserror = "1.0.43" tokio = { version = "1", optional = true } tokio-util = { version = "0.7", optional = true } reqwest = { version = "0.11.18", optional = true, default-features = false } @@ -39,5 +39,5 @@ reqwest = ["reqwest/blocking"] tempfile = "3.6.0" tokio = { version = "1", features = ["rt", "macros"] } walkdir = "2.3.3" -rstest = "0.17.0" -rstest_reuse = "0.5.0" +rstest = "0.18.1" +rstest_reuse = "0.6.0" diff --git a/crates/rattler_repodata_gateway/Cargo.toml b/crates/rattler_repodata_gateway/Cargo.toml index 834b09808..3abd4e78d 100644 --- a/crates/rattler_repodata_gateway/Cargo.toml 
+++ b/crates/rattler_repodata_gateway/Cargo.toml @@ -11,7 +11,7 @@ license.workspace = true readme.workspace = true [dependencies] -async-compression = { version = "0.4.0", features = ["gzip", "tokio", "bzip2", "zstd"] } +async-compression = { version = "0.4.1", features = ["gzip", "tokio", "bzip2", "zstd"] } blake2 = "0.10.6" cache_control = "0.2.0" chrono = { version = "0.4.26", default-features = false, features = ["std", "serde", "alloc", "clock"] } @@ -22,22 +22,22 @@ reqwest = { version = "0.11.18", default-features = false, features = ["stream"] tokio-util = { version = "0.7.8", features = ["codec", "io"] } tempfile = "3.6.0" tracing = "0.1.37" -thiserror = "1.0.40" +thiserror = "1.0.43" url = { version = "2.4.0", features = ["serde"] } -tokio = { version = "1.28.2", features = ["rt", "io-util"] } +tokio = { version = "1.29.1", features = ["rt", "io-util"] } anyhow = "1.0.71" -serde = { version = "1.0.163", features = ["derive"] } -serde_json = { version = "1.0.96" } -pin-project-lite = "0.2.9" +serde = { version = "1.0.171", features = ["derive"] } +serde_json = { version = "1.0.102" } +pin-project-lite = "0.2.10" md-5 = "0.10.5" rattler_digest = { version = "0.5.0", path = "../rattler_digest", features = ["tokio", "serde"] } rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types", optional = true } fxhash = { version = "0.2.1", optional = true } -memmap2 = { version = "0.6.2", optional = true } -ouroboros = { version = "0.15.6", optional = true } +memmap2 = { version = "0.7.1", optional = true } +ouroboros = { version = "0.17.0", optional = true } serde_with = "3.0.0" superslice = { version = "1.0.0", optional = true } -itertools = { version = "0.10.5", optional = true } +itertools = { version = "0.11.0", optional = true } json-patch = "1.0.0" hex = { version = "0.4.3", features = ["serde"] } rattler_networking = { version = "0.5.0", path = "../rattler_networking", default-features = false } 
@@ -50,13 +50,13 @@ windows-sys = { version = "0.48.0", features = ["Win32_Storage_FileSystem", "Win [dev-dependencies] hex-literal = "0.4.1" -tower-http = { version = "0.4.0", features = ["fs", "compression-gzip", "trace"] } +tower-http = { version = "0.4.1", features = ["fs", "compression-gzip", "trace"] } tracing-test = { version = "0.2.4" } -insta = { version = "1.29.0", features = ["yaml"] } +insta = { version = "1.30.0", features = ["yaml"] } axum = "0.6.18" assert_matches = "1.5.0" -tokio = { version = "1.28.2", features = ["macros", "rt-multi-thread"] } -rstest = "0.17.0" +tokio = { version = "1.29.1", features = ["macros", "rt-multi-thread"] } +rstest = "0.18.1" [features] default = ['native-tls'] diff --git a/crates/rattler_shell/Cargo.toml b/crates/rattler_shell/Cargo.toml index 2e2566a76..d872d42e3 100644 --- a/crates/rattler_shell/Cargo.toml +++ b/crates/rattler_shell/Cargo.toml @@ -11,17 +11,17 @@ license.workspace = true readme.workspace = true [dependencies] -enum_dispatch = "0.3.11" -indexmap = "1.9.3" -itertools = "0.10.5" +enum_dispatch = "0.3.12" +indexmap = "2.0.0" +itertools = "0.11.0" rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } -serde_json = { version = "1.0.96", features = ["preserve_order"] } +serde_json = { version = "1.0.102", features = ["preserve_order"] } shlex = "1.1.0" -sysinfo = { version = "0.29.2", optional = true } -tempfile = "3.5.0" -thiserror = "1.0.40" +sysinfo = { version = "0.29.4", optional = true } +tempfile = "3.6.0" +thiserror = "1.0.43" tracing = "0.1.37" [dev-dependencies] -insta = { version = "1.29.0", features = ["yaml"] } +insta = { version = "1.30.0", features = ["yaml"] } tempdir = "0.3.7" diff --git a/crates/rattler_solve/Cargo.toml b/crates/rattler_solve/Cargo.toml index 69ae44f2c..a0f2d4d1d 100644 --- a/crates/rattler_solve/Cargo.toml +++ b/crates/rattler_solve/Cargo.toml 
@@ -15,9 +15,9 @@ rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } rattler_digest = { version = "0.5.0", path = "../rattler_digest" } libc = { version = "0.2", optional = true } anyhow = "1.0.71" -thiserror = "1.0.40" +thiserror = "1.0.43" tracing = "0.1.37" -serde = { version = "1.0.163", features = ["derive"] } +serde = { version = "1.0.171", features = ["derive"] } url = "2.4.0" hex = "0.4.3" tempfile = "3.6.0" @@ -26,9 +26,9 @@ rattler_libsolv_rs = { version = "0.5.0", path = "../rattler_libsolv_rs", option [dev-dependencies] rattler_repodata_gateway = { version = "0.5.0", path = "../rattler_repodata_gateway", default-features = false, features = ["sparse"] } -insta = { version = "1.29.0", features = ["yaml"] } -rstest = "0.17.0" -serde_json = "1.0.96" +insta = { version = "1.30.0", features = ["yaml"] } +rstest = "0.18.1" +serde_json = "1.0.102" url = "2.4.0" similar-asserts = "1.4.2" once_cell = "1.18.0" diff --git a/crates/rattler_virtual_packages/Cargo.toml b/crates/rattler_virtual_packages/Cargo.toml index e02997dfa..369811fde 100644 --- a/crates/rattler_virtual_packages/Cargo.toml +++ b/crates/rattler_virtual_packages/Cargo.toml @@ -16,12 +16,12 @@ libloading = "0.8.0" nom = "7.1.3" once_cell = "1.18.0" rattler_conda_types = { version = "0.5.0", path = "../rattler_conda_types" } -thiserror = "1.0.40" +thiserror = "1.0.43" tracing = "0.1.37" -serde = { version = "1.0.163", features = ["derive"] } +serde = { version = "1.0.171", features = ["derive"] } [target.'cfg(target_os="macos")'.dependencies] plist = "1" [target.'cfg(unix)'.dependencies] -regex = "1.8.2" +regex = "1.9.1" diff --git a/crates/tools/Cargo.toml b/crates/tools/Cargo.toml index daf368bda..990c57d1f 100644 --- a/crates/tools/Cargo.toml +++ b/crates/tools/Cargo.toml 
@@ -4,8 +4,8 @@ version = "0.1.0" edition = "2021" [dependencies] -clap = { version = "4.3.2", features = ["derive"] } -bindgen = "0.65.1" +clap = { version = "4.3.11", features = ["derive"] } +bindgen = "0.66.1" anyhow = "1.0.71" difference = "2.0.0" tempdir = "0.3.7" From ce74c841ec372fd7a1f53e23f7a698fad8403b8e Mon Sep 17 00:00:00 2001 From: Wolf Vollprecht Date: Wed, 12 Jul 2023 10:51:06 +0200 Subject: [PATCH 2/7] try with older toolchain --- rust-toolchain | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust-toolchain b/rust-toolchain index 832e9afb6..5deab586f 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -1.70.0 +1.68.2 From e477058091267a7c7d212b577cd0c79b3d7b3fd6 Mon Sep 17 00:00:00 2001 From: Wolf Vollprecht Date: Wed, 12 Jul 2023 16:57:30 +0200 Subject: [PATCH 3/7] use the codesign command instead of the dependency --- crates/rattler/Cargo.toml | 1 - crates/rattler/src/install/link.rs | 26 ++++++++++++++++++++++---- rust-toolchain | 2 +- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/crates/rattler/Cargo.toml b/crates/rattler/Cargo.toml index 5d9535b8a..b54de7105 100644 --- a/crates/rattler/Cargo.toml +++ b/crates/rattler/Cargo.toml @@ -17,7 +17,6 @@ rustls-tls = ['reqwest/rustls-tls', 'rattler_package_streaming/rustls-tls'] [dependencies] anyhow = "1.0.71" -apple-codesign = "0.22.0" async-compression = { version = "0.4.1", features = ["gzip", "tokio", "bzip2", "zstd"] } bytes = "1.4.0" chrono = { version = "0.4.26", default-features = false, features = ["std", "serde", "alloc"] } diff --git a/crates/rattler/src/install/link.rs b/crates/rattler/src/install/link.rs index 71dc0c7ed..7228ba0bd 100644 --- a/crates/rattler/src/install/link.rs +++ b/crates/rattler/src/install/link.rs 
@@ -1,5 +1,4 @@ use crate::install::python::PythonInfo; -use apple_codesign::{SigningSettings, UnifiedSigner}; use rattler_conda_types::package::{FileMode, PathType, PathsEntry, PrefixPlaceholder}; use rattler_conda_types::{NoArchType, Platform}; use rattler_digest::HashingWriter; @@ -30,7 +29,7 @@ pub enum LinkFileError { FailedToUpdateDestinationFilePermissions(#[source] std::io::Error), #[error("failed to sign Apple binary")] - FailedToSignAppleBinary(#[from] apple_codesign::AppleCodesignError), + FailedToSignAppleBinary, #[error("cannot install noarch python files because there is no python version specified ")] MissingPythonInfo, @@ -52,6 +51,21 @@ pub struct LinkedFile { pub relative_path: PathBuf, } +fn codesign(destination_path: &Path) -> Result<(), LinkFileError> { + let status = std::process::Command::new("/usr/bin/codesign") + .arg("-s") + .arg("-") + .arg("-f") + .arg(destination_path) + .status()?; + + if !status.success() { + return Err(LinkFileError::FailedToSignAppleBinary); + } + + Ok(()) +} + /// Installs a single file from a `package_dir` to the the `target_dir`. Replaces any /// `prefix_placeholder` in the file with the `prefix`. /// @@ -179,8 +193,12 @@ pub fn link_file( // If the binary changed it requires resigning. if content_changed { - let signer = UnifiedSigner::new(SigningSettings::default()); - signer.sign_path_in_place(&destination_path)?; + match codesign(&destination_path) { + Ok(_) => {} + Err(e) => { + tracing::warn!("Failed to sign binary: {}", e); + } + } // The file on disk changed from the original file so the hash and file size // also became invalid. diff --git a/rust-toolchain b/rust-toolchain index 5deab586f..832e9afb6 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -1.68.2 +1.70.0 From 645b6feb2b394e4ac7d3594d08c2896bf0a6fa19 Mon Sep 17 00:00:00 2001 
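Review bot: In the new `codesign` helper (hunk `@@ -52,6 +51,21 @@` of link.rs), a non-zero exit from `/usr/bin/codesign` becomes the payload-free `FailedToSignAppleBinary`, so the caller gets neither the exit status nor the tool's message, whereas the variant this commit replaces carried its source error. Because the child is run with `.status()`, it also inherits the parent's stdout/stderr, so codesign's diagnostics go to whatever terminal the embedding application has rather than to the `tracing` log. Capturing the output and logging the status, path and stderr before returning the error keeps a failed signature diagnosable. The same function body is re-added in `apple_codesign.rs` by PATCH 6/7 and the point applies there unchanged. A spawn failure still propagates through `?`, presumably into the `#[error(transparent)]` variant whose definition is outside the hunk.

```rust
fn codesign(destination_path: &Path) -> Result<(), LinkFileError> {
    let output = std::process::Command::new("/usr/bin/codesign")
        // … unchanged: "-s", "-", "-f" and destination_path arguments …
        .output()?;

    if !output.status.success() {
        tracing::warn!(
            "codesign exited with {} for {}: {}",
            output.status,
            destination_path.display(),
            String::from_utf8_lossy(&output.stderr).trim_end()
        );
        // … unchanged: return Err(LinkFileError::FailedToSignAppleBinary) …
    }
    // … unchanged: Ok(()) …
```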
From: Wolf Vollprecht Date: Thu, 13 Jul 2023 11:07:16 +0200 Subject: [PATCH 4/7] make codesign behavior configurable --- crates/rattler/src/install/link.rs | 22 ++++++---------------- crates/rattler/src/install/mod.rs | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/crates/rattler/src/install/link.rs b/crates/rattler/src/install/link.rs index 7228ba0bd..a063456f4 100644 --- a/crates/rattler/src/install/link.rs +++ b/crates/rattler/src/install/link.rs @@ -8,6 +8,8 @@ use std::fs::Permissions; use std::io::{ErrorKind, Seek, Write}; use std::path::{Path, PathBuf}; +use super::apple_codesign::{codesign, AppleCodeSignBehavior}; + #[derive(Debug, thiserror::Error)] pub enum LinkFileError { #[error(transparent)] @@ -51,21 +53,6 @@ pub struct LinkedFile { pub relative_path: PathBuf, } -fn codesign(destination_path: &Path) -> Result<(), LinkFileError> { - let status = std::process::Command::new("/usr/bin/codesign") - .arg("-s") - .arg("-") - .arg("-f") - .arg(destination_path) - .status()?; - - if !status.success() { - return Err(LinkFileError::FailedToSignAppleBinary); - } - - Ok(()) -} - /// Installs a single file from a `package_dir` to the the `target_dir`. Replaces any /// `prefix_placeholder` in the file with the `prefix`. /// @@ -84,6 +71,7 @@ pub fn link_file( allow_hard_links: bool, target_platform: Platform, target_python: Option<&PythonInfo>, + apple_codesign_behavior: AppleCodeSignBehavior, ) -> Result { let source_path = package_dir.join(&path_json_entry.relative_path); @@ -196,7 +184,9 @@ pub fn link_file( match codesign(&destination_path) { Ok(_) => {} Err(e) => { - tracing::warn!("Failed to sign binary: {}", e); + if apple_codesign_behavior == AppleCodeSignBehavior::Fail { + return Err(e); + } } } diff --git a/crates/rattler/src/install/mod.rs b/crates/rattler/src/install/mod.rs index 27708f1a9..eae4655f0 100644 --- a/crates/rattler/src/install/mod.rs +++ b/crates/rattler/src/install/mod.rs 
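Review bot: The `Err(e)` arm in `link_file` (hunk `@@ -196,7 +184,9 @@`) now drops the error without a trace whenever the behavior is not `Fail`, because the `tracing::warn!` removed here was the only record that a rewritten binary was left unsigned. With `Ignore`, an install can finish with binaries that the `InstallOptions` doc in this same commit says need an ad-hoc signature to work on macOS ARM64, and nothing in the logs names them. Keep the log on the non-fatal path, e.g. `tracing::warn!("failed to ad-hoc sign {}: {}", destination_path.display(), e);` after the `if`. The enclosing `if content_changed` block starts and ends outside the hunk.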
@@ -1,3 +1,4 @@ +pub mod apple_codesign; mod driver; mod entry_point; pub mod link; @@ -12,6 +13,7 @@ pub use transaction::{Transaction, TransactionOperation}; use crate::install::entry_point::{ create_unix_python_entry_point, create_windows_python_entry_point, }; +pub use apple_codesign::AppleCodeSignBehavior; use futures::FutureExt; pub use python::PythonInfo; use rattler_conda_types::package::{IndexJson, LinkJson, NoArchLinks, PackageFile}; @@ -143,6 +145,16 @@ pub struct InstallOptions { /// If you're installing a noarch python package and do not provide this field, the /// [`link_package`] function will return [`InstallError::MissingPythonInfo`]. pub python_info: Option, + + /// For binaries on macOS ARM64 (Apple Silicon), binaries need to be signed with an ad-hoc + /// certificate to properly work. This field controls wether or not to do that. By default, + /// signing is enabled when the target platform is macOS ARM64, and the host platform is also + /// macOS ARM64. + /// To sign the binaries, the `/usr/bin/codesign` executable is called with `--force` and + /// `--sign -` arguments. The `--force` argument is used to overwrite existing signatures, and + /// the `--sign -` argument is used to sign with an ad-hoc certificate. + /// Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. + pub apple_codesign_behavior: Option, } /// Given an extracted package archive (`package_dir`), installs its files to the `target_dir`. 
@@ -209,6 +221,13 @@ pub async fn link_package( // Wrap the python info in an `Arc` so we can more easily share it with async tasks. let python_info = options.python_info.map(Arc::new); + let apple_codesign_behavior = options.apple_codesign_behavior.unwrap_or_else(|| { + if Platform::current() == Platform::OsxArm64 && platform == Platform::OsxArm64 { + AppleCodeSignBehavior::Fail + } else { + AppleCodeSignBehavior::Ignore + } + }); // Start linking all package files in parallel let mut number_of_paths_entries = 0; @@ -240,6 +259,7 @@ pub async fn link_package( allow_hard_links && !entry.no_link, platform, python_info.as_deref(), + apple_codesign_behavior, ) { Ok(result) => Ok(( number_of_paths_entries, From 60b28482c0c760f2d6d5f30af5089e77740e4cb3 Mon Sep 17 00:00:00 2001 From: Wolf Vollprecht Date: Thu, 13 Jul 2023 12:13:50 +0200 Subject: [PATCH 5/7] add DoNothing option, default on Fail --- crates/rattler/src/install/link.rs | 2 +- crates/rattler/src/install/mod.rs | 19 +++++++------------ 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/crates/rattler/src/install/link.rs b/crates/rattler/src/install/link.rs index a063456f4..2440377ca 100644 --- a/crates/rattler/src/install/link.rs +++ b/crates/rattler/src/install/link.rs @@ -180,7 +180,7 @@ pub fn link_file( } // If the binary changed it requires resigning. - if content_changed { + if content_changed && apple_codesign_behavior != AppleCodeSignBehavior::DoNothing { match codesign(&destination_path) { Ok(_) => {} Err(e) => { diff --git a/crates/rattler/src/install/mod.rs b/crates/rattler/src/install/mod.rs index eae4655f0..300c5644a 100644 --- a/crates/rattler/src/install/mod.rs +++ b/crates/rattler/src/install/mod.rs 
@@ -147,14 +147,16 @@ pub struct InstallOptions { pub python_info: Option, /// For binaries on macOS ARM64 (Apple Silicon), binaries need to be signed with an ad-hoc - /// certificate to properly work. This field controls wether or not to do that. By default, - /// signing is enabled when the target platform is macOS ARM64, and the host platform is also - /// macOS ARM64. + /// certificate to properly work. This field controls wether or not to do that. + /// Code signing is only executed when the target platform is macOS ARM64. By default, + /// codesigning will fail the installation if it fails. This behavior can be changed by setting + /// this field to `AppleCodeSignBehavior::Ignore` or `AppleCodeSignBehavior::DoNothing`. + /// /// To sign the binaries, the `/usr/bin/codesign` executable is called with `--force` and /// `--sign -` arguments. The `--force` argument is used to overwrite existing signatures, and /// the `--sign -` argument is used to sign with an ad-hoc certificate. /// Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. - pub apple_codesign_behavior: Option, + pub apple_codesign_behavior: AppleCodeSignBehavior, } /// Given an extracted package archive (`package_dir`), installs its files to the `target_dir`. @@ -221,13 +223,6 @@ pub async fn link_package( // Wrap the python info in an `Arc` so we can more easily share it with async tasks. let python_info = options.python_info.map(Arc::new); - let apple_codesign_behavior = options.apple_codesign_behavior.unwrap_or_else(|| { - if Platform::current() == Platform::OsxArm64 && platform == Platform::OsxArm64 { - AppleCodeSignBehavior::Fail - } else { - AppleCodeSignBehavior::Ignore - } - }); // Start linking all package files in parallel let mut number_of_paths_entries = 0; 
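Review bot: The rewritten doc on `apple_codesign_behavior` (hunk `@@ -147,14 +147,16 @@`) no longer mentions the host platform, and the following hunk deletes the `Platform::current() == Platform::OsxArm64` check that previously selected `Fail` only on a macOS ARM64 host. With `Fail` now the default, linking an osx-arm64 package on a host that has no `/usr/bin/codesign` would presumably abort on the spawn error, unless `link_file` checks the host in code outside these hunks. Either restore the host check or state the requirement in the doc, e.g. `/// On hosts without /usr/bin/codesign, set this to AppleCodeSignBehavior::Ignore or AppleCodeSignBehavior::DoNothing.` The comment also spells `whether` as `wether`.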
@@ -259,7 +254,7 @@ pub async fn link_package( allow_hard_links && !entry.no_link, platform, python_info.as_deref(), - apple_codesign_behavior, + options.apple_codesign_behavior, ) { Ok(result) => Ok(( number_of_paths_entries, From f3d3a4c641802687794066e95bcf525d79df8563 Mon Sep 17 00:00:00 2001 From: Wolf Vollprecht Date: Thu, 13 Jul 2023 12:22:05 +0200 Subject: [PATCH 6/7] add missing file --- crates/rattler/src/install/apple_codesign.rs | 34 ++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 crates/rattler/src/install/apple_codesign.rs diff --git a/crates/rattler/src/install/apple_codesign.rs b/crates/rattler/src/install/apple_codesign.rs new file mode 100644 index 000000000..8ba09f5f8 --- /dev/null +++ b/crates/rattler/src/install/apple_codesign.rs @@ -0,0 +1,34 @@ +use super::LinkFileError; +use std::path::Path; + +/// Controls the behavior of the [`link_package`] function when it encounters a binary that needs +/// to be signed on macOS ARM64 (Apple Silicon). +#[derive(Debug, Clone, Copy, PartialEq, Default)] +pub enum AppleCodeSignBehavior { + /// Do nothing (do not attempt to sign any binary) + DoNothing, + /// Ignore if the signing fails + Ignore, + /// Bubble up the error if the code signing fails (default) + #[default] + Fail, +} + +/// Sign a binary using the `codesign` tool with an ad-hoc certificate on macOS. +/// This is required for binaries to run on Apple Silicon. +pub(crate) fn codesign(destination_path: &Path) -> Result<(), LinkFileError> { + let status = std::process::Command::new("/usr/bin/codesign") + .arg("--sign") + // Use an ad-hoc certificate (`-`) + .arg("-") + // replace any existing signature + .arg("--force") + .arg(destination_path) + .status()?; + + if !status.success() { + return Err(LinkFileError::FailedToSignAppleBinary); + } + + Ok(()) +} From 2e7e8dad7e72147eb334227b5b67372c7dcb7a7f Mon Sep 17 00:00:00 2001 
From: Wolf Vollprecht
Date: Thu, 13 Jul 2023 13:42:01 +0200
Subject: [PATCH 7/7] fix rust doc
---
 crates/rattler/src/install/apple_codesign.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/rattler/src/install/apple_codesign.rs b/crates/rattler/src/install/apple_codesign.rs
index 8ba09f5f8..4a4d98cce 100644
--- a/crates/rattler/src/install/apple_codesign.rs
+++ b/crates/rattler/src/install/apple_codesign.rs
@@ -1,7 +1,7 @@
 use super::LinkFileError;
 use std::path::Path;
 
-/// Controls the behavior of the [`link_package`] function when it encounters a binary that needs
+/// Controls the behavior of the [`super::link_package`] function when it encounters a binary that needs
 /// to be signed on macOS ARM64 (Apple Silicon).
 #[derive(Debug, Clone, Copy, PartialEq, Default)]
 pub enum AppleCodeSignBehavior {