`strip` does ad-hoc code signatures on darwin #104
LGTM, but I wonder if

Oh, I love this idea. Let me go do that.
- install and configure sigtool for darwin codesigning
- create a wrapper for `strip` that also invokes codesign
35cfc92 to ec38f3b
@larskanis Updated with a wrapper for

OK, I've verified that with this PR I can create a precompiled, stripped grpc gem for both arm64-darwin and x86_64-darwin. @larskanis unless you have objections, I'd like to merge this and cut a point release.

No objections. Is the strip command executed somewhere as part of our current tests?

No, currently neither of the wrappers is being tested as part of the suite. Let me see if I can find time today to add that, and think about what a meaningful test would even look like (there's no way to validate codesigning except on a darwin machine).

@larskanis I added test coverage for the "strip" wrappers. Any other thoughts before I merge? Any objections to me cutting a patch release for this?

LGTM, great work! Interesting approach to add strip to the extension Makefile.

I'll cut a release in the next few days.

Problem being solved

Using the osxcross `strip` tool invalidates the ad-hoc code signature:

This results in the binary being unusable, see tpoechtrager/osxcross#305

Approach used

`codesign` installed from thefloweringash/sigtool

This PR builds and installs https://github.com/thefloweringash/sigtool to provide a `/usr/bin/codesign` utility in the OSX cross-compilation environment. (Note that I'm using a personal branch that fixes a bug in the Makefile, see thefloweringash/sigtool#14).

`codesign_allocate` made discoverable

The `codesign` tool relies on `codesign_allocate`. This tool is provided by osxcross, but is named with the toolchain prefix. To allow `codesign` to find it, this PR symlinks the underlying binary executable into `/usr/bin/codesign_allocate`.

`sigtool` allows setting the `codesign_allocate` command via environment variable `CODESIGN_ALLOCATE` but since the goal is to make `codesign` easy to use, I chose instead to symlink:

Also note that osxcross's `aarch64-apple-darwin20.2-codesign_allocate` is a symlink to the `x86_64` binary, so the architecture here doesn't seem to matter.

`strip` behavior

This PR also provides a wrapper script for `strip` that will ad-hoc codesign the stripped file automatically, making `strip` a safe command to run.

Testing

I didn't add test coverage. Testing this seems to require setting up a complex integration test scenario that involves a darwin test worker running a "real" version of codesign. It may even need to be apple silicon? I'm not sure. I'm also not sure the effort is worth testing a third-party tool. Let me know if you disagree or have other ideas.
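
The `strip` wrapper idea described in this PR, sketched as an added example (this is not the PR's own script): it runs the real `strip`, then ad-hoc re-signs whatever `strip` wrote. Assumptions: the `REAL_STRIP` and `CODESIGN` variables and the `strip.bin` default name are hypothetical, and the `codesign` on `PATH` is assumed to accept Apple's `-f -s -` syntax.

```shell
#!/bin/sh
# Added example: run the real strip, then ad-hoc sign what it wrote.
# REAL_STRIP and CODESIGN are hypothetical overrides; "strip.bin" is an
# assumed name for the renamed toolchain strip, not taken from the PR.

strip_and_sign() {
    real_strip=${REAL_STRIP:-strip.bin}
    codesign=${CODESIGN:-codesign}

    # If strip fails, sign nothing and pass its exit status through.
    "$real_strip" "$@" || return $?

    # With "-o output", strip leaves its input alone: sign only the output.
    prev='' out=''
    for arg in "$@"; do
        if [ "$prev" = "-o" ]; then out=$arg; fi
        prev=$arg
    done
    if [ -n "$out" ]; then
        "$codesign" -f -s - "$out"
        return $?
    fi

    # Otherwise every non-option operand was rewritten in place.
    rc=0 prev=''
    for arg in "$@"; do
        case "$prev" in
            -s|-R|-d|-arch) prev=''; continue ;;  # value of an option, not a target
        esac
        prev=$arg
        case "$arg" in
            -*) continue ;;
        esac
        # -f replaces the signature strip invalidated; "-s -" is ad-hoc.
        "$codesign" -f -s - "$arg" || rc=$?
    done
    return "$rc"
}

# Installed as the wrapper, forward the command line (no-op without arguments).
if [ "$#" -gt 0 ]; then
    strip_and_sign "$@"
    exit $?
fi
```

Signing only after a successful `strip` keeps a failed build step from producing a binary that looks valid, and signing the `-o` output rather than the input avoids rewriting a file `strip` never touched.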