Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

strip does ad-hoc code signatures on darwin #104

Merged
merged 2 commits into from
Aug 27, 2023
Merged

Conversation

flavorjones
Copy link
Collaborator

@flavorjones flavorjones commented Jul 13, 2023

Problem being solved

Using the osxcross strip tool invalidates the ad-hoc code signature:

/opt/osxcross/target/bin/aarch64-apple-darwin20.2-strip: warning: changes being made to the file will invalidate the code signature in: /home/flavorjones/code/oss/grpc/tmp/arm64-darwin/grpc_c/3.2.0/grpc_c.bundle

This results in the binary being unusable, see tpoechtrager/osxcross#305

Approach used

codesign installed from thefloweringash/sigtool

This PR builds and installs https://github.com/thefloweringash/sigtool to provide a /usr/bin/codesign utility in the OSX cross-compilation environment. (Note that I'm using a personal branch that fixes a bug in the Makefile, see thefloweringash/sigtool#14).

codesign_allocate made discoverable

The codesign tool relies on codesign_allocate. This tool is provided by osxcross, but is named with the toolchain prefix. To allow codesign to find it, this PR symlinks the underlying binary executable into /usr/bin/codesign_allocate.

sigtool allows setting the codesign_allocate command via environment variable CODESIGN_ALLOCATE but since the goal is to make codesign easy to use, I chose instead to symlink:

ln -s /opt/osxcross/target/bin/x86_64-apple-darwin[0-9]*-codesign_allocate /usr/bin/codesign_allocate

Also note that osxcross's aarch64-apple-darwin20.2-codesign_allocate is a symlink to the x86_64 binary, so the architecture here doesn't seem to matter.

strip behavior

This PR also provides a wrapper script for strip that will ad-hoc codesign the stripped file automatically, making strip a safe command to run.

Testing

I didn't add test coverage. Testing this seems to requires setting up a complex integration test scenario that involves a darwin test worker running a "real" version of codesign. It may even need to be apple silicon? I'm not sure. I'm also not sure the effort is worth testing a third-party tool. Let me know if you disagree or have other ideas.

@flavorjones flavorjones requested a review from larskanis July 13, 2023 13:43
@larskanis
Copy link
Member

LGTM, but I wonder if codesign could be integrated into the strip command. I already built a wrapper for the strip command for MINGW here: https://github.com/rake-compiler/rake-compiler-dock/blob/master/Dockerfile.mri.erb#L211
Similar we could wrap strip in MacOS, to return stripped and signed binaries.

@flavorjones
Copy link
Collaborator Author

I wonder if codesign could be integrated into the strip command

Oh, I love this idea. Let me go do that.

- install and configure sigtool for darwin codesigning
- create a wrapper for `strip` that also invokes codesign
@flavorjones flavorjones force-pushed the flavorjones-sigtool branch from 35cfc92 to ec38f3b Compare July 16, 2023 15:31
@flavorjones
Copy link
Collaborator Author

@larskanis Updated with a wrapper for strip on darwin.

@flavorjones
Copy link
Collaborator Author

OK, I've verified that with this PR I can create a precompiled, stripped grpc gem for both arm64-darwin and x86_64-darwin.

@larskanis unless you have objections, I'd like to merge this and cut a point release.

@larskanis
Copy link
Member

No objections. Is the strip command executed somewhere as part of our current tests?

@flavorjones
Copy link
Collaborator Author

Is the strip command executed somewhere as part of our current tests?

No, currently neither of the wrappers is being tested as part of the suite. Let me see if I can find time today to add that, and think about what a meaningful test would even look like (there's no way to validate codesigning except on a darwin machine).

@flavorjones flavorjones changed the title Install and configure sigtool for darwin codesigning Fix strip on darwin by installing and configuring sigtool Aug 10, 2023
@flavorjones flavorjones changed the title Fix strip on darwin by installing and configuring sigtool Retain code signatures during strip on darwin by installing and configuring sigtool Aug 10, 2023
@flavorjones flavorjones changed the title Retain code signatures during strip on darwin by installing and configuring sigtool strip does ad-hoc code signatures on darwin Aug 10, 2023
@flavorjones
Copy link
Collaborator Author

@larskanis I added test coverage for the "strip" wrappers.

Any other thoughts before I merge? Any objections to me cutting a patch release for this?

Copy link
Member

@larskanis larskanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, great work! Interesting approach to add strip to the extension Makefile.

@flavorjones flavorjones merged commit 9fecf91 into master Aug 27, 2023
@flavorjones flavorjones deleted the flavorjones-sigtool branch August 27, 2023 19:15
@flavorjones
Copy link
Collaborator Author

I'll cut a release in the next few days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants