[Makefile] Fix codesign of libjulia when installing it on macOS #44510

Merged: 2 commits, Mar 9, 2022

giordano (Contributor) commented Mar 8, 2022

Probably it isn't the cleanest solution possible, but it does the job for me 🙂

Fix #44502

% prefix=$(mktemp -d)
% make install prefix=$prefix
# ...
% $prefix/bin/julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.9.0-DEV.154 (2022-03-08)
 _/ |\__'_|_|_|\__'_|  |  mg/macos-codesign-install/31c7573f8f (fork: 1 commits, 0 days)
|__/                   |

julia>

giordano added the "building" (Build system, or building Julia or its dependencies) and "system:mac" (Affects only macOS) labels Mar 8, 2022
giordano requested a review from staticfloat March 8, 2022 02:15
staticfloat (Member) commented Mar 8, 2022

We don't want to use ldid, we want to use codesign, as we only use ldid in BB because we're on linux and codesign doesn't exist. :P

We have the invocation here, we basically want to do this after make install as well (on the buildbots we do make binary-dist which does make install, but then immediately re-signs again). We should probably make this a shell script that gets invoked by the makefiles, rather than a bunch of makefile rules.

EDIT: Ah, and in the case that you're building locally and don't need to redistribute (e.g. you have no codesigning key) you can still use codesign, but you need to set $(MACOS_CODESIGN_IDENTITY) to - to force ad-hoc signing.

giordano (Contributor Author) commented Mar 8, 2022

Sad for not being able to use a JLL, but I added a shell script based on what codesigning currently does in Makefile.

giordano force-pushed the mg/macos-codesign-install branch 2 times, most recently from 7b4d465 to 8a36ddf Compare March 8, 2022 23:08
giordano force-pushed the mg/macos-codesign-install branch from 8a36ddf to 348989c Compare March 8, 2022 23:19
echo "Codesigning with identity ${MACOS_CODESIGN_IDENTITY}"
for f in ${MACHO_FILES}; do
echo "Codesigning ${f}..."
codesign -s "${MACOS_CODESIGN_IDENTITY}" --option=runtime ${ENTITLEMENTS} -vvv --timestamp --deep --force "${f}"
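Review bot: In the `for f in ${MACHO_FILES}` loop and on the `codesign` line, `${MACHO_FILES}` and `${ENTITLEMENTS}` are expanded unquoted, so both go through field splitting and pathname expansion, and a path or entitlements file name containing whitespace or a glob character would reach `codesign` as the wrong arguments. Consider reading the file list line by line (`while IFS= read -r f`) and building the optional entitlements arguments with `set --` so they can be passed as "$@". The exit status of each `codesign` call is also not checked in the lines shown; unless the script runs under `set -e`, a failed signature would only be visible in the log output.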
giordano (Contributor Author) commented on the lines above:

make binary-dist worked fine in CI, yay! But I wish posix shells supported arrays, leaving ${ENTITLEMENTS} unquoted makes me uncomfortable 😞
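
The quoting concern in the comment above can be handled in plain POSIX sh by using the positional parameters as the argument list, since "$@" expands one element per argument. This is an added example, not the script merged in this pull request: `sign_one`, `sign_list`, `show_argv` and the overridable `CODESIGN` variable are hypothetical names, and it assumes the entitlements are supplied as a plist path passed through `--entitlements`.

```shell
#!/bin/sh
# Added example (not the PR's script). CODESIGN is a hypothetical override so
# the argument list can be inspected without running the real codesign.
CODESIGN=${CODESIGN:-codesign}

# Dry-run stand-in for codesign: prints every argument it receives in brackets.
show_argv() {
    for a in "$@"; do printf '[%s]' "$a"; done
    printf '\n'
}

# sign_one IDENTITY ENTITLEMENTS_PLIST FILE
# IDENTITY may be "-" for ad-hoc signing; ENTITLEMENTS_PLIST may be empty.
sign_one() {
    identity=$1 entitlements=$2 file=$3
    # "$@" is the one array POSIX sh has: rebuild it as the option list.
    set -- -s "$identity" --option=runtime -vvv --timestamp --deep --force
    if [ -n "$entitlements" ]; then
        # Assumption: entitlements are given as a plist path.
        set -- "$@" --entitlements "$entitlements"
    fi
    # Every element stays one argument, even with spaces or glob characters.
    "$CODESIGN" "$@" "$file"
}

# sign_list IDENTITY ENTITLEMENTS_PLIST   (file paths on stdin, one per line)
# Returns non-zero if any file failed to sign.
sign_list() {
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        sign_one "$1" "$2" "$f" </dev/null || rc=1
    done
    return "$rc"
}
```

Setting `CODESIGN=show_argv` before calling `sign_list` prints the exact argument vector each file would be signed with.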

giordano merged commit 8076517 into JuliaLang:master Mar 9, 2022
giordano deleted the mg/macos-codesign-install branch March 9, 2022 19:46
fxcoudert (Contributor) commented

This was only included for 1.9, and it still fails for released 1.8.0: #44502 (comment)

Could the patch be backported?

DilumAluthge added the "backport 1.8" (Change should be backported to release-1.8) label Aug 17, 2022

DilumAluthge (Member) commented

Do we also need to backport this to 1.6?

fxcoudert (Contributor) commented

> Do we also need to backport this to 1.6?

I don't think so. Julia 1.6 did not support macOS ARM (aka Apple Silicon), and on macOS Intel the binaries produced by the system compiler are not signed by default (unlike ARM, where they systematically have an ad hoc signature). So on Intel, the binary is still valid after stringreplace is run, because it's unsigned.

KristofferC pushed a commit that referenced this pull request Aug 26, 2022
* [Makefile] Fix codesign of libjulia when installing it on macOS

* Add shell script for codesigning and use it in Makefile

(cherry picked from commit 8076517)
KristofferC removed the "backport 1.8" (Change should be backported to release-1.8) label Sep 7, 2022
Labels: "building" (Build system, or building Julia or its dependencies), "system:mac" (Affects only macOS)
Successfully merging this pull request may close this issue: Invalid code signature on libjulia.1.9.dylib