Skip to content

Keg: apply ad-hoc signature on 10.15 or later#9041

Closed
mistydemeo wants to merge 1 commit intoHomebrew:masterfrom
mistydemeo:keg_apply_code_signatures
Closed

Keg: apply ad-hoc signature on 10.15 or later#9041
mistydemeo wants to merge 1 commit intoHomebrew:masterfrom
mistydemeo:keg_apply_code_signatures

Conversation

@mistydemeo
Copy link
Contributor

@mistydemeo mistydemeo commented Nov 4, 2020

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew tests with your changes locally?
  • Have you successfully run brew man locally and committed any changes?

This is an alternative to #9040. In that case, we rely on ruby-macho to apply code signatures after changing ID or install_name. Here, we instead do that ourselves so that we can choose what OS to apply it on. Like in that PR, we swallow any failures so that we don't inadvertently break more exotic packages like OpenJDK (which caused issues in #8922).

cc @MikeMcQuaid, who had suggested this as an alternate to the other path.

@mistydemeo mistydemeo force-pushed the keg_apply_code_signatures branch from b73d9b6 to 99527b6 Compare November 4, 2020 05:13
@mistydemeo
Keg: apply ad-hoc signature on 10.15 or later
14a07e1 
This is an alternative to Homebrew#9040. In that case, we rely on ruby-macho to
apply code signatures after changing ID or install_name. Here, we instead
do that ourselves so that we can choose what OS to apply it on. Like in
that PR, we swallow any failures so that we don't inadvertently break
more exotic packages like OpenJDK (which caused issues in Homebrew#8922).
@mistydemeo mistydemeo force-pushed the keg_apply_code_signatures branch from 99527b6 to 14a07e1 Compare November 4, 2020 05:23
MikeMcQuaid
MikeMcQuaid reviewed Nov 4, 2020
View reviewed changes
Library/Homebrew/os/mac/keg.rb
@require_relocation = true
odebug "Changing dylib ID of #{file}\n from #{file.dylib_id}\n to #{id}"
MachO::Tools.change_dylib_id(file, id, strict: false)
apply_ad_hoc_signature(file)
Copy link
Member

@MikeMcQuaid MikeMcQuaid Nov 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be nice to keep this logic in ruby-macho with MachO::Tools.codesign or similar which would allow replacing it with a native (i.e. not shelling out to codesign) version at some point in the future. See also: #9040 (comment)

@fxcoudert
Copy link
Member

fxcoudert commented Nov 8, 2020

Linking to discussion in #9082

@fxcoudert fxcoudert mentioned this pull request Nov 10, 2020
Merged
@fxcoudert
Copy link
Member

fxcoudert commented Nov 16, 2020

I've taken this idea, plus the consensus from the discussion in #9082, in the PR at #9102 which was merged. I think this can safely be closed.

@fxcoudert fxcoudert closed this Nov 16, 2020
@BrewTestBot BrewTestBot added the outdated PR was locked due to age label Dec 17, 2020
@Homebrew Homebrew locked as resolved and limited conversation to collaborators Dec 17, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@MikeMcQuaid MikeMcQuaid MikeMcQuaid left review comments

Assignees

No one assigned

Labels

outdated PR was locked due to age

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mistydemeo @fxcoudert @MikeMcQuaid @BrewTestBot