macOS packaging: Perform ad-hoc signing of macOS bundle by default #4774
Looks reasonable. Thank you for the detailed and helpful comments!
Could be merged after confirmed to work as expected.
Hm, so there seems to be an issue with dynamic linking here, Mixxx crashes at startup and notes that one of the libraries didn't pass the validation check:
The reason why I didn't encounter this issue on ARM was presumably that I linked the dependencies statically, circumventing the issue. I am not entirely sure why this happens with ad-hoc signatures, Team ID-based library validation doesn't make much sense there (at least I would think so). According to a thread on the Apple developer forums disabling library validation might be an option (since we're making an unsigned build this shouldn't be much of a security issue), perhaps the easiest way would be not passing entitlements at all if the signing identity is set to
Maybe we have messed up something when building the environment. Can you check if this is also an issue with the main branch and using this patch?
I am using the GitHub Actions build from this repo of this PR, so that shouldn't be the issue
Not entirely sure why I was statically linking previously either, apparently the newer 2.4+ buildenvs produce static libraries and the older ones contain dylibs, but I haven't figured out why...
We have moved from our Jenkins server with custom scripts and dynamic libraries to a vcpkg based solution which is using static builds by default.
vcpkg builds static libraries by default on macOS (and Linux) (microsoft/vcpkg#19127). The 2.3 dependencies were not built with vcpkg (https://github.com/mixxxdj/buildserver)
So it sounds like we have two options, disabling library validation for these private PR builds or merge this PR to main. I am not sure if the extra mile for a solution in the dynamic case will pay back. What do you think?
I have solved the issue now by disabling the hardened runtime (which includes library validation) if and only if an ad-hoc code signing identity is used. This should now yield the correct result in all cases, regardless of whether dynamic or static linking is used. Before merging, I would like to verify that it works with the ARM build, otherwise this should be ready for review!
Seems to work well with the ARM build too. cc @daschuer |
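The rule the thread settles on (ad-hoc identity `-` means no hardened runtime and no entitlements; a real identity gets `--options runtime` plus the entitlements file) is easy to get wrong in a packaging script, so here is an added example of that decision written as a POSIX shell script. This is not Mixxx's own CMake packaging code; the bundle path, the entitlements file name and the `Developer ID` identity string are placeholders. The `codesign` invocations are only attempted when the tool exists, so the argument-selection logic can be checked on any host.

```shell
#!/bin/sh
# Added example, not part of the Mixxx PR: pick codesign flags for a macOS
# bundle depending on whether the signing identity is ad-hoc ("-").

# Print the codesign argument list for IDENTITY, BUNDLE and ENTITLEMENTS.
# Ad-hoc ("-") signatures only carry a checksum, so enabling the hardened
# runtime would turn on library validation and reject any dylib that does
# not share a Team ID with the app; for "-" we therefore omit both the
# hardened runtime option and the entitlements file.
codesign_args() {
    identity="$1"
    bundle="$2"
    entitlements="$3"
    if [ "$identity" = "-" ]; then
        printf '%s' "--force --deep --sign - $bundle"
    else
        printf '%s' "--force --deep --options runtime --timestamp --entitlements $entitlements --sign $identity $bundle"
    fi
}

# Return 0 (true) when IDENTITY is the ad-hoc identity.
is_adhoc() {
    [ "$1" = "-" ]
}

# Sign BUNDLE and verify the result. On hosts without codesign (any
# non-macOS machine) only the command that would be run is printed.
sign_bundle() {
    identity="$1"
    bundle="$2"
    entitlements="$3"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found on this host; would run:"
        echo "codesign $(codesign_args "$identity" "$bundle" "$entitlements")"
        return 0
    fi
    # Word splitting of the argument string is intentional here
    # (placeholder paths in this example contain no spaces).
    # shellcheck disable=SC2046
    codesign $(codesign_args "$identity" "$bundle" "$entitlements") || return 1
    # Strict verification catches a bundle whose nested dylibs were not
    # re-signed, which is what made the app fail to launch in the thread.
    codesign --verify --deep --strict --verbose=2 "$bundle" || return 1
    # Show the embedded entitlements (empty for the ad-hoc case).
    codesign --display --entitlements - "$bundle" 2>/dev/null
}

# Placeholder values for a stand-alone run; replace with real paths/identity.
sign_bundle "-" "/tmp/Mixxx.app" "/tmp/entitlements.plist"
```

Running the script with `"Developer ID Application: Example Team"` as the first argument to `sign_bundle` instead of `-` selects the hardened-runtime branch; after signing, `codesign --display --verbose=4 Mixxx.app` should then list `runtime` among the flags, whereas the ad-hoc bundle should not.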
LGTM, thank you.
Starting with arm64 macOS Apple will require ad-hoc signatures, completely unsigned app bundles will no longer launch:
This branch fixes the issue by setting an ad-hoc signature, which only includes a checksum, by default if no other code signing identity is provided. With this patch, Mixxx launches normally again:
While arm64 macOS isn't officially supported by Mixxx yet, setting an ad-hoc signature on x86 too probably cannot hurt and fixing discrepancies between the x86 and arm64 builds in advance is IMO always a good idea.
Marked as a draft PR for now since I haven't tested it with the x86 build yet.