Comments (3)
roblabla
commented on August 15, 2024
I think the problem comes from as_nested_macho_settings. Essentially, in import_settings_from_macho, we set the binary_identifier for each sub-binary using the SettingsScope::MultiArchIndex scope. The problem is, this happens before the Info.plist is parsed and sets the binary_identifier at the Main scope level (as evidenced by the logs:
WARN apple_codesign::bundle_signing: signing main executable Contents/MacOS/test
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/bundle_signing.rs:574
INFO apple_codesign::signing_settings: inferring default signing settings from Mach-O binary
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/signing_settings.rs:754
INFO apple_codesign::signing_settings: preserving existing binary identifier in Mach-O
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/signing_settings.rs:809
INFO apple_codesign::signing_settings: using team ID from settings
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/signing_settings.rs:817
INFO apple_codesign::signing_settings: using code signature flags from settings
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/signing_settings.rs:828
INFO apple_codesign::bundle_signing: setting main executable binary identifier to quick.test (derived from CFBundleIdentifier in Info.plist)
at /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/apple-codesign-0.17.0/src/bundle_signing.rs:589
So we now have a SigningSettings that contains both a binary_identifier on scope Main, and binary_identifiers with scope SettingsScope::MultiArchIndex. At this point, as_nested_macho_settings, through clone_with_filter_map, will bring the binary_identifiers with the correct MultiArchIndex scope into the Main scope, potentially colliding with the one set by the Info.plist. And at that point, hell ensues.
I think the proper solution is to either parse the Info.plist first, or make it so that when we set a binary identifier with the main scope in the SigningSettings, it automatically drops those in the Multi* subscopes.
from apple-platform-rs.
roblabla
commented on August 15, 2024
FWIW: I found out about this because TCC had the weirdest behavior with my binaries. My app needs "Full Disk Access" permission, and when I'd tick the box to give it in the "Security & Privacy" preference pannel, it'd untick the next time I'd start. After a lot of debugging, I figured that those different bundle identifiers were the cause! The AArch64 binary didn't match the Info.plist, so macos was very confused about it!
from apple-platform-rs.
indygreg
commented on August 15, 2024
Thanks for filing this.
The binary identifier logic is a bit convoluted and I'm honestly not sure what the correct logic should be! I feel like someone will have to test what codesign does and then emulate that behavior in our code.
from apple-platform-rs.
Related Issues (20)
- Notarization of Electron app fails due to hardened runtime disabled HOT 10
- PackageInfo struct: minimum_system_version field should be an Option<String> instead of Option<bool>
- Support easier integration of rcodesign with other tools
- Authority unavailable when signing in github action HOT 2
- When attempting to sign an app bundle with debug symbols shipped in it, rcodesign fails to properly detect app bundle. HOT 4
- DMG reader doesn't emit proper byte count for Ignore and Zero chunks HOT 1
- The cpio-archive package doesn't appear to support building NewC archives HOT 1
- cpio-archive should support "new crc" format - same as "new ascii" but includes file checksums
- hash mismatch for apple-codesign-0.27.0-x86_64-unknown-linux-musl.tar.gz.sha256 HOT 2
- Compilation error in apple-codesign: method takes 3 generic arguments but 2 generic arguments were supplied HOT 2
- Extract PKG payload using apple-flat-package HOT 2
- Is App Store Connect API Key necessary/not replacable for notary-submit? HOT 2
- pkg signing error
- Sudden notary hanging
- Non-cach-o files sign return error(invalid magic number) and some nested bundle sign issue. HOT 2
- Rcodesign returns configuration file error even if no configuration file is supplied
- Notarization fails with s3 upload error: unhandled error HOT 1
- Notarization option --api-key-file is not configurable via configuration file
- mach-o file signing with invaild signature
- Shortcut Signing (MacOS `shortcuts` cli)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from apple-platform-rs.