[PD-dev] codesigning externals (was Re: building fluidsynth~)

IOhannes m zmoelnig zmoelnig at iem.at
Wed May 4 08:32:40 CEST 2022


On 5/3/22 17:39, Roman Haefeli wrote:
> 
> Then there is the issue with codesigning that I don't see completely
> through yet. It seems on arm64/Monterey, I automatically get signed
> binaries (adhoc signed, equivalent to 'codesign -s -') when building
> externals. However, when I apply the localdep script to such an
> external file, it cannot be loaded afterwards. Pd immediately quits as
> soon as it loads the external. An already signed binary
> cannot/should not be modified afterwards.

ah interesting.
for whatever reasons i've set up our CI to automatically sign all 
externals after building, though i always thought this to be a 
superfluous exercise (as Pd should have the permissions to load unsigned 
libraries).
nice to hear that this step is actually useful.

it seems quite obvious that changing the binary (such as changing its 
search paths for dependencies, which is what the localdeps.macos.sh 
script does) will invalidate any code signature (as the entire point of 
the code signature is to guarantee that nobody has tampered with the 
binary).

i guess that while Pd has the permission to load *unsigned* externals, 
macOS still refuses to load *signed* externals with an invalid signature.


so if indeed Monterey (or more likely: the Xcode version you are using) 
automatically does an ad-hoc signing of all produced binaries, this 
would explain the current behaviour.


it *might* be enough to just run "codesign --remove-signature"  on the 
modified binaries. if you could confirm this, i will update my localdeps 
script.

gfmadsr
IOhannes
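
Added example, not part of the original message or of localdeps.macos.sh: a post-processing step that separates the three cases discussed above (unsigned, validly signed, signed but invalidated by a later modification) and repairs only the last one, either by stripping the signature as proposed in the message or by re-applying an ad-hoc signature ('codesign -s -'). It assumes macOS with Apple's codesign in PATH; the function names and the strip/adhoc mode names are made up for this illustration.

```shell
#!/bin/sh
# Added example, not part of localdeps.macos.sh.
# Assumes macOS with Apple's codesign in PATH.

# Print "unsigned", "valid" or "invalid" for the given binary.
# Assumption: `codesign --display` fails when the file carries no signature
# at all, while `codesign --verify` fails for a missing or a broken one.
signature_state() {
    if codesign --verify "$1" >/dev/null 2>&1; then
        echo valid
    elif codesign --display "$1" >/dev/null 2>&1; then
        echo invalid
    else
        echo unsigned
    fi
}

# repair_signature MODE FILE
#   MODE=strip : drop the stale signature (the fix proposed in the thread)
#   MODE=adhoc : replace it with a fresh ad-hoc one ('codesign -s -')
# Valid or unsigned files are left untouched.
repair_signature() {
    mode=$1 file=$2
    [ "$(signature_state "$file")" = invalid ] || return 0
    case "$mode" in
        strip) codesign --remove-signature "$file" ;;
        adhoc) codesign --force --sign - "$file" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Usage: sh fixsig.sh strip|adhoc external.pd_darwin ...
if [ "$#" -ge 2 ]; then
    mode=$1; shift
    for f in "$@"; do
        repair_signature "$mode" "$f" && echo "$f: $(signature_state "$f")"
    done
fi
```

Running it after the dependency paths have been rewritten prints the resulting state of each external, so a CI log shows whether anything was left with a stale signature.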
