[PD-dev] codesigning externals (was Re: building fluidsynth~)
IOhannes m zmoelnig
zmoelnig at iem.at
Wed May 4 08:32:40 CEST 2022
On 5/3/22 17:39, Roman Haefeli wrote:
>
> Then there is the issue with codesigning that I don't see completely
> through yet. It seems on arm64/Monterey, I automatically get signed
> binaries (adhoc signed, equivalent to 'codesign -s -') when building
> externals. However, when I apply the localdep script to such an
> external file, it cannot be loaded afterwards. Pd immediately quits as
> soon as it loads the external. An already signed binary
> cannot/should not be modified afterwards.

ah interesting.

for whatever reasons i've setup our CI to automatically sign all
externals after building, though i always thought this to be a
superfluous exercise (as Pd should have the permissions to load unsigned
libraries).
nice to hear that this step is actually useful.

it seems quite obvious that changing the binary (such as changing its
search paths for dependencies, which is what the localdeps.macos.sh
script does) will invalidate any code signature (as the entire point of
the code signature is to guarantee that nobody has tampered with the
binary).

i guess that while Pd has the permission to load *unsigned* externals,
macOS still refuses to load *signed* externals with an invalid signature.

so if indeed Monterey (or more likely: the Xcode version you are using)
automatically does an ad-hoc signing of all produced binaries, this
would explain the current behaviour.

it *might* be enough to just run "codesign --remove-signature" on the
modified binaries. if you could confirm this, i will update my localdeps
script.

gfmadsr
IOhannes
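
The check-and-repair step discussed in this message, as an added example that is not part of the original post or of the localdeps script: after a binary's load paths have been edited, verify its signature and, if it no longer verifies, either re-sign ad hoc (the `codesign -s -` mentioned in the quoted text) or strip the signature (the `--remove-signature` idea above). The function name `repair_signature` and the `CODESIGN` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: put a modified Mach-O external back into a consistent
# signing state. CODESIGN is overridable (assumption) so the logic can be
# exercised with a stand-in on machines without the macOS tool.
CODESIGN="${CODESIGN:-codesign}"

# repair_signature FILE [adhoc|strip]
# Prints "unchanged", "resigned" or "stripped"; non-zero status on failure.
repair_signature() {
    _file=$1
    _mode=${2:-adhoc}
    # A binary that still verifies was not altered after it was signed.
    if "$CODESIGN" --verify "$_file" 2>/dev/null; then
        echo unchanged
        return 0
    fi
    case $_mode in
        adhoc)
            # Replace the stale signature with a fresh ad-hoc one.
            "$CODESIGN" --force --sign - "$_file" 2>/dev/null || return 1
            # Confirm the new signature covers the modified contents.
            "$CODESIGN" --verify "$_file" 2>/dev/null || return 1
            echo resigned
            ;;
        strip)
            # Drop the signature entirely, leaving an unsigned binary.
            "$CODESIGN" --remove-signature "$_file" 2>/dev/null || return 1
            echo stripped
            ;;
        *)
            echo "unknown mode: $_mode" >&2
            return 2
            ;;
    esac
}

# Usage: sh repair.sh adhoc|strip FILE...
if [ "$#" -gt 1 ]; then
    _cli_mode=$1
    shift
    for _f in "$@"; do
        printf '%s: ' "$_f"
        repair_signature "$_f" "$_cli_mode" || echo failed
    done
fi
```

Run it on each external after the dependency paths have been rewritten, so the signature (if any) is computed over the final file contents.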