rcodesign does not work with go-made binaries that use cgo; getting __LINKEDIT isn't final Mach-O segment #17
Comments
I have found this random thread I tried to put
However, that issue above should have been fixed in Go for about 7 years.
I tried "regular" Apple codesign, and it can sign the linked binary. So, the issue is on rcodesign's side.
I have simplified signing and enabled notarization in Docker with rcodesign (a Rust-based tool, fully open-source; but it does connect to Apple servers for notarization). This tool enables notarization and signing fully in Docker on any OS, so it should work in CLI too. There is some prep-work that needs to be done on the Mac OS side and on the Apple website; but after that, the signing and notarization work automatically. It's not directly relevant to this commit, but I think you can also use it on Trezor Suite; a cursory glance there tells me that Trezor Suite is using electron-notarize, which needs to be run on Mac OS; rcodesign does not need that. Note that we need to use ldflags -s because of this issue of rcodesign: https://github.com/indygreg/PyOxidizer/issues/636
Thank you for the detailed bug report! Since Apple's tooling supports this scenario and CGO is kind of popular, we should definitely try to make this work. Our logic for embedding code signatures in Mach-O binaries is somewhat conservative, as we don't want to be in the business of implementing a fully-featured Mach-O linker. That's why there are various assertions and limitations sprinkled throughout. For the sample binary you pointed me at, the Mach-O segment layout is thus:
The segment order in the Mach-O headers defines If But since in this case it is only the segment definition order that is out-of-order, I think we're fine and this is simply a case of the logic that checks the segment order looking at the definition order instead of the more semantically correct file order. I think it should be safe for us to simply update the logic that checks the segment order and this should just work. But I also wouldn't be surprised if the Mach-O rewriting code made assumptions about the segment definition order. So we need to check for that as well. Thanks again for the bug report!
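The distinction drawn above, between the order in which segment load commands are *defined* in the header and the order of their *file data*, is the whole bug. The following is an added example (not rcodesign's code, not from the issue reporter) that shows both checks side by side using Go's standard `debug/macho` parser. Because nothing on this page contains the actual segment table of the cgo binary, the Mach-O files it inspects are constructed in memory from the maintainer's description: a minimal `mach_header_64` plus `LC_SEGMENT_64` commands with no sections, symbols or code. The segment names, offsets and sizes are assumptions chosen only to reproduce the "defined out of order, but last in the file" layout; `__LINKEDIT` is used as the signature-bearing segment because that is what the issue title names.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// seg describes one LC_SEGMENT_64 of a constructed sample (not a real binary).
type seg struct {
	name            string
	fileoff, filesz uint64
}

// buildMachO assembles a minimal little-endian 64-bit Mach-O: a mach_header_64,
// one segment_command_64 per entry in the order given (this is the "definition
// order"), and zero-filled file data covering every segment's file range.
func buildMachO(segs []seg) []byte {
	const (
		magic64      = 0xfeedfacf // MH_MAGIC_64
		cpuArm64     = 0x0100000c // CPU_TYPE_ARM64
		mhExecute    = 2          // MH_EXECUTE
		lcSegment64  = 0x19       // LC_SEGMENT_64
		segCmdSize   = 72         // sizeof(segment_command_64) with nsects == 0
		headerSize64 = 32         // sizeof(mach_header_64)
	)
	le := binary.LittleEndian
	var buf bytes.Buffer
	// magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
	hdr := []uint32{magic64, cpuArm64, 0, mhExecute, uint32(len(segs)), uint32(segCmdSize * len(segs)), 0, 0}
	for _, v := range hdr {
		binary.Write(&buf, le, v)
	}
	end := uint64(headerSize64 + segCmdSize*len(segs))
	for _, s := range segs {
		var name [16]byte
		copy(name[:], s.name)
		binary.Write(&buf, le, uint32(lcSegment64))
		binary.Write(&buf, le, uint32(segCmdSize))
		buf.Write(name[:])
		binary.Write(&buf, le, s.fileoff) // vmaddr (reuse fileoff; irrelevant here)
		binary.Write(&buf, le, s.filesz)  // vmsize
		binary.Write(&buf, le, s.fileoff) // fileoff
		binary.Write(&buf, le, s.filesz)  // filesize
		binary.Write(&buf, le, uint32(7)) // maxprot
		binary.Write(&buf, le, uint32(5)) // initprot
		binary.Write(&buf, le, uint32(0)) // nsects
		binary.Write(&buf, le, uint32(0)) // flags
		if s.fileoff+s.filesz > end {
			end = s.fileoff + s.filesz
		}
	}
	out := make([]byte, end)
	copy(out, buf.Bytes())
	return out
}

// segments returns the LC_SEGMENT_64 commands in load-command (definition) order.
func segments(f *macho.File) []*macho.Segment {
	var out []*macho.Segment
	for _, l := range f.Loads {
		if s, ok := l.(*macho.Segment); ok {
			out = append(out, s)
		}
	}
	return out
}

// linkeditLastByDefinition is the strict check: __LINKEDIT must be the last
// segment load command in the header. This is what rejects the cgo binary.
func linkeditLastByDefinition(f *macho.File) bool {
	segs := segments(f)
	return len(segs) > 0 && segs[len(segs)-1].Name == "__LINKEDIT"
}

// linkeditLastByFileOffset is the semantically relevant check for appending a
// code signature: no other segment may own file bytes at or past __LINKEDIT's
// start, because the signature blob is appended to __LINKEDIT's file range.
func linkeditLastByFileOffset(f *macho.File) bool {
	var le *macho.Segment
	for _, s := range segments(f) {
		if s.Name == "__LINKEDIT" {
			le = s
			break
		}
	}
	if le == nil {
		return false
	}
	for _, s := range segments(f) {
		if s == le || s.Filesz == 0 { // __PAGEZERO occupies no file bytes
			continue
		}
		if s.Offset+s.Filesz > le.Offset {
			return false
		}
	}
	return true
}

// checkLinkedit parses raw and reports the result of both checks.
func checkLinkedit(raw []byte) (byDefinition, byFileOrder bool, err error) {
	f, err := macho.NewFile(bytes.NewReader(raw))
	if err != nil {
		return false, false, err
	}
	return linkeditLastByDefinition(f), linkeditLastByFileOffset(f), nil
}

func main() {
	// Constructed to mimic the report: __LINKEDIT is defined before __DATA in
	// the load commands, but its file data is still last in the file.
	cgoStyle := buildMachO([]seg{
		{"__PAGEZERO", 0, 0}, {"__TEXT", 0, 0x1000}, {"__LINKEDIT", 0x2000, 0x100}, {"__DATA", 0x1000, 0x1000},
	})
	byDef, byFile, err := checkLinkedit(cgoStyle)
	fmt.Printf("definition-order check: %v, file-order check: %v, err: %v\n", byDef, byFile, err)
}
```

The third sample in the test below is the reverse situation: `__LINKEDIT` is defined last but `__DATA` owns bytes beyond it, so the definition-order check passes while appending a signature would actually corrupt `__DATA`. That is the case a file-order check catches and a definition-order check does not.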
I did not upload the binary signed with Apple's own codesign; I don't want to do that as there is info I don't want to share (sorry). But you can do that yourself :)
rcodesign does not work on binaries, built with go, that use cgo.
To reproduce:
GOOS=darwin GOARCH=arm64 go build
https://github.com/igor-hnizdo/cgo-example
OR
get the binary from here
https://github.com/igor-hnizdo/cgo-example/releases/tag/v1
rcodesign sign --p12-file <file> --p12-password-file <password> --code-signature-flags runtime cgo-example
expected:
everything works.
What I got: