codesign replaces symbolic link with the actual file when signing #10

bkpoon opened this issue Apr 19, 2022 · 1 comment

bkpoon commented Apr 19, 2022

This issue came up with the conda-forge package of wxpython on Apple Silicon (conda-forge/wxpython-feedstock#74). The copies of the libraries after signing would cause runtime issues.

One way to reproduce the issue is to copy a library, make a symbolic link, and then try signing the symbolic link.

mkdir test
cd test
cp /usr/lib/ssh-keychain.dylib .
ln -s ssh-keychain.dylib another_lib.dylib

The files should now look like

  0 lrwxr-xr-x  1 bkpoon  staff    18B Apr 19 12:20 another_lib.dylib -> ssh-keychain.dylib
560 -rwxr-xr-x  1 bkpoon  staff   278K Mar 26 00:21 ssh-keychain.dylib

Now try signing with

codesign -s - -f another_lib.dylib

and the files become

496 -rwxr-xr-x  1 bkpoon  staff   245K Apr 19 12:21 another_lib.dylib
560 -rwxr-xr-x  1 bkpoon  staff   278K Mar 26 00:21 ssh-keychain.dylib

For this particular example, the -f is needed because a signature already exists, but the behavior is the same for a file that does not already have a signature and the -f flag is omitted.

Can a check for symbolic links be added so that they are not replaced when signing? Thanks!

bkpoon commented Apr 19, 2022

Also, the codesign command I tested is from conda-forge (sigtool-0.1.3-h7747421_0).
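
A guard for build scripts affected by the behaviour reported above, as an added example that is not part of the issue or of sigtool: it signs only regular files, so a link such as `another_lib.dylib` is never handed to the signer, and it fails if the symlink layout differs after signing. `SIGN_CMD`, `list_symlinks` and `sign_tree` are names assumed for this example; the default command uses the flags quoted in the issue.

```shell
#!/bin/sh
# Added example, not from the issue or from sigtool.
# SIGN_CMD is an assumed hook; the default uses the flags quoted in the issue.
SIGN_CMD=${SIGN_CMD:-"codesign -s - -f"}

# Print "path -> target" for every symbolic link under a directory, sorted.
list_symlinks() {
    find "$1" -type l | sort | while IFS= read -r link; do
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# Sign each library under a directory exactly once.
# find -type f does not follow links, so a link such as another_lib.dylib
# is never passed to the signer; its target is signed under its real name.
# Returns 1 if the signer fails, 2 if any symlink was replaced or retargeted.
sign_tree() {
    dir=$1
    before=$(list_symlinks "$dir")
    # sort consumes the whole listing before signing starts, so files the
    # signer creates or rewrites cannot be picked up a second time.
    find "$dir" -type f \( -name '*.dylib' -o -name '*.so' \) | sort | (
        while IFS= read -r lib; do
            $SIGN_CMD "$lib" || exit 1
        done
    ) || return 1
    after=$(list_symlinks "$dir")
    if [ "$before" != "$after" ]; then
        echo "sign_tree: symlink layout changed under $dir" >&2
        return 2
    fi
    return 0
}
```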
