This repository has been archived by the owner on Jan 13, 2024. It is now read-only.

Commit

Ad-hoc sign the fabricator binary temporarily to generate bytecode on macOS

The fetched/built base binaries MUST NOT have an existing signature if we
want to sign the final executable. However, we do need to run the base binary
to generate bytecode on macOS, and the binary has to be signed due to the new
mandatory signing requirement.

This change ad-hoc signs the base binary to allow pkg to generate bytecode on
macOS.
jesec committed May 5, 2021
1 parent 567ff46 commit 00a3e2e
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions lib/index.ts
@@ -1,5 +1,6 @@
/* eslint-disable require-atomic-updates */

import assert from 'assert';
import { execSync } from 'child_process';
import {
existsSync,
Expand All @@ -9,10 +10,11 @@ import {
stat,
readFileSync,
writeFileSync,
copyFileSync,
} from 'fs-extra';
import { need, system } from 'pkg-fetch';
import assert from 'assert';
import minimist from 'minimist';
import { need, system } from 'pkg-fetch';
import os from 'os';
import path from 'path';

import { log, wasReported } from './log';
Expand Down Expand Up @@ -564,6 +566,15 @@ export async function exec(argv2: string[]) {
if (f && bytecode) {
f.binaryPath = await needViaCache(f as NodeTarget);

if (f.platform === 'macos') {
// ad-hoc sign the base binary temporarily to generate bytecode
// due to the new mandatory signing requirement
const signedBinaryPath = `${f.binaryPath}-signed`;
copyFileSync(f.binaryPath, signedBinaryPath);
execSync(`codesign --sign - ${signedBinaryPath}`);
f.binaryPath = signedBinaryPath;
}

if (f.platform !== 'win') {
await plusx(f.binaryPath);
}
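Review bot: the `execSync` call on the `codesign --sign -` line interpolates `signedBinaryPath` into a shell command string without quoting, so a cache path containing a space or a shell metacharacter either breaks the signing step or is interpreted by the shell. Passing the path as an argument instead, for example `execFileSync('codesign', ['--sign', '-', signedBinaryPath])`, avoids the shell entirely. The comment also calls the signing temporary, but nothing in this hunk removes the `-signed` copy, and `f.binaryPath` keeps pointing at it for everything that runs after this block. Deleting the copy once bytecode generation is done, or restoring the original path, would match what the comment and the commit message describe.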