From 0b55f9adba1f52d2aed171ca902d44fffa114af0 Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Wed, 5 May 2021 19:27:11 +0800
Subject: [PATCH] Ad-hoc sign the fabricator binary temporarily to generate bytecode on macOS
The fetched/built base binaries MUST NOT have an existing signature if we want to sign the final executable. However, we do need to run the base binary to generate bytecode on macOS, and the binary has to be signed due to the new mandatory signing requirement. This change ad-hoc signs the base binary to allow pkg to generate bytecode on macOS.
---
 lib/index.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/index.ts b/lib/index.ts
index 095778bc8..968176bf7 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -1,5 +1,6 @@
 /* eslint-disable require-atomic-updates */
+import assert from 'assert';
 import { execSync } from 'child_process';
 import {
 existsSync,
@@ -9,10 +10,10 @@ import {
 stat,
 readFileSync,
 writeFileSync,
+ copyFileSync,
 } from 'fs-extra';
-import { need, system } from 'pkg-fetch';
-import assert from 'assert';
 import minimist from 'minimist';
+import { need, system } from 'pkg-fetch';
 import path from 'path';
 import { log, wasReported } from './log';
@@ -564,6 +565,16 @@ export async function exec(argv2: string[]) {
 if (f && bytecode) {
 f.binaryPath = await needViaCache(f as NodeTarget);
+ if (f.platform === 'macos') {
+ // ad-hoc sign the base binary temporarily to generate bytecode
+ // due to the new mandatory signing requirement
+ const signedBinaryPath = `${f.binaryPath}-signed`;
+ await remove(signedBinaryPath);
+ copyFileSync(f.binaryPath, signedBinaryPath);
+ execSync(`codesign --sign - ${signedBinaryPath}`);
+ f.binaryPath = signedBinaryPath;
+ }
+
 if (f.platform !== 'win') {
 await plusx(f.binaryPath);
 }
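Review bot: In the new macOS branch of the third hunk, the `execSync` call interpolates `signedBinaryPath` into a shell command string, so a cache location containing spaces or shell metacharacters would either break signing or be interpreted by the shell. Passing the arguments as an array avoids the shell entirely: `execFileSync('codesign', ['--sign', '-', signedBinaryPath]);`, with `execFileSync` added to the `child_process` import in the first hunk. The signed copy is also written to a fixed sibling name (the binary path plus `-signed`) and is not removed within the visible lines, so two pkg runs sharing one cache could presumably race on the remove/copy/sign sequence; a per-run temporary name, deleted after bytecode generation, would avoid that. The body of `exec` starts and ends outside this hunk, so how `f.binaryPath` is derived and whether the copy is cleaned up later cannot be confirmed from here.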