Details
- Task
- Resolution: Unresolved
- P3: Somewhat important
- 6.3.0 Beta2
Description
macdeployqt uses install_name_tool to modify the rpaths embedded in the binaries / frameworks / libraries it processes.
On Arm Macs such as the M1, if one of the processed binaries has an explicit signature (not an ad-hoc one added implicitly by the linker), using install_name_tool will break the signature.
Running the app will then fail (killed).
Console shows:
```
CODE SIGNING: process 86140[app]: rejecting invalid page at address 0x104324000 from offset 0x0 in file "~/small_app_and_lib_signed/build/app.app/Contents/Frameworks/Core.framework/Versions/A/Core" (cs_mtime:1647280809.427209526 == mtime:1647280809.427209526) (signed:1 validated:1 tainted:1 nx:0 wpmapped:0 dirty:0 depth:0)
```
This can be fixed by calling macdeployqt with the -codesign option, which will override the broken signature with a new valid one.
It would be nice if macdeployqt detected this situation and exited early, telling the user they should rerun macdeployqt with -codesign.
Sample CMake project to reproduce the issue without Qt and macdeployqt on an M1 Mac:
```cmake
cmake_minimum_required(VERSION 3.16)
project(proj)

set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)

# Shared library built as Core.framework inside the app bundle.
file(GENERATE OUTPUT "core.cpp" CONTENT "\
int foo() { return 0; }")
add_library(Core SHARED core.cpp)
set_target_properties(Core PROPERTIES
    FRAMEWORK 1
    LIBRARY_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/app.app/Contents/Frameworks"
)

# Application bundle that links against the framework.
file(GENERATE OUTPUT "main.cpp" CONTENT "\
extern int foo();
int main(int, char**) { int a = foo(); return 0; }")
add_executable(app MACOSX_BUNDLE main.cpp)
target_link_libraries(app PRIVATE Core)

set(core_path ${CMAKE_BINARY_DIR}/app.app/Contents/Frameworks/Core.framework/Core)

# Step 1: remove the test rpath left over from a previous build, if any.
add_custom_target(clean_rpath ALL
    COMMAND sh -c "install_name_tool -delete_rpath foo ${core_path} || /usr/bin/true"
    VERBATIM
)
add_dependencies(clean_rpath Core app)

# Step 2: replace the linker's implicit signature with an explicit one.
add_custom_target(sign ALL
    COMMAND codesign -vvv --sign - --force "${CMAKE_BINARY_DIR}/app.app/Contents/Frameworks/Core.framework/Core"
    VERBATIM
)
add_dependencies(sign clean_rpath)

# Step 3: modify the signed binary, which breaks the explicit signature.
add_custom_target(modify ALL
    COMMAND sh -c "install_name_tool -add_rpath foo ${core_path} || /usr/bin/true"
    VERBATIM
)
add_dependencies(modify sign)
```
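One way to do the early detection requested in the description, as an added example that is not part of the original report or of macdeployqt: classify the output of `codesign -dv` so that a file carrying an explicit signature is flagged before install_name_tool touches it. The function names and the three sample outputs are constructed for illustration; the check relies on the `linker-signed` flag that codesign reports for signatures the linker added implicitly.

```shell
#!/bin/sh
# Reads `codesign -dv` text on stdin and prints one of:
#   unsigned       no signature at all
#   linker-signed  ad-hoc signature added implicitly by the linker
#   explicit       signature applied with codesign (ad-hoc or identity)
#   unknown        output not recognised
classify_signature() {
    awk '
        /not signed at all/ { state = "unsigned" }
        /^CodeDirectory /   {
            state = ($0 ~ /flags=[^ ]*linker-signed/) ? "linker-signed" : "explicit"
        }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Hypothetical pre-flight check for one Mach-O file (macOS only): returns 1
# when an rpath edit would leave an explicit signature invalid.
check_before_rpath_edit() {
    # codesign writes its -d output to stderr, hence 2>&1.
    kind=$(codesign -dv "$1" 2>&1 | classify_signature)
    if [ "$kind" = "explicit" ]; then
        echo "$1: explicitly signed; rerun macdeployqt with -codesign" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs (paths, sizes and hash counts are made up).
SAMPLE_LINKER='Executable=/tmp/build/app.app/Contents/Frameworks/Core.framework/Versions/A/Core
Identifier=Core
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=262 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded
Signature=adhoc'

SAMPLE_EXPLICIT='Executable=/tmp/build/app.app/Contents/Frameworks/Core.framework/Versions/A/Core
Identifier=Core
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=326 flags=0x2(adhoc) hashes=5+2 location=embedded
Signature=adhoc'

SAMPLE_UNSIGNED='/tmp/build/Core.framework/Versions/A/Core: code object is not signed at all'

# Check every file given on the command line; stop at the first explicit signature.
for f in "$@"; do
    check_before_rpath_edit "$f" || exit 1
done
```

Both an ad-hoc signature made with `codesign --sign -` and an identity-based one classify as `explicit`; only the linker's own signature carries the `linker-signed` flag.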
Issue Links
- relates to QTBUG-101696: Consider dependencies that start with @loader_path for code signing when using -executable option (Reported)