Call codesign after artifact substitution on macos

[emillon]

Closes #5650

For future reference:

• Technical Note TN2206 - macOS Code Signing In Depth
• documentation of adhoc
• open source implementation of codesign - in particular see this part about ad-hoc mode

[Blaisorblade]

Thanks for putting this together — this is encouraging!

I found a relevant failing testcase in main (using promotion), and tested it with this patch; I still get a SIGSEGV running hello.exe, and codesign says that one copy of hello.exe is invalid and one is signed — IIUC, the promoted copy is invalid:

$ codesign -vv _build/.sandbox/7100408e722289ef78bb707a62e7dc76/default/test/blackbox-tests/test-cases/promote/hello.exe
_build/.sandbox/7100408e722289ef78bb707a62e7dc76/default/test/blackbox-tests/test-cases/promote/hello.exe: invalid signature (code or signature have been modified)
In architecture: arm64
$ codesign -vv _build/.sandbox/7100408e722289ef78bb707a62e7dc76/default/test/blackbox-tests/test-cases/promote/_build/default/hello.exe
_build/.sandbox/7100408e722289ef78bb707a62e7dc76/default/test/blackbox-tests/test-cases/promote/_build/default/hello.exe: valid on disk
_build/.sandbox/7100408e722289ef78bb707a62e7dc76/default/test/blackbox-tests/test-cases/promote/_build/default/hello.exe: satisfies its Designated Requirement

Full logs here: https://gist.github.com/Blaisorblade/ca97b3c117798832a19fbcb7f7d51efb.

Two unfortunate notes:

• Some other failures on Mac remain and some of those might be unrelated.
• I'm traveling so I might not respond promptly.

[emillon]

It's weird, it looks like target promotion should already use the copy_file path through ~promote_source...
Note to self: OTOH, bin/install_uninstall.ml does not use this, and is doing non-atomic copies at the moment.

[Et7f3]

Random note: codesign isn't reproductible. So the non signed binary should be preserved in the cache.

[emillon]

Random note: codesign isn't reproductible. So the non signed binary should be preserved in the cache.

I understand that the signature is going to be different every time, but the signature is stored in a xattr or something, right? I don't think we're considering that piece of data when computing the hash. So it doesn't matter if the signature is fresh or comes from the cache.

(and if this is an issue, it's an issue for "normal" binaries too, since a freshly linked binary is going to have a different signature from one pulled from the cache)

[emillon]

Hmm, I might be mistaken. According to some docs, the signature is part of the mach-o file. It's in a xattr just for non-mach-o binaries. So there might be something to do for the cache in general.

[emillon]

I now have access to a M1 machine. I fixed a couple issues and now the main testsuite is passing! There are still issues with the fsevents tests but they're disabled in CI so that's less of an issue.

[Blaisorblade]

There are still issues with the fsevents tests but they're disabled in CI so that's less of an issue.

Can you disabile them from dune test or document what to run on M1?

[emillon]

Can you disabile them from dune test or document what to run on M1?

One hacky way of doing that is by running CI=true make test. I'd like to fix this issue too but I have not identified the cause yet.

[Blaisorblade]

Thanks! I confirm that this MR + unset DUNE_CACHE + CI=true make test gives me a successful test run!

[emillon]

Regarding reproducibility of code signing: my understanding is that ad-hoc signatures are not signatures in the cryptographic sense - they only record a hash of the data that would be signed. So the process of calling codesign -s - on a binary is reproducible.

For future reference:

• Technical Note TN2206 - macOS Code Signing In Depth
• documentation of adhoc
• open source implementation of codesign - in particular see this part about ad-hoc mode

[emillon]

The fsevent thing is unrelated, I'll open a new issue (edit: it's #6151).

[bobot]

Thank you a lot for tackling this issue. Just a little needed change (if you agree that it is needed 😸 )

[rgrinberg]

LGTM

[correnson]

✅ Tested on my mac M1: works perfectly!