From 1733a6851324286ffb35bd7d406916a8af035528 Mon Sep 17 00:00:00 2001 From: geekinney Date: Sun, 3 May 2026 21:06:04 +0800 Subject: [PATCH] xtask: re-sign binaries after pdump fingerprint patch on macOS Patching the pdump fingerprint modifies the executable image in-place, which invalidates the macOS code signature. Without a valid signature the kernel sends SIGKILL (signal 9) when the binary is executed during the pbootstrap and pdump steps. After copy_executable_role_images copies the patched final_bin to the temacs and bootstrap roles, re-sign all three binaries with an ad-hoc signature (codesign --sign -) so the kernel accepts them. Fixes build failure on Apple Silicon: error: command failed with status signal: 9 (SIGKILL): neomacs-temacs --batch -l loadup --temacs=pbootstrap --- xtask/src/main.rs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/xtask/src/main.rs b/xtask/src/main.rs index 0ad2b3eaa..5292846fa 100644 --- a/xtask/src/main.rs +++ b/xtask/src/main.rs @@ -386,6 +386,26 @@ fn run_fresh_build(options: &FreshBuildOptions) -> Result<()> { patch_primary_executable_fingerprint(options, &paths)?; copy_executable_role_images(options, &paths)?; + // macOS: re-sign all role binaries after patching. Patching the pdump + // fingerprint modifies the executable image in-place, which invalidates + // the code signature. Without a fresh ad-hoc signature the kernel sends + // SIGKILL when the binary is executed (exit status: signal 9). + #[cfg(target_os = "macos")] + { + for bin in [&paths.temacs, &paths.bootstrap, &paths.final_bin] { + if bin.exists() { + let status = std::process::Command::new("codesign") + .args(["--force", "--sign", "-", bin.to_str().unwrap()]) + .status()?; + if !status.success() { + return Err( + format!("codesign failed on {}", bin.display()).into() + ); + } + } + } + } + if !options.dry_run { ensure_binaries_exist(&paths)?; }