Merged
20 changes: 20 additions & 0 deletions xtask/src/main.rs
Expand Up @@ -386,6 +386,26 @@ fn run_fresh_build(options: &FreshBuildOptions) -> Result<()> {
patch_primary_executable_fingerprint(options, &paths)?;
copy_executable_role_images(options, &paths)?;

// macOS: re-sign all role binaries after patching. Patching the pdump
// fingerprint modifies the executable image in-place, which invalidates
// the code signature. Without a fresh ad-hoc signature the kernel sends
// SIGKILL when the binary is executed (exit status: signal 9).
#[cfg(target_os = "macos")]
{
for bin in [&paths.temacs, &paths.bootstrap, &paths.final_bin] {
if bin.exists() {
let status = std::process::Command::new("codesign")
.args(["--force", "--sign", "-", bin.to_str().unwrap()])
.status()?;
if !status.success() {
return Err(
format!("codesign failed on {}", bin.display()).into()
);
}
}
}
}
Comment on lines +389 to +407

medium

The current implementation for re-signing binaries on macOS has a few issues that should be addressed to maintain consistency with the rest of the build pipeline:

  1. Dry Run Support: It does not respect the options.dry_run flag. A dry run should print the commands that would be executed without actually running them. Currently, this block either executes the command or does nothing, without informing the user.
  2. Consistency: The project uses a run_command helper (line 2334) to manage external process execution, including logging and error reporting. Bypassing it here leads to inconsistent output and error handling.
  3. Robustness: Using bin.to_str().unwrap() is risky as it will panic if a path contains invalid UTF-8. Using OsString via the run_command interface is safer and more idiomatic in Rust.

Leveraging the existing helpers will resolve these issues and ensure the build script behaves predictably.

    // macOS: re-sign all role binaries after patching.  Patching the pdump
    // fingerprint modifies the executable image in-place, which invalidates
    // the code signature.  Without a fresh ad-hoc signature the kernel sends
    // SIGKILL when the binary is executed (exit status: signal 9).
    #[cfg(target_os = "macos")]
    {
        let codesign = tool_program("codesign");
        for bin in [&paths.temacs, &paths.bootstrap, &paths.final_bin] {
            if options.dry_run || bin.exists() {
                run_command(
                    options,
                    &options.repo_root,
                    &codesign,
                    &[
                        OsString::from("--force"),
                        OsString::from("--sign"),
                        OsString::from("-"),
                        bin.as_os_str().to_os_string(),
                    ],
                    &[],
                )?;
            }
        }
    }


if !options.dry_run {
ensure_binaries_exist(&paths)?;
}
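
Review bot: `std::process::Command::new("codesign")` inside the `for bin in [...]` loop resolves the tool through PATH, so whichever `codesign` comes first on the build user's PATH is what gets to rewrite the signature on temacs, bootstrap and the final binary. Invoking the system tool by absolute path (`/usr/bin/codesign` on macOS) removes that dependency on the caller's environment. Separately, `--force --sign -` replaces whatever signature the binary already carries with an ad-hoc one that has no signing identity; the comment above the block explains why re-signing is needed but should also say that an image meant for distribution has to be signed again with a real identity after this step. The block also runs unconditionally, while the very next statement is gated on `!options.dry_run`, so a dry run would still modify the binaries on disk.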