Fix deployment of keepassxc-cli and keepassxc-proxy and the autotype plugin #7479
Conversation
alcroito
force-pushed
the
fix_macos_cli_rpath_embedding
branch
from
e124b2b
to
9166373
Compare
alcroito
changed the title
|
Thanks. The same procedure should probably be applied here as well: keepassxc/src/autotype/mac/CMakeLists.txt Lines 8 to 13 in 2423bed Also, do you have any idea why it works for the main binary? Lines 409 to 413 in 4f07103 I am also confused about what has changed for this to be a problem at all. The |
I guess i'll introduce a function to reuse the logic.
I didn't investigate. If this is a recent regression, maybe i can bisect to see when it broke and figure out why. |
This is what I wondered as well. It always worked for the main binary, even with package or without. |
alcroito
force-pushed
the
fix_macos_cli_rpath_embedding
branch
from
9166373
to
50d717f
Compare
|
So i went ahead and investigated what's going on. The commit message has the full explanation.
The main binary does not do any The |
alcroito
changed the title
|
Note that while the current PR fixes the immediate issue, there is potential for improvement by delaying the macdeployqt call on the main app to install time. |
I can say with certainty that that is not the case. First, because I tested it and the paths were fixed. And secondly because users would have been unable to use KeePassXC-Browser or the CLI on macOS. |
That's my assessment at least, you are free to think otherwise :) I confirmed it by checking out the commit that introduced the usage of macdeployqt and doing a clean build and .dmg using it I also tried the commit before it, which directly called install_name_tool -change instead of macdeployqt. I did not try using older CMake versions, but I am skeptical that CMake/cpack changed their behavior / order of installation for .dmg creation. If you still don't believe my assessment, you can try checking out that commit and do a .dmg build yourself. I would be happy to be proven wrong, in which case we'd have more data on whether this is somehow depended on the environment.
Yes, they would have been unable to use them. But how many users were using a 2.7.0 .dmg snapshot? Was there any snapshot up until recently? Wouldn't most testers build it from source, and not use the .dmg? |
|
I believe your assessment FWIW |
|
The issue was originally posted against 2.6.4 (#6042) and we definitely fixed it for follow-up stable versions (we kind of skipped 2.6.5 iirc, but 2.6.6 most certainly works). But you are right, this has apparently never been backported to the branch. The master branch still has the manual install_name_tool fixes. |
|
@phoerious ready to merge this? |
|
Go for it. |
CPack by default invokes the 'make install' target to install all project files into a staging area for further packaging. The order of installation follows the order of install() commands. One of the first install() commands is the one that installs the KeePassXC.app bundle and all the contents inside of it, which includes POST_BUILD copied binaries like keepassxc-cli and keepassxc-proxy. Subsequent install(TARGETS) commands would then override the keepassxc-cli and keepassxc-proxy binaries inside the staging area with the ones which didn't have macdeployqt run on them (the ones from src/cli and src/proxy). Launching the binaries would then fail because of missing rpath adjustments. The libkeepassxc-autotype-cocoa.so library was working fine because there is no install(TARGETS) command for it in a WITH_APP_BUNDLE build, so the POST_BUILD copy with the adjusted rpaths was preserved. To fix the issue and make the handling consistent, macdeployqt is no longer run at POST_BUILD time, but instead at 'make install' time, after each binary is installed by install(TARGETS). libkeepassxc-autotype-cocoa.so also has its install command run unconditionally now. The build dir binaries that are POST_BUILD copied into src/KeePassXC.app continue to run because they use the build dir rpaths that CMake embeds by default. They don't macdeployqt run for them anymore, which slightly speeds up the build time. Fixes: keepassxreboot#7475
droidmonkey
force-pushed
the
fix_macos_cli_rpath_embedding
branch
from
50d717f
to
db7bbb2
Compare
|
@droidmonkey @alcroito I think we have to revert this and find another solution. The patch made it impossible to run the binary on the fly on macOS, because of signature mismatches. Running the binary through the debugger is already the only way to start KeePassXC from my IDE on ARM64, but with this patch even that doesn't work anymore. |
|
Ahhh so that's why appbundle was crashing on me... |
|
Yes, all binaries are signed locally and modifications create signature mismatches. I tested #7509 and it fixes the issue by deferring such changes until install time, which allows me to run binaries from my IDE again. I guess that settles it. In fact, it's even better than before, because I can finally run it without the debugger again. Previously, running KeePassXC from my IDE without the debugger would crash with a signature error. |
|
Seems like you can also run the binary from the local build directory directly again with the post-install method, but not from the DMG generated by |
|
Do you observe these issues only on an m1 mac? What's the exact error you get, so I can know what to look out for. Also, which ad-hoc signing are you referring to? Afaik ad-hoc signing is done by the linker when linking the binaries / shared libraries. |
|
The linker adds an ad-hoc signature, but when you patch a binary's rpath, the hash doesn't match anymore, so Apple Silicon Macs will kill the process immediately. Luckily, with your follow-up PR, it's only a problem with the binaries installed into a bundle, not with the binaries inside the build dir. |
Fixes: #7475
Testing strategy
Tested manually
Type of change