Fake sign darwin arm64 binaries using ldid

lucor · Mar 9, 2021 · f9ae7eb · f9ae7eb
1 parent 705254e
commit f9ae7eb
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/internal/command/darwin.go b/internal/command/darwin.go
@@ -127,6 +127,14 @@ func (cmd *Darwin) Run() error {
 				return err
 			}
 
+			if ctx.Architecture == ArchArm64 {
+				// arm64 arch requires that executables are signed (using any signature).
+				err = darwinSignBinary(ctx)
+				if err != nil {
+					return err
+				}
+			}
+
 			packageName = fmt.Sprintf("%s.app", ctx.Name)
 			srcFile = volume.JoinPathHost(ctx.TmpDirHost(), ctx.ID, packageName)
 

diff --git a/internal/command/docker.go b/internal/command/docker.go
@@ -373,3 +373,33 @@ func pullImage(ctx Context) error {
 	log.Infof("[✓] Image is up to date")
 	return nil
 }
+
+// darwinSignBinary fake signs ARM binaries
+// with ldid tool provided by osxcross
+func darwinSignBinary(ctx Context) error {
+	log.Infof("[i] Signing arm64 binary using a fake certificate...")
+
+	if ctx.OS != darwinOS || ctx.Architecture != ArchArm64 {
+		return fmt.Errorf("binary signing is supported only for darwin arm64")
+	}
+
+	bin := volume.JoinPathContainer(ctx.BinDirContainer(), ctx.ID, ctx.Name)
+	args := []string{"ldid", "-S", bin}
+
+	// workDir default value
+	workDir := ctx.WorkDirContainer()
+
+	runOpts := Options{
+		CacheEnabled: ctx.CacheEnabled,
+		WorkDir:      workDir,
+		Debug:        ctx.Debug,
+		Env:          ctx.Env,
+	}
+
+	err := Run(ctx.DockerImage, ctx.Volume, runOpts, args)
+	if err != nil {
+		return fmt.Errorf("could not sign the binary %s,  %v", bin, err)
+	}
+	log.Infof("[✓] Signed binary: %s", bin)
+	return nil
+}