fix: use codesign -f to replace existing signature

When using dune in macOS + nix, the nix tooling adds a codesigning hook so when dune goes to sign files after substitution there is already an existing signature which fails the build as could be seen in the failure of the promote-only-when-needed test. The failure can be avoided by providing the -f option to codesign which will replace any existing signatures on the file. However, when -f is used and a signature is replaced, codesign prints a message that it is replacing the existing signature. This additional message pollutes dune's output and causes spurious failures of the cram tests on macOS + nix. This secondary negative effect is eliminated by running the codesign tool with output swallowed as long as the tool runs successfully. Fixes #6365 Signed-off-by: Geoff Reedy <geoff@programmer-monk.net>
ocaml · Feb 24, 2023 · 9e29176 · 9e29176
1 parent 6fa1a17
commit 9e29176
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/dune_rules/artifact_substitution.ml b/src/dune_rules/artifact_substitution.ml
@@ -52,7 +52,13 @@ type conf =
   }
 
 let mac_codesign_hook ~codesign path =
-  Process.run ~display:Quiet Strict codesign [ "-s"; "-"; Path.to_string path ]
+    let stdout_to =
+      Process.Io.make_stdout Execution_parameters.Action_output_on_success.Swallow
+    in
+    let stderr_to =
+      Process.Io.make_stderr Execution_parameters.Action_output_on_success.Swallow
+    in
+    Process.run ~stdout_to ~stderr_to ~display:Quiet Strict codesign [ "-f"; "-s"; "-"; Path.to_string path ]
 
 let sign_hook_of_context (context : Context.t) =
   let config = context.ocaml_config in