From 9e29176f21060f749b1090bd51151264db3b0687 Mon Sep 17 00:00:00 2001 From: Geoff Reedy Date: Fri, 24 Feb 2023 16:36:34 -0700 Subject: [PATCH] fix: use codesign -f to replace existing signature When using dune in macOS + nix, the nix tooling adds a codesigning hook so when dune goes to sign files after substitution there is already an existing signature which fails the build as could be seen in the failure of the promote-only-when-needed test. The failure can be avoided by providing the -f option to codesign which will replace any existing signatures on the file. However, when -f is used and a signature is replaced, codesign prints a message that it is replacing the existing signature. This additional message pollutes dune's output and causes spurious failures of the cram tests on macOS + nix. This secondary negative effect is eliminated by running the codesign tool with output swallowed as long as the tool runs successfully. Fixes #6365 Signed-off-by: Geoff Reedy --- src/dune_rules/artifact_substitution.ml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/dune_rules/artifact_substitution.ml b/src/dune_rules/artifact_substitution.ml index d7bac7347743..d402068184f4 100644 --- a/src/dune_rules/artifact_substitution.ml +++ b/src/dune_rules/artifact_substitution.ml @@ -52,7 +52,13 @@ type conf = } let mac_codesign_hook ~codesign path = - Process.run ~display:Quiet Strict codesign [ "-s"; "-"; Path.to_string path ] + let stdout_to = + Process.Io.make_stdout Execution_parameters.Action_output_on_success.Swallow + in + let stderr_to = + Process.Io.make_stderr Execution_parameters.Action_output_on_success.Swallow + in + Process.run ~stdout_to ~stderr_to ~display:Quiet Strict codesign [ "-f"; "-s"; "-"; Path.to_string path ] let sign_hook_of_context (context : Context.t) = let config = context.ocaml_config in