Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

analysis: warn about binaries with invalid macOS SDK version #8043

Merged
merged 2 commits into from Oct 26, 2023
Merged

analysis: warn about binaries with invalid macOS SDK version #8043

merged 2 commits into from Oct 26, 2023

Conversation

rokm
Copy link
Member

@rokm rokm commented Oct 26, 2023

At the end of analysis, verify the macOS SDK version reported by binaries to be collected, and warn when the version is lower than 10.9.0 (this includes cases when version is invalid, i.e., 0.0.0).

According to https://developer.apple.com/forums/thread/132526, hardened runtime requires at least macOS 10.9.0 SDK, so we should warn users about binaries that are expected to cause problems with codesigning and hardened runtime.

@rokm
analysis: warn about binaries with invalid macOS SDK version
1ddd321 
At the end of analysis, verify the macOS SDK version reported by
binaries to be collected, and warn when the version is lower than
10.9.0 (this includes cases when version is invalid, i.e., 0.0.0).

According to https://developer.apple.com/forums/thread/132526,
hardened runtime requires at least macOS 10.9.0 SDK, so we
should warn users about binaries that are expected to cause
problems with codesigning and hardened runtime.
@rokm
Copy link
Member Author

rokm commented Oct 26, 2023

This is a follow-up to #7899, and should make it easier to debug issues with hardened run-time. For example,

189075 INFO: Warnings written to [...]/build/program/warn-program.txt
189983 INFO: Graph cross-reference written to [...]/build/program/xref-program.html
191437 WARNING: Found one or more binaries with invalid or incompatible macOS SDK version:
191437 WARNING:  * '[...]/venv/lib/python3.10/site-packages/sklearn/.dylibs/libomp.dylib', collected as 'sklearn/.dylibs/libomp.dylib'; version: (0, 0, 0)
191437 WARNING: These binaries will likely cause issues with code-signing and hardened runtime!
192058 INFO: checking PYZ

I suppose the issue with old binaries is more likely to occur on x86_64 than on arm64, since the binaries for the latter must have been built with relatively recent tool-chain.

@rokm
tests: fix test_regression::test_issue_5131
df1fbc0 
The test uses dummy binary/extension file, and therefore requires
special handling of `osxutils.get_macos_sdk_versiom`, similar
to what it already has for `bindepend.get_imports`.
@rokm rokm mentioned this pull request Oct 26, 2023
Open
@rokm rokm merged commit d3c0c08 into pyinstaller:develop Oct 26, 2023
18 checks passed
@rokm rokm deleted the warn-on-binaries-with-invalid-macos-sdk branch October 26, 2023 22:23
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bwoodsend bwoodsend bwoodsend approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rokm @bwoodsend