strip does ad-hoc code signatures on darwin

[flavorjones]

Problem being solved

Using the osxcross strip tool invalidates the ad-hoc code signature:

/opt/osxcross/target/bin/aarch64-apple-darwin20.2-strip: warning: changes being made to the file will invalidate the code signature in: /home/flavorjones/code/oss/grpc/tmp/arm64-darwin/grpc_c/3.2.0/grpc_c.bundle

This results in the binary being unusable, see tpoechtrager/osxcross#305

Approach used

codesign installed from thefloweringash/sigtool

This PR builds and installs https://github.com/thefloweringash/sigtool to provide a /usr/bin/codesign utility in the OSX cross-compilation environment. (Note that I'm using a personal branch that fixes a bug in the Makefile, see thefloweringash/sigtool#14).

codesign_allocate made discoverable

The codesign tool relies on codesign_allocate. This tool is provided by osxcross, but is named with the toolchain prefix. To allow codesign to find it, this PR symlinks the underlying binary executable into /usr/bin/codesign_allocate.

sigtool allows setting the codesign_allocate command via environment variable CODESIGN_ALLOCATE but since the goal is to make codesign easy to use, I chose instead to symlink:

ln -s /opt/osxcross/target/bin/x86_64-apple-darwin[0-9]*-codesign_allocate /usr/bin/codesign_allocate

Also note that osxcross's aarch64-apple-darwin20.2-codesign_allocate is a symlink to the x86_64 binary, so the architecture here doesn't seem to matter.

strip behavior

This PR also provides a wrapper script for strip that will ad-hoc codesign the stripped file automatically, making strip a safe command to run.

Testing

I didn't add test coverage. Testing this seems to requires setting up a complex integration test scenario that involves a darwin test worker running a "real" version of codesign. It may even need to be apple silicon? I'm not sure. I'm also not sure the effort is worth testing a third-party tool. Let me know if you disagree or have other ideas.

[larskanis]

LGTM, but I wonder if codesign could be integrated into the strip command. I already built a wrapper for the strip command for MINGW here: https://github.com/rake-compiler/rake-compiler-dock/blob/master/Dockerfile.mri.erb#L211
Similar we could wrap strip in MacOS, to return stripped and signed binaries.

[flavorjones]

I wonder if codesign could be integrated into the strip command

Oh, I love this idea. Let me go do that.

[flavorjones]

@larskanis Updated with a wrapper for strip on darwin.

[flavorjones]

OK, I've verified that with this PR I can create a precompiled, stripped grpc gem for both arm64-darwin and x86_64-darwin.

@larskanis unless you have objections, I'd like to merge this and cut a point release.

[larskanis]

No objections. Is the strip command executed somewhere as part of our current tests?

[flavorjones]

Is the strip command executed somewhere as part of our current tests?

No, currently neither of the wrappers is being tested as part of the suite. Let me see if I can find time today to add that, and think about what a meaningful test would even look like (there's no way to validate codesigning except on a darwin machine).

[flavorjones]

@larskanis I added test coverage for the "strip" wrappers.

Any other thoughts before I merge? Any objections to me cutting a patch release for this?

[larskanis]

LGTM, great work! Interesting approach to add strip to the extension Makefile.

[flavorjones]

I'll cut a release in the next few days.