New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicitly add ad hoc code signing on macOS #5650
Explicitly add ad hoc code signing on macOS #5650
Conversation
b30e9c6
to
8f2e04d
Compare
I think this is probably going to be the way to go. However, I think this PR should also include changes to the Mac build notes. |
My original implementation turned out to be faulty, since I was trying to gather a list of files in the installation location before they were created. Subsequently I went through 3 different iterations of possible solutions (adding cmake commands to the string executed at the end, using Failures in the CI seem unrelated to this PR BTW |
I am going to also investigate adding the "linker-signed" flag which might solve some of the problem without re-signing. https://gitlab.kitware.com/cmake/cmake/-/issues/21854 |
07bade0
to
b01eb4b
Compare
This turns out to be available only on macOS 11+ and I'm not sure if it would fix the issue with macdeployqt touching binaries (to be tested though - I'm not on M1 currently). In the meantime I think I found a more proper solution to #4664 - original solution was to disable codesigning altogether; that didn't seem like the best idea to me and I found that running Finally, I don't know how/what to document here. This doesn't seem to change anything about building locally (aside from making it work on M1) and AFAIU does not change anything about signing the releases either. Before this PR local builds always had invalid signatures. While code signatures for local builds were not required to run them on earlier macOS systems (before Big Sur and M1), making this change for all builds seems fine to me, as it results in binaries with valid (albeit still ad-hoc) signatures. |
Fixes incremental builds for Xcode 11+
b01eb4b
to
933c380
Compare
I am happy with this PR now. I updated the first comment to give a clear description of the current changes. Here's what changed from the previous version:
|
Spoke too soon, something is wrong... |
The issue was that the build wouldn't open after moving to another computer (the message was The missing part was signature on the app bundle itself ( It is worth noting, that the message on Big Sur has changed because the app is signed. Previously it was |
Note: signing DiskIO_UGens is needed for servers from incremental builds to start properly on arm64 (M1) hardware
0123bf7
to
531324e
Compare
It turned out, that I needed to sign all the ugens after all |
Fixes #5603
On macOS all binaries needs to be signed when run on M1 hardware (arm64 / aarch64)
When building, the binaries are signed ad hoc, however it turns out that
macdeployqt
, as well as manipulations withinstall_name_tool
invalidate these signatures.I propose the solution that runs ad hoc signing after the
macdeployqt
step.I'm open to suggestions whether this is the desired solution and if there's a better name for the introduced CMake flag.
The PR includes the following changes:
CMakeLists.txt
to trigger ad-hoc codesigning after building (SC_CODESIGN_AFTER_DEPLOY
, defaults toON
, macOS only)SuperCollider
,sclang
,scsynth
,supernova
, all.framework
and.dylib
files inContents/Frameworks/
,DiskIO_UGens
plugins, andSuperCollider.app
itself (last).SuperCollider
binary is signed with the--deep
flag to avoidcode object is not signed at all
error; signing other files is done without that flagDiskIO_UGens
was needed due to a rather obscure issue with codesigning - the servers would not boot, but only after incremental builds, while running fine on clean builds. Signing this specific ugen file seems to have fixed that. I made a note of it in the commit message.--deep
flag to build-time codesigning for theSuperCollider
target. This seems to me like a more proper solution to [build] MacOS incremental builds broken #4664 than turning off build-time codesigning altogether.SC_DISABLE_XCODE_CODESIGNING
by default, as I don't think it's needed anymore.Purpose and Motivation
Types of changes
To-do list