removeReferencesToVendoredSources: sign aarch64-darwin binaries

ipetkov · Oct 15, 2023 · e8d95d9 · e8d95d9
1 parent 4dcf584
commit e8d95d9
Show file tree

Hide file tree

Showing 8 changed files with 187 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   at build time. ([#407](https://github.com/ipetkov/crane/pull/407))
 * Fixed handling of dummy target names to avoid issues with `cargo doc`.
   ([#410](https://github.com/ipetkov/crane/pull/410))
+* `removeReferencesToVendoredSources` now signs `aarch64-darwin` binaries. ([#418](https://github.com/ipetkov/crane/pull/418))
 
 ## [0.14.1] - 2023-09-23
 

diff --git a/checks/codesign/Cargo.lock b/checks/codesign/Cargo.lock
diff --git a/checks/codesign/Cargo.toml b/checks/codesign/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "codesign"
+version = "0.1.0"
+edition = "2021"
+
+[profile.release]
+debug = true
+
+[dependencies]
+openssl = "*"
diff --git a/checks/codesign/src/main.rs b/checks/codesign/src/main.rs
@@ -0,0 +1,3 @@
+fn main() {
+    openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls()).unwrap();
+}
diff --git a/checks/default.nix b/checks/default.nix
@@ -12,6 +12,7 @@ let
     extensions = [ "llvm-tools" ];
   });
   x64Linux = pkgs.hostPlatform.system == "x86_64-linux";
+  aarch64Darwin = pkgs.hostPlatform.system == "aarch64-darwin";
 in
 {
   cleanCargoTomlTests = callPackage ./cleanCargoTomlTests { };
@@ -107,6 +108,20 @@ in
     };
   });
 
+  # https://github.com/ipetkov/crane/issues/417
+  codesign = lib.optionalAttrs aarch64Darwin (
+    let
+      codesignPackage = myLib.buildPackage {
+        src = ./codesign;
+        cargoArtifacts = null;
+        nativeBuildInputs = [ pkgs.pkg-config pkgs.libiconv ];
+        buildInputs = [ pkgs.openssl ];
+        dontStrip = true;
+      };
+    in
+    pkgs.runCommand "codesign" { } "${codesignPackage}/bin/codesign > $out"
+  );
+
   compilesFresh = callPackage ./compilesFresh.nix { };
   compilesFreshSimple = self.compilesFresh "simple" (myLib.cargoBuild) {
     src = ./simple;

diff --git a/docs/API.md b/docs/API.md
@@ -1546,6 +1546,8 @@ sources themselves. It takes two positional arguments:
    * Note: it is expected that this directory has the exact structure as would
      be produced by `craneLib.vendorCargoDeps`
 
+Any patched binaries on `aarch64-darwin` will be [signed](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). You can disable this functionality by setting `doNotSign`.
+
 **Automatic behavior:** if `cargoVendorDir` is set and
 `doNotRemoveReferencesToVendorDir` is not set, then
 `removeReferencesToVendoredSources "$out" "$cargoVendorDir"` will be run as a

diff --git a/lib/setupHooks/removeReferencesToVendoredSources.nix b/lib/setupHooks/removeReferencesToVendoredSources.nix
@@ -1,10 +1,18 @@
-{ makeSetupHook
+{ darwin
+, lib
+, makeSetupHook
+, stdenv
 }:
 
+let
+  darwinCodeSign = stdenv.targetPlatform.isDarwin && stdenv.targetPlatform.isAarch64;
+in
 makeSetupHook
 {
   name = "removeReferencesToVendoredSourcesHook";
   substitutions = {
     storeDir = builtins.storeDir;
+    sourceSigningUtils = if darwinCodeSign then "source ${darwin.signingUtils}" else null;
+    signIfRequired = if darwinCodeSign then ''if [ -z "''${doNotSign-}" ]; then signIfRequired "''${installedFile}"; fi'' else null;
   };
 } ./removeReferencesToVendoredSourcesHook.sh
diff --git a/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh b/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
@@ -26,9 +26,13 @@ removeReferencesToVendoredSources() {
 
       echo -n '\)!@storeDir@/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!g'
     )
+
+    @signIfRequired@
   done < <(find "${installLocation}" -type f)
 }
 
+@sourceSigningUtils@
+
 if [ -n "${doNotRemoveReferencesToVendorDir-}" ]; then
   echo "removeReferencesToVendoredSources disabled"
 elif [ -n "${cargoVendorDir-}" ]; then