removeReferencesToVendoredSources: sign aarch64-darwin binaries #418

Merged (4 commits), Oct 15, 2023

@simonzkl (Contributor) commented Oct 11, 2023

Motivation

Fixes #417

On aarch64-darwin we need to sign binaries. Usually this is done automatically, but it seems the signature is invalidated when we patch binaries using removeReferencesToVendoredSources.

Checklist

  • added tests to verify new behavior
  • added an example template or updated an existing one
  • updated docs/API.md (or general documentation) with changes
  • updated CHANGELOG.md

@ipetkov (Owner) commented Oct 12, 2023

Hi @simonzkl thanks for the PR and the test case!

I think there's a simpler way of solving this problem: removing references later in the build (after signing has had a chance to run)! It looks like nixpkgs will perform signing as a fixup hook. Currently references are removed as a postInstall step but if we changed that to a post fixup hook it might work out?

@simonzkl (Contributor, Author)

I could be wrong but my understanding is that signing runs as part of the clang build when you run cargo build, not as a hook of the buildPackage derivation. So I'm not sure if we actually have any control over this.

@simonzkl (Contributor, Author)

@ipetkov actually you're right. Moving removeReferencesToVendoredSources to fixupHooks does solve the issue. I updated the PR.

@ipetkov (Owner) left a comment

Looking good, thanks again for the fix!

@ipetkov enabled auto-merge (squash) October 13, 2023 02:09
@ipetkov changed the title from "removeReferencesToVendoredSources: codesign on aarch64-darwin" to "removeReferencesToVendoredSources: run as fixup hook" Oct 13, 2023

@ipetkov (Owner) commented Oct 13, 2023

Uh oh, we've got a regression! Actually it looks like the hook isn't running at all, maybe we need to specify postFixupHooks?

@simonzkl (Contributor, Author) commented Oct 13, 2023

Ah sorry, it seems I fixed the issue by not running the hook at all. Changing it to preFixupHooks/postFixupHooks fixes that, but reintroduces the issue. I think my initial understanding that the signing part runs as part of cargo build was correct so this is not going to work. If you look at remove-references-to in nixpkgs, they manually run the signing hook, so I think we need to do the same.

auto-merge was automatically disabled October 13, 2023 06:16

Head branch was pushed to by a user without write access

@simonzkl (Contributor, Author)

I reverted back to the old approach, but I'm happy to do it differently if there's a better idea. Should we revert postFixupHooks back to postInstallHooks? Technically this is closer to a fixup hook, but it is a breaking change I suppose.

@ipetkov (Owner) commented Oct 13, 2023

Ah I apologize for sending you down the wrong path, I had mistakenly assumed the signing was always being done by the stdenv and we were somehow clobbering it, when in reality we have to explicitly sign because we patch the binary afterwards?

Anyway this seems like the appropriate path (at least it fixes the issues even if I'm still fuzzy on the details)

> Should we revert postFixupHooks back to postInstallHooks? Technically this is closer to a fixup hook, but it is a breaking change I suppose.

Yes let's revert this (also yay no longer a breaking change!) we can circle back to the change log when this is ready to merge

@simonzkl changed the title from "removeReferencesToVendoredSources: run as fixup hook" to "removeReferencesToVendoredSources: sign aarch64-darwin binaries" Oct 15, 2023
@ipetkov enabled auto-merge (squash) October 15, 2023 17:50

@ipetkov (Owner) commented Oct 15, 2023

Gonna restart the workflow once the darwin examples cache (looks like we're stuck compiling gcc atm): https://github.com/ipetkov/crane/actions/runs/6525453459/job/17718153027

@ipetkov merged commit 47f84c5 into ipetkov:master Oct 15, 2023
8 checks passed
Successfully merging this pull request may close these issues.

Binary compiled with dontStrip = true crashes