indygreg/apple-platform-rs

Failing to sign .app containing non-mach-o files in MacOS (invalid magic number)

asmyers opened this issue · 3 comments

Thanks very much for your amazing work on this, really impressive!
There are a number of invalid magic number issues, but not sure where this should go. I've been exploring using rcodesign for, at least, development builds due to issues in Apple's codesign tool on unattended build systems (errSecInternalComponent fun). However, rcodesign has issues with files in our MacOS directory, which are delivered to us by another team and packed into our application bundle using jpackage.

You can download a signed and notarized version of the latest installer here to see how Apple's tools sign everything. The specific issue that causes the first failure, I assume there will be more, is with one of the .dxl files, the one at path Contents/MacOS/casm/casm.dxl, resulting in this error:

sealing Mach-O file MacOS/casm/casm.dxl
signing Mach-O file Contents/MacOS/casm/casm.dxl
Error: binary parsing error: Invalid magic number: 0x84280100

Apple's signing tools put elements in _CodeResources for these files; I'll attach the full CodeResources file from the bundle (as a .txt to satisfy GitHub).

I spent some time looking through the code but it wasn't immediately obvious how to resolve this since the decision to treat this as a Mach-O looks like it's made based on a regex matching the location of the files. If you have some pointers I may be able to send a patch, depending on my availability and level of effort for a fix.

Thanks for the detailed bug report and steps to reproduce!

There are some known issues where bundle signing assumes paths are Mach-O binaries when they aren't. This issue will likely get addressed when we overhaul the bundle signing code. I'm hoping that will be in the next release or two.

I think this was fixed by 1c63bca. Please test from the main branch or the next release and reopen if this is still broken.

Hi there,
I'm working on code signing an installer made by "Bitrock (currently belonging to VMware) install builder (version 19)"; its application contains an installbuilder.sh and osx-x86_64 files under the MacOS folder. It's fine if I just sign the Mach-O binary with the runtime option, but if I try to sign the whole app, it gives the error: Error: binary parsing error: Invalid magic number: 0x23212f62.
Is this related to this issue? @indygreg
(Can offer the test files if you need)
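
An added example, not part of the thread and not rcodesign's code or the fix in 1c63bca: a content-based check that decides whether a file under Contents/MacOS is a Mach-O by its first four bytes rather than by its path, run over the two magic values quoted above. The `Kind` enum, the function names and the big-endian reading of the magic are assumptions made for illustration.

```rust
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;

/// What the first four bytes of a file say about it.
#[derive(Debug, PartialEq, Eq)]
pub enum Kind {
    MachO,      // thin Mach-O, 32- or 64-bit, either byte order
    FatMachO,   // universal binary; Java .class files share 0xcafebabe
    Script,     // begins with "#!"
    Other(u32), // not a Mach-O: treat as a plain bundle resource
    TooShort,   // fewer than four bytes
}

/// Classify by content. Assumption: the magic is read big-endian, so that
/// 0x23212f62 corresponds to the ASCII bytes "#!/b".
pub fn classify(head: &[u8]) -> Kind {
    if head.len() < 4 {
        return Kind::TooShort;
    }
    let magic = u32::from_be_bytes([head[0], head[1], head[2], head[3]]);
    match magic {
        0xfeedface | 0xfeedfacf | 0xcefaedfe | 0xcffaedfe => Kind::MachO,
        0xcafebabe | 0xcafebabf | 0xbebafeca | 0xbfbafeca => Kind::FatMachO,
        _ if head.starts_with(b"#!") => Kind::Script,
        other => Kind::Other(other),
    }
}

/// Read at most four bytes of `path` and classify them.
pub fn classify_file(path: &Path) -> io::Result<Kind> {
    let mut head = Vec::with_capacity(4);
    File::open(path)?.take(4).read_to_end(&mut head)?;
    Ok(classify(&head))
}

fn main() {
    // Constructed inputs: the two magic values quoted in this thread and the
    // first four bytes of a 64-bit little-endian Mach-O for comparison.
    let samples = [0x84280100u32, 0x23212f62, 0xcffaedfe];
    for magic in samples {
        println!("{:#010x}: {:?}", magic, classify(&magic.to_be_bytes()));
    }
    // Optional: classify a real file given as the first argument.
    if let Some(p) = std::env::args().nth(1) {
        println!("{}: {:?}", p, classify_file(Path::new(&p)));
    }
}
```

A fat magic alone is not conclusive, since Java class files start with the same four bytes; a signer should still be prepared for the full Mach-O parse to fail and fall back to sealing the file as a resource.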