Code signature stripped on Darwin
nwjsmith opened this issue · 2 comments
I'm having trouble running the RenderScript compiler, llvm-rs-cc, because code signatures are stripped from a dylib in build-tools. This is the relevant part of the error I'm hitting:
/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib/libbcinfo.dylib' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?))
and the full error if you're an avid reader:
dyld[67033]: Library not loaded: @rpath/libbcinfo.dylib
Referenced from: /nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/llvm-rs-cc
Reason: tried: '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/../lib64/libbcinfo.dylib' (no such file), '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib64/libbcinfo.dylib' (code signature in <29EBED16-7F80-352A-800D-1461AD671135> '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib/libbcinfo.dylib' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/../lib64/libbcinfo.dylib' (no such file), '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib64/libbcinfo.dylib' (code signature in <29EBED16-7F80-352A-800D-1461AD671135> '/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib/libbcinfo.dylib' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/usr/lib/libbcinfo.dylib' (no such file)
I can check the signatures with codesign. libbcinfo.dylib has an ad-hoc signature:
codesign --display --verbose /nix/store/sbvgm391717xz44fq1s3q0pwd7xpgzcr-android-sdk-env/share/android-sdk/build-tools/32.0.0/lib/libbcinfo.dylib
Executable=/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/lib/libbcinfo.dylib
Identifier=libbcinfo.dylib
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=2792 flags=0x2(adhoc) hashes=82+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
and llvm-rs-cc is signed, by Google presumably:
Executable=/nix/store/gxylpsxax2xad9dljfw0dqa47zbsss3r-build-tools-32-0-0-32/llvm-rs-cc
Identifier=llvm-rs-cc
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=7510 flags=0x10000(runtime) hashes=229+2 location=embedded
Signature size=9041
Timestamp=Nov 19, 2021 at 3:53:41 AM
Info.plist=not bound
TeamIdentifier=EQHXZ8M8AV
Runtime Version=10.13.0
Sealed Resources=none
Internal requirements count=1 size=172
This brings us to the bug in android-nixpkgs. When I download the build tools ZIP directly, both llvm-rs-cc and libbcinfo.dylib are signed:
$ codesign --display --verbose ~/Downloads/android-12/lib64/libbcinfo.dylib
Executable=/Users/nsmith/Downloads/android-12/lib64/libbcinfo.dylib
Identifier=libbcinfo
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=2805 flags=0x10000(runtime) hashes=82+2 location=embedded
Signature size=9041
Timestamp=Nov 19, 2021 at 3:53:40 AM
Info.plist=not bound
TeamIdentifier=EQHXZ8M8AV
Runtime Version=10.13.0
Sealed Resources=none
Internal requirements count=1 size=172
$ codesign --display --verbose ~/Downloads/android-12/llvm-rs-cc
Executable=/Users/nsmith/Downloads/android-12/llvm-rs-cc
Identifier=llvm-rs-cc
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=7510 flags=0x10000(runtime) hashes=229+2 location=embedded
Signature size=9041
Timestamp=Nov 19, 2021 at 3:53:41 AM
Info.plist=not bound
TeamIdentifier=EQHXZ8M8AV
Runtime Version=10.13.0
Sealed Resources=none
Internal requirements count=1 size=172
Is there a way to preserve the signatures from the originals?
I've found a workaround!
(build-tools-32-0-0.overrideAttrs (oldAttrs: {
  dontStrip = true;
}))
Since everything is being unpacked from archives anyway, should dontStrip = true be added to mkGeneric?
Alternatively, I can figure out why llvm-rs-cc isn't being stripped and fix that for build-tools.
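Added example, not part of the original issue or of android-nixpkgs: a small Python check that parses `codesign --display --verbose` output and reports why a hardened-runtime executable would refuse a dylib, which is the mismatch the dyld error above describes. The function names are hypothetical, the sample text is constructed from the fields quoted in the issue, and it assumes the host binary carries no entitlement that disables library validation (this output does not show entitlements).

```python
import re

# Constructed sample input: fields copied from the codesign output quoted in the issue.
LLVM_RS_CC = """\
Identifier=llvm-rs-cc
CodeDirectory v=20500 size=7510 flags=0x10000(runtime) hashes=229+2 location=embedded
TeamIdentifier=EQHXZ8M8AV
"""
LIBBCINFO_NIX = """\
Identifier=libbcinfo.dylib
CodeDirectory v=20400 size=2792 flags=0x2(adhoc) hashes=82+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
LIBBCINFO_ZIP = """\
Identifier=libbcinfo
CodeDirectory v=20500 size=2805 flags=0x10000(runtime) hashes=82+2 location=embedded
TeamIdentifier=EQHXZ8M8AV
"""

CS_ADHOC = 0x2        # CodeDirectory flag: ad-hoc signature, no certificate chain
CS_RUNTIME = 0x10000  # CodeDirectory flag: hardened runtime

def parse_codesign(text):
    """Extract identifier, CodeDirectory flags and Team ID from codesign output."""
    fields = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    m = re.search(r"^CodeDirectory .*\bflags=(0x[0-9a-fA-F]+)", text, re.M)
    team = fields.get("TeamIdentifier", "not set")
    return {
        "identifier": fields.get("Identifier"),
        "signed": m is not None,  # no CodeDirectory line means no signature
        "flags": int(m.group(1), 16) if m else 0,
        "team_id": None if team == "not set" else team,
    }

def library_load_problems(host, lib):
    """Return the reasons a hardened-runtime host would reject lib."""
    # Assumption: library validation is in effect for a hardened-runtime host.
    # Apple platform binaries are exempt from the Team ID rule; not modelled here.
    if not host["flags"] & CS_RUNTIME:
        return []
    problems = []
    if not lib["signed"]:
        problems.append("library is unsigned")
    elif lib["flags"] & CS_ADHOC:
        problems.append("library is ad-hoc signed")
    if lib["team_id"] != host["team_id"]:
        problems.append(f"Team ID {lib['team_id']} != host {host['team_id']}")
    return problems
```

Feeding it the real output of `codesign --display --verbose` for each file in a build-tools store path flags any library whose original signature was replaced during the build.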