Add support for macOS signing. #1049

Open
wants to merge 10 commits into
base: master

@bruce-one bruce-one commented Apr 12, 2023

What this PR does / why we need it:

This PR fixes macOS signing in the same way that pkg does.

Which issue(s) this PR fixes:

Fixes #446

Special notes for your reviewer:

I've tested these steps manually (using ldid to try the signing step), but haven't tested them as part of the nexe codebase as I don't have access to a mac... got some access :-) All working here :-)

The impl isn't using any streaming or any such, but the binary shouldn't be big enough to cause any real memory pressure I'd have thought? But perhaps it could be tweaked to work via streams or similar, for now I just wanted to create the draft PR in case it can help others :-) (And perhaps cleanup is a later thing? 🤷 :-) )

Until it's releasable, something akin to the following would work as a workaround:

build.js

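```js
const { readFileSync, writeFileSync } = require('fs')
const nexe = require('nexe')

const isDarwin = require('os').platform() === 'darwin'
nexe.compile({
  output: 'blah',
  // macOS only: replace '16000)' with '1600000)' in pre_execution.js
  patches: [(compiler, next) => isDarwin ? compiler.replaceInFileAsync('lib/internal/process/pre_execution.js', '16000)', '1600000)').then(next) : next()],
  // ...
}).then(() => {
  if (isDarwin) {
    const { patchMachOExecutable } = require('pkg/lib-es5/mach-o')

    // Apply pkg's Mach-O patch to the built binary in place
    writeFileSync('blah', patchMachOExecutable(readFileSync('blah')))
  }
})
```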

or, if done via the command line:

```sh
$ nexe --output output-blah --patch as-above-in-a-file.js ...
$ npm i pkg
$ node -e 'const target = process.argv[1]; fs.writeFileSync(target, require("pkg/lib-es5/mach-o").patchMachOExecutable(fs.readFileSync(target)))' output-blah
```

bruce-one commented Apr 12, 2023

(Actually; this might break the nexe execution; just double checking :-( ) solved :-)

@calebboyd
Member

Thanks for opening this. Let's leave it as reference and address it after zipfs is in?

On macOS the temp path is a symlink and this was making the `/snapshot`
resolution (`this.root` vs `/snapshot` in the zipFs) not work properly.

This feels a bit like a workaround, but the path being different to the
executable was the culprit in the tests not working - and that's manual
code in the integration test script, and due to the custom entrypoint
for Mocha, so don't think it is a workaround :-)
@bruce-one bruce-one force-pushed the macos-signing branch 2 times, most recently from 60de481 to aa10495 Compare January 27, 2024 20:42
Using the technique from pkg vercel/pkg#1164.
As it is appended to the end of the file.

From my testing I saw 844000 ish as the `footerPosition`, so going up to
1600000 seemed sane.
Rather than hoping we find it on the first read.

When doing macOS signing the signature and entitlements are placed after
the nexe sentinel, so we may not find it immediately.
This shouldn't make the test execution fail.

It seems to pop up occasionally for some Windows removal racing, or similar.
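
The commit notes above about the 16000 to 1600000 window and about not relying on the first read both concern a marker that stops being at the very end of the file once signing appends data after it. The following is an added example, not code from this PR or from nexe: it compares a single fixed tail read with a backwards chunked search. The marker string, the function names and the sample file layout are assumptions made for the illustration.

```javascript
const fs = require('fs')
const os = require('os')
const path = require('path')

// Constructed marker for this example (assumption; not taken from nexe).
const SENTINEL = Buffer.from('<example-sentinel>')

// One read of the last `windowSize` bytes: the fixed tail-window approach.
function findInTailOnly(file, windowSize, sentinel = SENTINEL) {
  const fd = fs.openSync(file, 'r')
  try {
    const { size } = fs.fstatSync(fd)
    const len = Math.min(size, windowSize)
    const buf = Buffer.alloc(len)
    fs.readSync(fd, buf, 0, len, size - len)
    const hit = buf.lastIndexOf(sentinel)
    return hit === -1 ? -1 : size - len + hit
  } finally { fs.closeSync(fd) }
}

// Walk backwards in chunks until the marker is found; returns its absolute
// offset, or -1. Works however much data was appended after the marker.
function findSentinelFromEnd(file, chunkSize = 16000, sentinel = SENTINEL) {
  const fd = fs.openSync(file, 'r')
  try {
    const { size } = fs.fstatSync(fd)
    const overlap = sentinel.length - 1
    for (let end = size; end > 0; end = Math.max(0, end - chunkSize)) {
      const start = Math.max(0, end - chunkSize)
      // Read `overlap` bytes past `end` so a marker split across chunks is seen.
      const len = Math.min(size, end + overlap) - start
      const buf = Buffer.alloc(len)
      fs.readSync(fd, buf, 0, len, start)
      const hit = buf.lastIndexOf(sentinel)
      if (hit !== -1) return start + hit
    }
    return -1
  } finally { fs.closeSync(fd) }
}

// Constructed sample: 50000 stub bytes, the marker, then `trailingBytes` of
// filler standing in for a signature and entitlements appended afterwards.
function buildSample(trailingBytes) {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'sentinel-')), 'app.bin')
  const stub = Buffer.alloc(50000, 0x90)
  fs.writeFileSync(file, Buffer.concat([stub, SENTINEL, Buffer.alloc(trailingBytes, 0x41)]))
  return { file, markerOffset: stub.length }
}

console.log(findSentinelFromEnd(buildSample(844000).file)) // constructed trailing size
```

A fixed window only works while the appended data stays smaller than the window; the chunked search has no such limit and costs extra reads only when the marker is far from the end.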
Successfully merging this pull request may close these issues.

macOS codesign fails