removeReferencesToVendoredSources: sign aarch64-darwin binaries (#418)

--------- Co-authored-by: Simon Zlender <simonz@btcx.com> Co-authored-by: Ivan Petkov <ivanppetkov@gmail.com>
2024-11-26 09:08:57 +03:00 · 2023-10-15 22:09:08 +02:00 · 2023-10-15 22:09:08 +02:00 · 47f84c5b60
commit 47f84c5b60
parent e5ec5d9e10
8 changed files with 194 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -28,6 +28,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
  ([#410](https://github.com/ipetkov/crane/pull/410))
 * When using `installCargoArtifactsMode = "use-zstd";` all files will be marked
  as user-writable while compressing
+* `removeReferencesToVendoredSources` now signs `aarch64-darwin` binaries. ([#418](https://github.com/ipetkov/crane/pull/418))

 ## [0.14.1] - 2023-09-23

--- a/checks/codesign/Cargo.lock
+++ b/checks/codesign/Cargo.lock
@ -0,0 +1,143 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "bitflags"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635"
+
+[[package]]
+name = "cc"
+version = "1.0.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "codesign"
+version = "0.1.0"
+dependencies = [
+ "openssl",
+]
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "libc"
+version = "0.2.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b"
+
+[[package]]
+name = "once_cell"
+version = "1.18.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
+
+[[package]]
+name = "openssl"
+version = "0.10.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bac25ee399abb46215765b1cb35bc0212377e58a061560d8b29b024fd0430e7c"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db4d56a4c0478783083cfafcc42493dd4a981d41669da64b4572a2a089b51b1d"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.33"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.38"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
--- a/checks/codesign/Cargo.toml
+++ b/checks/codesign/Cargo.toml
@ -0,0 +1,10 @@
+[package]
+name = "codesign"
+version = "0.1.0"
+edition = "2021"
+
+[profile.release]
+debug = true
+
+[dependencies]
+openssl = "*"
--- a/checks/codesign/src/main.rs
+++ b/checks/codesign/src/main.rs
@ -0,0 +1,3 @@
+fn main() {
+    openssl::ssl::SslConnector::builder(openssl::ssl::SslMethod::tls()).unwrap();
+}
--- a/checks/default.nix
+++ b/checks/default.nix
@ -12,6 +12,7 @@ let
    extensions = [ "llvm-tools" ];
  });
  x64Linux = pkgs.hostPlatform.system == "x86_64-linux";
+  aarch64Darwin = pkgs.hostPlatform.system == "aarch64-darwin";
 in
 {
  bzip2Sys = myLib.buildPackage {
@ -113,6 +114,19 @@ in
    };
  });

+  # https://github.com/ipetkov/crane/issues/417
+  codesign = lib.optionalAttrs aarch64Darwin (
+    let
+      codesignPackage = myLib.buildPackage {
+        src = ./codesign;
+        nativeBuildInputs = [ pkgs.pkg-config pkgs.libiconv ];
+        buildInputs = [ pkgs.openssl ];
+        dontStrip = true;
+      };
+    in
+    pkgs.runCommand "codesign" { } "${codesignPackage}/bin/codesign > $out"
+  );
+
  compilesFresh = callPackage ./compilesFresh.nix { };
  compilesFreshSimple = self.compilesFresh "simple" (myLib.cargoBuild) {
    src = ./simple;
--- a/docs/API.md
+++ b/docs/API.md
@ -1546,6 +1546,8 @@ sources themselves. It takes two positional arguments:
   * Note: it is expected that this directory has the exact structure as would
     be produced by `craneLib.vendorCargoDeps`

+Any patched binaries on `aarch64-darwin` will be [signed](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). You can disable this functionality by setting `doNotSign`.
+
 **Automatic behavior:** if `cargoVendorDir` is set and
 `doNotRemoveReferencesToVendorDir` is not set, then
 `removeReferencesToVendoredSources "$out" "$cargoVendorDir"` will be run as a
--- a/lib/setupHooks/removeReferencesToVendoredSources.nix
+++ b/lib/setupHooks/removeReferencesToVendoredSources.nix
@ -1,10 +1,26 @@
-{ makeSetupHook
+{ lib
+, makeSetupHook
+, pkgsBuildBuild
+, stdenv
 }:

+let
+  darwinCodeSign = stdenv.targetPlatform.isDarwin && stdenv.targetPlatform.isAarch64;
+in
 makeSetupHook
 {
  name = "removeReferencesToVendoredSourcesHook";
  substitutions = {
    storeDir = builtins.storeDir;
+    sourceSigningUtils = lib.optionalString darwinCodeSign ''
+      source ${pkgsBuildBuild.darwin.signingUtils}
+    '';
+    signIfRequired = lib.optionalString darwinCodeSign ''
+      if [ -n "''${doNotSign-}" ]; then
+        echo "not signing ''${installedFile} as requested";
+      else
+        signIfRequired "''${installedFile}"
+      fi
+    '';
  };
 } ./removeReferencesToVendoredSourcesHook.sh
--- a/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
+++ b/lib/setupHooks/removeReferencesToVendoredSourcesHook.sh
@ -26,9 +26,13 @@ removeReferencesToVendoredSources() {

      echo -n '\)!@storeDir@/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!g'
    )
+
+    @signIfRequired@
  done < <(find "${installLocation}" -type f)
 }

+@sourceSigningUtils@
+
 if [ -n "${doNotRemoveReferencesToVendorDir-}" ]; then
  echo "removeReferencesToVendoredSources disabled"
 elif [ -n "${cargoVendorDir-}" ]; then