Mac OS X codesigning woes

I just discovered this wonderful bug. Apparently “hdiutil makehybrid” is stripping code signatures in some cases.

I first verify the code signature on an App (a build of Emacs, in this case)—there are no errors:

$ codesign --verify _dmg-build/Emacs.app/
$

I then use “hdiutil makehybrid” to create a disk image out of the directory.

$ hdiutil makehybrid -hfs -hfs-volume-name "Emacs Test" -hfs-openfolder _dmg-build _dmg-build -o /tmp/tmp.dmg

I then mount the created image and run try to verify the signature again—but this time it fails!

$ open /tmp/tmp.dmg
$ codesign --verify /Volumes/Emacs\ Test/Emacs.app/
/Volumes/Emacs Test/Emacs.app/: code object is not signed at all
In subcomponent: /Volumes/Emacs Test/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog

Investigating further, I use “xattr” to list the extended attributes on the “grep-changelog” file. First, the good file:

$ xattr _dmg-build/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog
com.apple.cs.CodeDirectory
com.apple.cs.CodeRequirements
com.apple.cs.CodeSignature

And now the bad file:

$ xattr /Volumes/Test\ Emacs/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog
com.apple.FinderInfo

Yup, all the code signature stuff is completely gone! (The “FinderInfo” stuff is OK, it’s just there as a side effect of mounting the disk image).

I’m not exactly sure how to fix this. Apple recently changed code signing requirements so that 10.9.5 now requires deep signatures (way to change something fundamental in a point release, guys). Also the only thing that correctly makes the deep signatures is Xcode 6 which was released only about 1 week before 10.9.5 was released (way to give advanced warning, guys).

2014-10-03 Update:

I filed a bug with Apple and they suggested I use “hdiutil create -srcfolder” instead of “makehybrid“. This does copy the extended attributes correctly. I had originally not used “create” for two reasons: It didn’t have the “-hfs-openfolder” option and the man page claims that only “makehybrid” makes optimally small filesystems. Turns out that “create -srcfolder” automatically does the same thing as “makehybrid -hfs-openfolder” (though it is not documented in the man page) and in practice the resulting .dmgs are just as small or smaller. Problem solved!

3 thoughts on “Mac OS X codesigning woes”

  1. Cool. Now it doesn’t matter that you’re not serving content over HTTPs.
    Emacs-24.5-1-universal.dmg is downloading…and…

    $ codesign -d --verbose=40 -vvvvv /Volumes/Emacs/Emacs.app/
    Executable=/Volumes/Emacs/Emacs.app/Contents/MacOS/Emacs
    Identifier=org.gnu.Emacs
    Format=bundle with generic
    CodeDirectory v=20200 size=157 flags=0x0(none) hashes=1+3 location=embedded
    Hash type=sha1 size=20
    -3=04ef526df9c994950edcd511a7bd0cf0dcf5228e
    -2=58d39f3be1053c61f3c1e6199625edf532d074a5
    -1=fe66f7ecaba773c871b9c237b974280e84b046f8
    0=4ef678875e0e0f37314b8c187a4e44bf6c9014a9
    CDHash=c067523b2291cbdab72fbd3fb30d03a7ab31897b
    Signature size=8500
    Authority=Developer ID Application: Galvanix
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Apr 12, 2015, 1:22:39 PM
    Info.plist entries=15
    TeamIdentifier=5BRAQAFB8B
    Sealed Resources version=2 rules=12 files=3953
    Internal requirements count=2 size=228

    🙂

    (Interestingly, googling the SHA-1 of the download shows someone’s offering it via bittorrent – http://burnbit.com/torrent/355085/Emacs_24_5_1_universal_dmg)

    (Soon you’ll be able to get regular, free SSL certs for free – https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web and http://www.cacert.org/ is most of the way there today.)

  2. I just installed it with this command, which I often use.

    APPNAME=Emacs ; ASRC=/Volumes/Emacs/”$APPNAME”.app/ ; ADEST=/Applications/”$APPNAME”.INTC.ZIP.app/ ; sudo ditto -X –hfsCompression -v $ASRC $ADEST ; du -sk $ASRC $ADEST ;
    Copying /Volumes/Emacs/Emacs.app/
    152392 /Volumes/Emacs/Emacs.app/
    61908 /Applications/Emacs.INTC.ZIP.app/

    The result is an installation that’s half the size of the default. Consider running a variant of this command as part of your standard script. You’ll save each of your users 90MB of disk space. And this version may launch slightly faster too, as there’s less disk access. If you test that, I’d be curious to hear the results. Thanks for making Emacs available like this!

Leave a Reply

Your email address will not be published. Required fields are marked *