Mac OS X codesigning woes

I just discovered this wonderful bug. Apparently “hdiutil makehybrid” is stripping code signatures in some cases.

I first verify the code signature on an App (a build of Emacs, in this case)—there are no errors:

$ codesign --verify _dmg-build/

I then use “hdiutil makehybrid” to create a disk image out of the directory.

$ hdiutil makehybrid -hfs -hfs-volume-name "Emacs Test" -hfs-openfolder _dmg-build _dmg-build -o /tmp/tmp.dmg

I then mount the created image and run try to verify the signature again—but this time it fails!

$ open /tmp/tmp.dmg
$ codesign --verify /Volumes/Emacs\ Test/
/Volumes/Emacs Test/ code object is not signed at all
In subcomponent: /Volumes/Emacs Test/

Investigating further, I use “xattr” to list the extended attributes on the “grep-changelog” file. First, the good file:

$ xattr _dmg-build/

And now the bad file:

$ xattr /Volumes/Test\ Emacs/

Yup, all the code signature stuff is completely gone! (The “FinderInfo” stuff is OK, it’s just there as a side effect of mounting the disk image).

I’m not exactly sure how to fix this. Apple recently changed code signing requirements so that 10.9.5 now requires deep signatures (way to change something fundamental in a point release, guys). Also the only thing that correctly makes the deep signatures is Xcode 6 which was released only about 1 week before 10.9.5 was released (way to give advanced warning, guys).

2014-10-03 Update:

I filed a bug with Apple and they suggested I use “hdiutil create -srcfolder” instead of “makehybrid“. This does copy the extended attributes correctly. I had originally not used “create” for two reasons: It didn’t have the “-hfs-openfolder” option and the man page claims that only “makehybrid” makes optimally small filesystems. Turns out that “create -srcfolder” automatically does the same thing as “makehybrid -hfs-openfolder” (though it is not documented in the man page) and in practice the resulting .dmgs are just as small or smaller. Problem solved!

3 thoughts on “Mac OS X codesigning woes”

  1. Cool. Now it doesn’t matter that you’re not serving content over HTTPs.
    Emacs-24.5-1-universal.dmg is downloading…and…

    $ codesign -d --verbose=40 -vvvvv /Volumes/Emacs/
    Format=bundle with generic
    CodeDirectory v=20200 size=157 flags=0x0(none) hashes=1+3 location=embedded
    Hash type=sha1 size=20
    Signature size=8500
    Authority=Developer ID Application: Galvanix
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Apr 12, 2015, 1:22:39 PM
    Info.plist entries=15
    Sealed Resources version=2 rules=12 files=3953
    Internal requirements count=2 size=228


    (Interestingly, googling the SHA-1 of the download shows someone’s offering it via bittorrent –

    (Soon you’ll be able to get regular, free SSL certs for free – and is most of the way there today.)

  2. I just installed it with this command, which I often use.

    APPNAME=Emacs ; ASRC=/Volumes/Emacs/”$APPNAME”.app/ ; ADEST=/Applications/”$APPNAME” ; sudo ditto -X –hfsCompression -v $ASRC $ADEST ; du -sk $ASRC $ADEST ;
    Copying /Volumes/Emacs/
    152392 /Volumes/Emacs/
    61908 /Applications/

    The result is an installation that’s half the size of the default. Consider running a variant of this command as part of your standard script. You’ll save each of your users 90MB of disk space. And this version may launch slightly faster too, as there’s less disk access. If you test that, I’d be curious to hear the results. Thanks for making Emacs available like this!

Leave a Reply

Your email address will not be published. Required fields are marked *

Last Modified on: Dec 31, 2014 18:59pm