{"id":471,"date":"2014-10-02T01:56:07","date_gmt":"2014-10-02T08:56:07","guid":{"rendered":"http:\/\/porkrind.org\/missives\/?p=471"},"modified":"2014-10-03T13:57:10","modified_gmt":"2014-10-03T20:57:10","slug":"mac-os-x-codesigning-woes","status":"publish","type":"post","link":"https:\/\/porkrind.org\/missives\/mac-os-x-codesigning-woes\/","title":{"rendered":"Mac OS X codesigning woes"},"content":{"rendered":"

I just discovered this wonderful bug. Apparently “hdiutil makehybrid<\/tt>” is stripping code signatures in some cases.<\/p>\n

I first verify the code signature on an App (a build of Emacs<\/a>, in this case)\u2014there are no errors:<\/p>\n

$ codesign --verify _dmg-build\/Emacs.app\/\r\n$<\/pre>\n
I then use “hdiutil makehybrid<\/tt>” to create a disk image out of the directory.<\/p>\n
$ hdiutil makehybrid -hfs -hfs-volume-name \"Emacs Test\" -hfs-openfolder _dmg-build _dmg-build -o \/tmp\/tmp.dmg<\/pre>\n
I then mount the created image and run try to verify the signature again\u2014but this time it fails!<\/p>\n
$ open \/tmp\/tmp.dmg\r\n$ codesign --verify \/Volumes\/Emacs\\ Test\/Emacs.app\/\r\n\/Volumes\/Emacs Test\/Emacs.app\/: code object is not signed at all\r\nIn subcomponent: \/Volumes\/Emacs Test\/Emacs.app\/Contents\/MacOS\/bin-i386-10_5\/grep-changelog<\/pre>\n
Investigating further, I use “xattr<\/tt>” to list the extended attributes on the “grep-changelog<\/tt>” file. First, the good file:<\/p>\n
$ xattr _dmg-build\/Emacs.app\/Contents\/MacOS\/bin-i386-10_5\/grep-changelog\r\ncom.apple.cs.CodeDirectory\r\ncom.apple.cs.CodeRequirements\r\ncom.apple.cs.CodeSignature<\/pre>\n
And now the bad file:<\/p>\n
$ xattr \/Volumes\/Test\\ Emacs\/Emacs.app\/Contents\/MacOS\/bin-i386-10_5\/grep-changelog\r\ncom.apple.FinderInfo<\/pre>\n
Yup, all the code signature stuff is completely gone! (The “FinderInfo<\/tt>” stuff is OK, it’s just there as a side effect of mounting the disk image).<\/p>\n
I’m not exactly sure how to fix this. Apple recently changed code signing requirements so that 10.9.5 now requires deep signatures (way to change something fundamental in a point release, guys). Also the only thing that correctly makes the deep signatures is Xcode 6 which was released only about 1 week before 10.9.5 was released (way to give advanced warning, guys).<\/p>\n
2014-10-03 Update:<\/strong><\/p>\n
I filed a bug with Apple and they suggested I use “hdiutil create -srcfolder<\/tt>” instead of “makehybrid<\/tt>“. This does copy the extended attributes correctly. I had originally not used “create<\/tt>” for two reasons: It didn’t have the “-hfs-openfolder<\/tt>” option and the man page claims that only “makehybrid<\/tt>” makes optimally small filesystems. Turns out that “create -srcfolder<\/tt>” automatically does the same thing as “makehybrid -hfs-openfolder<\/tt>” (though it is not documented in the man page) and in practice the resulting .dmg<\/tt>s are just as small or smaller. Problem solved!<\/p>\n","protected":false},"excerpt":{"rendered":"
I just discovered this wonderful bug. Apparently “hdiutil makehybrid” is stripping code signatures in some cases. I first verify the code signature on an App (a build of Emacs, in this case)\u2014there are no errors: $ codesign –verify _dmg-build\/Emacs.app\/ $ I then use “hdiutil makehybrid” to create a disk image out of the directory. $ … Continue reading Mac OS X codesigning woes<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-471","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/comments?post=471"}],"version-history":[{"count":13,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/471\/revisions"}],"predecessor-version":[{"id":484,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/471\/revisions\/484"}],"wp:attachment":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/media?parent=471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/categories?post=471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/tags?post=471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}