Skip to content

fix: ad-hoc codesign compiled binaries on Apple Silicon after build #1003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
voidborne-d wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: ad-hoc codesign compiled binaries on Apple Silicon after build #1003

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions setup
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,23 @@ if [ "$NEEDS_BUILD" -eq 1 ]; then
if [ ! -f "$SOURCE_GSTACK_DIR/browse/dist/.version" ]; then
git -C "$SOURCE_GSTACK_DIR" rev-parse HEAD > "$SOURCE_GSTACK_DIR/browse/dist/.version" 2>/dev/null || true
fi

# macOS Apple Silicon: ad-hoc codesign compiled binaries.
# Bun's --compile can produce a corrupt or linker-only code signature that
# macOS kills with SIGKILL (exit 137). The two-step remove+re-sign is
# required because a naive `codesign -s - -f` fails when the existing
# signature block is corrupt. This is idempotent and costs <1s.
# See: https://github.com/garrytan/gstack/issues/997
if [ "$(uname -s)" = "Darwin" ] && [ "$(uname -m)" = "arm64" ]; then
for _bin in browse/dist/browse browse/dist/find-browse design/dist/design bin/gstack-global-discover; do
_bin_path="$SOURCE_GSTACK_DIR/$_bin"
[ -f "$_bin_path" ] && [ -x "$_bin_path" ] || continue
codesign --remove-signature "$_bin_path" 2>/dev/null || true
if ! codesign -s - -f "$_bin_path" 2>/dev/null; then
log "warning: codesign failed for $_bin (binary may not run on Apple Silicon)"
fi
done
fi
fi

if [ ! -x "$BROWSE_BIN" ]; then
Expand Down
77 changes: 77 additions & 0 deletions test/setup-codesign.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
import { describe, test, expect } from 'bun:test';
import { spawnSync } from 'child_process';
import * as path from 'path';
import * as fs from 'fs';
import * as os from 'os';

const ROOT = path.resolve(import.meta.dir, '..');
const SETUP_SCRIPT = path.join(ROOT, 'setup');

describe('setup: Apple Silicon codesign', () => {
test('setup script contains codesign block for Darwin arm64', () => {
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
// Verify the codesign guard checks both Darwin and arm64
expect(content).toContain('$(uname -s)" = "Darwin"');
expect(content).toContain('$(uname -m)" = "arm64"');
// Verify remove-then-resign two-step pattern
expect(content).toContain('codesign --remove-signature');
expect(content).toContain('codesign -s - -f');
});

test('codesign block covers all compiled binaries', () => {
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
// Extract the binaries from the codesign for-loop
const forMatch = content.match(/for _bin in ([^;]+);/);
expect(forMatch).toBeTruthy();
const binaries = forMatch![1].trim().split(/\s+/);
// All four compiled binaries from `bun run build` must be covered
expect(binaries).toContain('browse/dist/browse');
expect(binaries).toContain('browse/dist/find-browse');
expect(binaries).toContain('design/dist/design');
expect(binaries).toContain('bin/gstack-global-discover');
});

test('codesign block is inside the NEEDS_BUILD=1 branch', () => {
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
// The codesign block should appear after `bun run build` and before the
// `if [ ! -x "$BROWSE_BIN" ]` guard that checks the build succeeded.
const buildIdx = content.indexOf('bun run build');
const codesignIdx = content.indexOf('codesign --remove-signature');
const browseCheckIdx = content.indexOf('gstack setup failed: browse binary missing');
expect(buildIdx).toBeGreaterThan(-1);
expect(codesignIdx).toBeGreaterThan(buildIdx);
expect(browseCheckIdx).toBeGreaterThan(codesignIdx);
});

test('codesign block is idempotent (skips missing binaries)', () => {
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
// The loop must guard with a file-existence + executable check before codesigning
expect(content).toContain('[ -f "$_bin_path" ] && [ -x "$_bin_path" ] || continue');
});

test('codesign failure is a warning, not a fatal error', () => {
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
// On codesign failure, log a warning but don't exit
expect(content).toContain('warning: codesign failed for');
// Should NOT have `set -e` causing exit on codesign failure
// (the `|| true` after --remove-signature and the if-guard around -s - -f handle this)
expect(content).toContain('codesign --remove-signature "$_bin_path" 2>/dev/null || true');
});

test('codesign shell snippet is syntactically valid', () => {
// Extract the codesign block and validate it parses as bash
const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
const match = content.match(
/# macOS Apple Silicon: ad-hoc codesign[\s\S]*?done\n\s*fi/
);
expect(match).toBeTruthy();
const snippet = match![0];
// Wrap in a function to make it a complete script, then syntax-check
const testScript = `#!/usr/bin/env bash\nset -e\n_test_fn() {\n${snippet}\n}\n`;
const result = spawnSync('bash', ['-n', '-c', testScript], {
stdio: ['pipe', 'pipe', 'pipe'],
timeout: 5000,
});
expect(result.status).toBe(0);
});
});