mac-arm64: Use --force to re-sign linker-signed arm64 code on OS < 11.0

Xcode 12.0b4 and later produce ad-hoc linker-signed code, but codesign --sign on OS versions earlier than 11.0 doesn't know anything about linker-signed code, and only sees an ad-hoc signature that it refuses to replace without --force. Detect this condition by looking for the linker-signed code signature flag in codesign --display output, and adding --force to the codesign --sign invocation if required. --force won't be used on an OS version where codesign --sign should handle this properly on its own, for x86_64 code, for unsigned arm64 code, or for signed but not linker-signed arm64 code. This was tested on macOS 10.15.6 19G2021 by building the "installer" target and running: out/release_arm64/Chromium Packaging/sign_chrome.py \ --identity=- \ --input=out/release_arm64 \ --output=/tmp/release_arm64_signed \ --development Bug: 1130270 Change-Id: I6f817b74b515d7476a59ed200ed79ed4829e2936 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2420529 Commit-Queue: Michael Moss <mmoss@chromium.org> Reviewed-by: Michael Moss <mmoss@chromium.org> Cr-Commit-Position: refs/heads/master@{#808746}

mac-arm64: Use --force to re-sign linker-signed arm64 code on OS < 11.0
Xcode 12.0b4 and later produce ad-hoc linker-signed code, but codesign --sign on OS versions earlier than 11.0 doesn't know anything about linker-signed code, and only sees an ad-hoc signature that it refuses to replace without --force. Detect this condition by looking for the linker-signed code signature flag in codesign --display output, and adding --force to the codesign --sign invocation if required. --force won't be used on an OS version where codesign --sign should handle this properly on its own, for x86_64 code, for unsigned arm64 code, or for signed but not linker-signed arm64 code. This was tested on macOS 10.15.6 19G2021 by building the "installer" target and running: out/release_arm64/Chromium Packaging/sign_chrome.py \ --identity=- \ --input=out/release_arm64 \ --output=/tmp/release_arm64_signed \ --development Bug: 1130270 Change-Id: I6f817b74b515d7476a59ed200ed79ed4829e2936 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2420529 Commit-Queue: Michael Moss <mmoss@chromium.org> Reviewed-by: Michael Moss <mmoss@chromium.org> Cr-Commit-Position: refs/heads/master@{#808746}
8e602f66 · Mark Mentovai · Commit Bot · 7610deeb · 8e602f66
Commit 8e602f66 authored Sep 20, 2020 by Mark Mentovai Committed by Commit Bot Sep 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 62 additions and 1 deletion

chrome/installer/mac/signing/signing.py chrome/installer/mac/signing/signing.py +62 -1

No files found.
--- a/chrome/installer/mac/signing/signing.py
+++ b/chrome/installer/mac/signing/signing.py
@@ -7,10 +7,68 @@ bundle that need to be signed, as well as providing utilities to sign them.
 """

 import os.path
+import platform
+import re
+import subprocess

 from . import commands


+def _linker_signed_arm64_needs_force(path):
+    """Detects linker-signed arm64 code that can only be signed with --force
+    on this system.
+
+    Args:
+        path: A path to a code object to test.
+
+    Returns:
+        True if --force must be used with codesign --sign to successfully sign
+        the code, False otherwise.
+    """
+    # On macOS 11.0 and later, codesign handles linker-signed code properly
+    # without the --force hand-holding. Check OS >= 10.16 because that's what
+    # Python will think the OS is if it wasn't built with the 11.0 SDK or later.
+    if [int(x) for x in platform.mac_ver()[0].split('.')] >= [10, 16]:
+        return False
+
+    try:
+        # Look just for --arch=arm64 because that's the only architecture that
+        # has linker-signed code by default. If this were used with universal
+        # code (if there were any), --display without --arch would default to
+        # the native architecture, which almost certainly wouldn't be arm64 and
+        # therefore would be wrong.
+        codesign = subprocess.Popen(
+            ['codesign', '--display', '--verbose', '--arch=arm64', '--', path],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE)
+    except OSError:
+        # Problem running codesign? Don't make the error about this confusing
+        # function. Just return False and let some less obscure codesign
+        # invocation be the error.
+        return False
+
+    (stdout, stderr) = codesign.communicate()
+    if codesign.wait() != 0:
+        # Not signed at all? No problem. No arm64 code? No problem either. Not
+        # code at all? File not found? Well, those don't count as linker-signed
+        # either.
+        return False
+
+    # Yes, codesign --display puts all of this on stderr.
+    match = re.search(b'^CodeDirectory .* flags=(0x[0-9a-f]+)( |\().*$', stderr,
+                      re.MULTILINE)
+    if not match:
+        return False
+
+    flags = int(match.group(1), 16)
+
+    # This constant is from MacOSX11.0.sdk <Security/CSCommon.h>
+    # SecCodeSignatureFlags kSecCodeSignatureLinkerSigned.
+    LINKER_SIGNED_FLAG = 0x20000
+
+    return (flags & LINKER_SIGNED_FLAG) != 0
+
+
 def sign_part(paths, config, part):
    """Code signs a part.

@@ -21,6 +79,9 @@ def sign_part(paths, config, part):
            be in |paths.work|.
    """
    command = ['codesign', '--sign', config.identity]
+    path = os.path.join(paths.work, part.path)
+    if _linker_signed_arm64_needs_force(path):
+        command.append('--force')
    if config.notary_user:
        # Assume if the config has notary authentication information that the
        # products will be notarized, which requires a secure timestamp.
@@ -36,7 +97,7 @@ def sign_part(paths, config, part):
        command.extend(
            ['--entitlements',
             os.path.join(paths.work, part.entitlements)])
-    command.append(os.path.join(paths.work, part.path))
+    command.append(path)
    commands.run_command(command)