build, qt: Fix make deploy on M1-based macOS with system frameworks
#22546
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hebasto
force-pushed
the
210725-deploy
branch
2 times, most recently
from
a3a74ec to
ba962f6
Compare
hebasto
force-pushed
the
210725-deploy
branch
3 times, most recently
from
daaa644 to
4d489dd
Compare
fanquake
reviewed
Jul 29, 2021
contrib/macdeploy/macdeployqtplus
Outdated
| @@ -543,6 +546,9 @@ ds.close() | |||
|
|
|||
| # ------------------------------------------------ | |||
|
|
|||
| if need_to_sign_target and platform.system() == "Darwin" and platform.machine() == "arm64": | |||
There was a problem hiding this comment.
Is there a problem with just always signing in the need_to_sign_target case, i.e non-depends builds, rather than making this specific to arm64?
There was a problem hiding this comment.
Not a problem at all, just not required.
There was a problem hiding this comment.
Probably easier to just always sign then. Otherwise this should have an explainer.
There was a problem hiding this comment.
Is the following comment good as an explanation (compiled from Apple docs):
"In macOS 11 on Macs with Apple silicon the operating system enforces that any executable must be signed before it’s allowed to run. After using tools such as strip or install_name_tool, to call codesign is required to properly ad-hoc sign binaries."
?
There was a problem hiding this comment.
I agree that adding a comment here makes sense. It's not obvious why this would be ARM-only.
There was a problem hiding this comment.
I am of the opinion that it is just easier to always sign. Right now the requirement is only for apple silicon, but I have not seen anything to say that this wouldn't expand to remaining intel Macs in future OS versions.
If we stick with only signing for arm, then the following is a suitable comment:
"Starting with macOS 11 on Apple silicon, executables must be signed before they are allowed to run."
There was a problem hiding this comment.
Probably easier to just always sign then. Otherwise this should have an explainer.
Yeah, it was a hard time for me to choose a right wording. Without the first commit the signing tool returns an error: |
|
Updated 4d489dd -> bbdd588 (pr22546.02 -> pr22546.03, diff):
|
Ok. I'll have a look. This needs a better commit message (with explanation), otherwise by itself, it's not clear what problem it's fixing or why it's the correct solution. |
|
Tested on macOS 11.4 (20F71)
Note: Technically the package import order is not standard.
|
Zero-1729
reviewed
Aug 13, 2021
There was a problem hiding this comment.
tACK bbdd588
Tested on macOS v11.4
On master, the built app from DMG is broken. I get the following error when attempting to launch it:
After Patch
I can confirm this patch fixes that; opening the built app in the DMG works as expected (Bitcoin-Qt.app opens normally).
$ make -j9 deploy
...
+ Adding Qt translations +
+ Installing qt.conf +
+ Generating .DS_Store +
dist/Bitcoin-Qt.app: replacing existing signature
+ Preparing .dmg disk image +
........................................................................................................
created: /Users/abubakar/Github/bitcoin/Bitcoin-Core.temp.dmg
+ Applying fancy settings +
+ Finalizing .dmg disk image +
"disk4" ejected.
Preparing imaging engine…
Reading Protective Master Boot Record (MBR : 0)…
(CRC32 $251F7180: Protective Master Boot Record (MBR : 0))
Reading GPT Header (Primary GPT Header : 1)…
(CRC32 $0E7F79E8: GPT Header (Primary GPT Header : 1))
Reading GPT Partition Data (Primary GPT Table : 2)…
(CRC32 $46B32FF2: GPT Partition Data (Primary GPT Table : 2))
Reading (Apple_Free : 3)…
(CRC32 $00000000: (Apple_Free : 3))
Reading disk image (Apple_APFS : 4)…
.................................................................................................................................................................................
(CRC32 $0AE0B07F: disk image (Apple_APFS : 4))
Reading (Apple_Free : 5)…
.................................................................................................................................................................................
(CRC32 $00000000: (Apple_Free : 5))
Reading GPT Partition Data (Backup GPT Table : 6)…
.................................................................................................................................................................................
(CRC32 $46B32FF2: GPT Partition Data (Backup GPT Table : 6))
Reading GPT Header (Backup GPT Header : 7)…
.................................................................................................................................................................................
(CRC32 $F4C2505D: GPT Header (Backup GPT Header : 7))
Adding resources…
.................................................................................................................................................................................
Elapsed Time: 3.616s
File size: 17954445 bytes, Checksum: CRC32 $CA646B34
Sectors processed: 134790, 80803 compressed
Speed: 10.9Mbytes/sec
Savings: 74.0%
created: /Users/abubakar/Github/bitcoin/Bitcoin-Core.dmg
+ Done +$ file Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt
Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt: Mach-O 64-bit executable arm64
jarolrod
reviewed
Sep 4, 2021
There was a problem hiding this comment.
on an M1 mac, the application is recognized as an IOS application, it should be recognized as Apple Silicon. Obviously, we are not building an IOS application and it is not an IOS executable. The system is just categorizing it wrong. But, why?
My current thinking with what is going on is that it could be related to LSArchitecturePriority, this field is still set as x86_64 when it should be set as arm64:
<key>LSArchitecturePriority</key>
<array>
<string>x86_64</string>
</array>
hebasto
force-pushed
the
210725-deploy
branch
from
bbdd588 to
462e632
Compare
|
Updated bbdd588 -> 462e632 (pr22546.03 -> pr22546.04): |
laanwj
reviewed
Sep 6, 2021
hebasto
added a commit
to bitcoin-core/gui
that referenced
this pull request
Sep 14, 2021
3765c48 qt: fix bitcoin-qt app categorization on apple silicon (Jarol Rodriguez) Pull request description: `System Information` contains many insights into various aspects of your macOS system; the 'Applications' tab contains info on apps. Starting with macOS 11, the 'kind' column under the 'Applications' tab started displaying the CPU architecture of the application. The options are; apple silicon, intel, universal. Previously, the `kind` column indicated where the application originated. The change was made to conveniently determine if the app installed was built to run natively on the new M1 CPU or an intel app that will run under rosetta. Of course, there are several other tools to confirm this; the 'kind' column provides a user-friendly way. We expect that Bitcoin Core compiled, built, and deployed on an intel CPU will be classified as `Intel`. Similarly, we expect that if this is done on an M1 mac, the resulting app is classified as `Apple Silicon`. In reality, Bitcoin-qt built and deployed on an M1 mac will be classified as `IOS`. This behavior is incorrect and should be fixed. We fix this by setting the `CFBundleSupportedPlatforms` in our info.plist to the value of `MacOSX`. In doing this, we are telling macOS, "We do not support IOS; stop it!". Tested and confirmed that this is a no-op on macOS < 11. | On [#22546](bitcoin/bitcoin#22546) Branch | [#22546](bitcoin/bitcoin#22546) + PR Branch | | ------------------------------------------------------------------- | ----------- | |  |  | **To Test:** For testing, our base branch will be [#22546](bitcoin/bitcoin#22546). Please perform the following steps on the base branch and then the base branch with the commit from this PR cherry-picked onto it: - Have an M1 mac - Compile and deploy bitcoin - Open up the deployed *.dmg, installed the bundled app - Eject the bitcoin dmg that should currently be mounted - Navigate to System Information -> Applications - Click on the top-left Apple icon - Click about this mac - Click on the 'Storage' tab - Click on the 'Manage...' button - On the left, click on 'Applications' - Sort by Name - Look for the Bitcoin Core application - Base Branch: The kind column should state that this application is of type `IOS` - PR Branch: The kind column should state that this application is of type `Apple Silicon` Note: Intel users on at least macOS 11 can help test by confirming that the application still shows up as kind=`Intel` ACKs for top commit: hebasto: ACK 3765c48 Tree-SHA512: 666672025e81e59fe1803859a7f9a4fd3b93a3aba05a163ce223c36081dd579b866d071455608011a19d9ba0c3e9f564cca0c4cb941452f2b51f4ef0dfead1fa
hebasto
force-pushed
the
210725-deploy
branch
from
462e632 to
c206adc
Compare
|
Updated 462e632 -> c206adc (pr22546.04 -> pr22546.05):
|
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Sep 15, 2021
…e silicon 3765c48 qt: fix bitcoin-qt app categorization on apple silicon (Jarol Rodriguez) Pull request description: `System Information` contains many insights into various aspects of your macOS system; the 'Applications' tab contains info on apps. Starting with macOS 11, the 'kind' column under the 'Applications' tab started displaying the CPU architecture of the application. The options are; apple silicon, intel, universal. Previously, the `kind` column indicated where the application originated. The change was made to conveniently determine if the app installed was built to run natively on the new M1 CPU or an intel app that will run under rosetta. Of course, there are several other tools to confirm this; the 'kind' column provides a user-friendly way. We expect that Bitcoin Core compiled, built, and deployed on an intel CPU will be classified as `Intel`. Similarly, we expect that if this is done on an M1 mac, the resulting app is classified as `Apple Silicon`. In reality, Bitcoin-qt built and deployed on an M1 mac will be classified as `IOS`. This behavior is incorrect and should be fixed. We fix this by setting the `CFBundleSupportedPlatforms` in our info.plist to the value of `MacOSX`. In doing this, we are telling macOS, "We do not support IOS; stop it!". Tested and confirmed that this is a no-op on macOS < 11. | On [bitcoin#22546](bitcoin#22546) Branch | [bitcoin#22546](bitcoin#22546) + PR Branch | | ------------------------------------------------------------------- | ----------- | |  |  | **To Test:** For testing, our base branch will be [bitcoin#22546](bitcoin#22546). Please perform the following steps on the base branch and then the base branch with the commit from this PR cherry-picked onto it: - Have an M1 mac - Compile and deploy bitcoin - Open up the deployed *.dmg, installed the bundled app - Eject the bitcoin dmg that should currently be mounted - Navigate to System Information -> Applications - Click on the top-left Apple icon - Click about this mac - Click on the 'Storage' tab - Click on the 'Manage...' button - On the left, click on 'Applications' - Sort by Name - Look for the Bitcoin Core application - Base Branch: The kind column should state that this application is of type `IOS` - PR Branch: The kind column should state that this application is of type `Apple Silicon` Note: Intel users on at least macOS 11 can help test by confirming that the application still shows up as kind=`Intel` ACKs for top commit: hebasto: ACK 3765c48 Tree-SHA512: 666672025e81e59fe1803859a7f9a4fd3b93a3aba05a163ce223c36081dd579b866d071455608011a19d9ba0c3e9f564cca0c4cb941452f2b51f4ef0dfead1fa
|
tACK c206adc
|
|
Haven't looked into the code deeply, but I had the exact same problem as #22546 (review), and using this patch fixed it. Apparently codesigning verification with M1 Macs are a lot stricter than with non-M1 Macs, which is what causes the above problem. |
|
Could you rebase this now that #21851 has been merged? |
hebasto
force-pushed
the
210725-deploy
branch
from
c206adc to
c9cb557
Compare
Rebased c206adc -> c9cb557 (pr22546.05 -> pr22546.06). |
Guix builds: |
hebasto
force-pushed
the
210725-deploy
branch
from
c9cb557 to
06909e4
Compare
|
Rebased c9cb557 -> 06909e4 (pr22546.06 -> pr22546.07). |
Guix builds: |
Currently the codesign tool fails to sign copied frameworks.
Starting with macOS 11 on Apple silicon, executables must be signed before they are allowed to run.
hebasto
force-pushed
the
210725-deploy
branch
from
06909e4 to
1513727
Compare
|
Rebased 06909e4 -> 1513727 (pr22546.07 -> pr22546.08) on top of the merged #24348. |
Guix builds: |
fanquake
approved these changes
Feb 23, 2022
There was a problem hiding this comment.
ACK 1513727 - although didn't test on M1 hardware. Given the forced signing is scoped to only occur when running the deploy script on macOS, this doesn't interfere with our release signing.
Guix Build:
bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
0793e0ac20b1f3abc2e5159e9038d70eb0138630eef595782fc996f5e704d68a guix-build-1513727e2b38/output/aarch64-linux-gnu/SHA256SUMS.part
56cdca87802db062b32a4bba60ef7f39e5aee4a9779cef35071cc914fea1bf0e guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu-debug.tar.gz
576308ed1fb69ebebbce4f7c1252373de8875cd949386b1a13b53fe6d6c954b5 guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu.tar.gz
0f39af36a605bac0f1bfe5118a1e9e4b0807f6fc25ee72600aabb19bb9a85fb5 guix-build-1513727e2b38/output/arm-linux-gnueabihf/SHA256SUMS.part
04f402e3b75c3643d74e7f1ecbcb9f56e45561d39423755abb9d5f1ecbaa1019 guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf-debug.tar.gz
027ee6368839531b57c1907927dd4967765299447ded1c12cc17c64b13fddbef guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf.tar.gz
0cf76bb70bd6f446a99ea7cade2357cceef16fe63f1d1258087d13642f024f9c guix-build-1513727e2b38/output/arm64-apple-darwin/SHA256SUMS.part
0c9246cef1ae82f37f5618308b477e7548e09ce94613ab9c43e3160a0f0450a7 guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-arm64-apple-darwin.tar.gz
51dcbcfd86e55e36ee299ff4f3a5e2e2baec06755a4b149742616fa5c691a3b5 guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
fd16a158dd2ae9f90d61de4a8d4e287458d42e5e6b5bd6aece6b2bd18cbc73c5 guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
b18f242456aeeddf37cc31f001221593283b020f35ba72e375f69a4c602a3970 guix-build-1513727e2b38/output/dist-archive/bitcoin-1513727e2b38.tar.gz
6b411193b4a60fb37e7809a1df45e465feaf09ff4ad2d7cbb293e0838774591d guix-build-1513727e2b38/output/powerpc64-linux-gnu/SHA256SUMS.part
5b8d26f66d30de098f790ef3cf632eb8aa85f9c680f6c2cdaee9076227f627c2 guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu-debug.tar.gz
95d6811384228b2b2dca487b87027fc3704416def3d2574df511c1f75febb7af guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu.tar.gz
2887fd0d7f618b1ece5dee2909867606d2ff60e10d9bb4f48d69bcb4f4256948 guix-build-1513727e2b38/output/powerpc64le-linux-gnu/SHA256SUMS.part
a8f9598eefb77bdcbe7317636921d633b1af0210608d9f033027bf1d5d0152f2 guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu-debug.tar.gz
0b7851c32dc1df406b71e68a5bd1c61dc4062b4e5a7d08c026ed3191682e5d2a guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu.tar.gz
cff4e6eb1afd5fb403e3afebc15b59ae34f593cc956666e692eff1ac0b031eb0 guix-build-1513727e2b38/output/riscv64-linux-gnu/SHA256SUMS.part
093723e11f3fd55feb34acd5fae2c1d48cf9251edfd8e286ccfca26d5b3d4408 guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu-debug.tar.gz
d8cc7ffdc9e3ce0ff610d0fa71d5eeca18f7f27b9a76a4b21fd89c343a002eaa guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu.tar.gz
c33f78cbf09ff0d71bae8a971030fac0a7fcf8e8ae745b7ae35ec8ef0979105b guix-build-1513727e2b38/output/x86_64-apple-darwin/SHA256SUMS.part
6bc78aa850bfe906ae6593e6e44b9d1d95b0977ff9dd227fd355f938b75cdd64 guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
6066fc635615cf9e918c0ec8579588683d5f9b2a0f14d57a4d2576f199746b9a guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
c43582f8ecef39f049cbba11c4e646e011ac3cff4a59582435bb8733b30b12f0 guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx64.tar.gz
04da85b5eeeb4549f1d74902596853ace814d704fac21ee963d737142f5cee7d guix-build-1513727e2b38/output/x86_64-linux-gnu/SHA256SUMS.part
53274875268d4b18b36c487e3410961381d1960772c5def082bf3048659bc899 guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu-debug.tar.gz
8e93f32641da9f574d228429dc8133bccb9b3a499c0654ea81148a6ca2a4124d guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu.tar.gz
e911fc37258f7a26976fe0a66f0af69bf89ed95e71064cdbd3e2615d18e13d8c guix-build-1513727e2b38/output/x86_64-w64-mingw32/SHA256SUMS.part
e1f9ce7c661e97d69f9f5518071cf70fd4cc75c186941fed9ba4678ad8a9ed22 guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win-unsigned.tar.gz
ddbc59f27da63b2e2a65b1b323bcda604570c63e5886692808d0bda455c97ce1 guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-debug.zip
53e2fd55381470496fe800854c03a03bbf2189bd8e0ab5617942281c9df1ef4f guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-setup-unsigned.exe
79519d66034fecd41886f5ec4caae433fd7d3d5c182d068fc45ef9260ef2bdf7 guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64.zip| @@ -543,6 +541,9 @@ ds.close() | |||
|
|
|||
| # ------------------------------------------------ | |||
|
|
|||
| if platform.system() == "Darwin": | |||
| subprocess.check_call(f"codesign --deep --force --sign - {target}", shell=True) | |||
There was a problem hiding this comment.
For anyone else's reference, passing - to --sign invokes ad-hoc signing, which is more limited in it's capabilities, but sufficient for locally running/testing binaries.
If identity is the single letter "-" (dash), ad-hoc signing is performed. Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Feb 23, 2022
…ith system frameworks 1513727 build, qt: (Re-)sign package (Hennadii Stepanov) c26a0a5 build, qt: Align frameworks with macOS codesign tool requirements (Hennadii Stepanov) Pull request description: Fixes bitcoin#22403 This PR follows Apple [docs](https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes): > - New in macOS 11 on Macs with Apple silicon, and starting in macOS Big Sur 11 beta 6, the operating system enforces that any executable must be signed before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature is sufficient... > - ... If you use a custom workflow involving tools that modify a binary after linking (e.g. `strip` or `install_name_tool`) you might need to manually call `codesign` as an additional build phase to properly ad-hoc sign your binary. These new signatures are not bound to the specific machine that was used to build the executable, they can be verified on any other system and will be sufficient to comply with the new default code signing requirement on Macs with Apple silicon... When building with system Qt frameworks (i.e., without depends), a new string has been added to the `make deploy` log on M1-based macOS: ``` % make deploy ... + Generating .DS_Store + dist/Bitcoin-Qt.app: replacing existing signature + Preparing .dmg disk image + ... ``` This PR does not change build system behavior: - when building with depends - on Intel-based macOS ACKs for top commit: jarolrod: ACK 1513727 fanquake: ACK 1513727 - although didn't test on M1 hardware. Given the forced signing is scoped to only occur when running the deploy script on macOS, this doesn't interfere with our release signing. Tree-SHA512: 3aa778fdd6ddb54f029f632f2fe52c2ae3bb197ba564cb776493aa5c3a655bd51d10ccbe6c007372d717e9b01fc4193dd5c29ea0bc7e069dcae7e991ae259f0c
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #22403
This PR follows Apple docs:
When building with system Qt frameworks (i.e., without depends), a new string has been added to the
make deploylog on M1-based macOS:This PR does not change build system behavior: