Code signing issues with macports-gcc48 compiled binaries

Nicolas Hatier nicolas.hatier at niversoft.com
Mon Jul 1 14:06:24 PDT 2013


Found out I can generate a binary without the LC_VERSION_MIN_MACOSX load 
command with
gcc -no_version_load_command a.cpp

I also found out codesign_allocate from the iOS SDK works too even if 
I'm not compiling for iOS at all:
 > export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
 > codesign -s "identity" --keychain my.keychain a.out

I'm not sure yet which one is the best. I still target OSX 10.5 and use 
the -mmacosx-version-min flag during compilation, so I guess I'm better 
off not touching the LC_VERSION_MIN_MACOSX load command.

Thanks Rainer for pointing me in the right direction.


I'm not really surprised that the default codesign_allocate available in 
OSX 10.6 is unable to understand binaries produced by gcc 4.8.

But the fact codesign_allocate from macports doesn't plug in well - no 
error, just doesn't do what it's told to - still slightly puzzles me.

NH

On 2013-06-30 14:25, Nicolas Hatier wrote:
> Hello.
>
> I have trouble codesigning a binary compiled with gcc-mp-48.
>
> Previously I was using XCode's gcc (4.2.1) and everything was ok.
>
> a.cpp:
> int main() { return 1; }
>
> Compiled with gcc 4.2.1:
>
>     > /usr/bin/gcc a.cpp
>     > security unlock-keychain ~/my.keychain
>     password to unlock /Users/me/my.keychain: ********
>     > codesign -f -s "identity" --keychain ~/my.keychain a.out
>     > codesign -v -v a.out
>     a.out: valid on disk
>     a.out: satisfies its Designated Requirement
>     (success)
>
> Compiled with gcc 4.8 (macports)
>
>     > /opt/local/bin/gcc-mp-4.8 a.cpp
>     > security unlock-keychain ~/my.keychain
>     password to unlock /Users/me/my.keychain: ********
>     > codesign -f -s "identity" --keychain ~/my.keychain a.out
>     codesign_allocate: object: /Users/me/a.out malformed object (unknown load command 9)
>     a.out: object file format invalid or unsuitable
>     (failure)
>
> I then found out there was a codesign_allocate in macports bin, so I 
> tried:
>
>     > export CODESIGN_ALLOCATE=/opt/local/bin/codesign_allocate
>     > security unlock-keychain ~/my.keychain
>     password to unlock /Users/me/my.keychain: ********
>     > codesign -f -s "identity" --keychain ~/my.keychain a.out
>     a.out: code object is not signed
>
>
> Uh? When I specify macports codesign_allocate, codesign doesn't even 
> try to sign, it just verifies the (unavailable) signature of my binary.
>
> However, detached signature works, with or without macports 
> codesign_allocate:
>
>     > codesign -f -s "identity" --keychain ~/my.keychain a.out --detached a.out.signature
>     > codesign -v -v a.out --detached a.out.signature
>     a.out: valid on disk
>     a.out: satisfies its Designated Requirement
>
> So codesign and codesign_allocate work with gcc48-compiled binaries, 
> but for some reason fail to understand that they should embed the 
> signature in the binary.
>
> Anybody have a clue about that? Or maybe a way to embed the signature 
> after it has been created detached?
>
> Note: My personal Mac/OSX knowledge is basic to medium, and I need to 
> use only command-line tools to create working, ideally signed, 
> binaries. The build process is highly automated on several platforms.
>
> Regards
> NH
>
>
> _______________________________________________
> macports-users mailing list
> macports-users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/macports-users
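
The thread turns on which load commands a binary carries: the older codesign_allocate rejects one it does not recognise, and the reply mentions LC_VERSION_MIN_MACOSX and -mmacosx-version-min. The following is an added example, not part of the original messages, that lists a thin little-endian Mach-O file's load commands by position and type and decodes the recorded minimum OS version. The sample bytes and the names `load_commands`, `min_macosx` and `sample_macho` are constructed for illustration.

```python
import struct, sys

# Command numbers from <mach-o/loader.h> (subset; anything else is reported as "unknown").
LC_NAMES = {0x1: "LC_SEGMENT", 0x2: "LC_SYMTAB", 0xB: "LC_DYSYMTAB",
            0xC: "LC_LOAD_DYLIB", 0xE: "LC_LOAD_DYLINKER", 0x19: "LC_SEGMENT_64",
            0x1B: "LC_UUID", 0x1D: "LC_CODE_SIGNATURE", 0x24: "LC_VERSION_MIN_MACOSX"}
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF

def load_commands(data):
    """Return [(index, cmd, name, payload)] for a thin little-endian Mach-O image."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O file")
    is64 = struct.unpack_from("<I", data)[0] == MH_MAGIC_64
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset = 32 if is64 else 28          # mach_header_64 has one extra reserved word
    end = offset + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    out = []
    for index in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command %d is truncated" % index)
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("load command %d has bad cmdsize %d" % (index, cmdsize))
        out.append((index, cmd, LC_NAMES.get(cmd, "unknown"), data[offset + 8:offset + cmdsize]))
        offset += cmdsize
    return out

def min_macosx(data):
    """Return the minimum OS version recorded by LC_VERSION_MIN_MACOSX, or None."""
    for _, cmd, _, payload in load_commands(data):
        if cmd == 0x24 and len(payload) >= 4:
            v, = struct.unpack_from("<I", payload)   # encoded as xxxx.yy.zz
            return "%d.%d.%d" % (v >> 16, (v >> 8) & 0xFF, v & 0xFF)
    return None

def sample_macho():
    """Constructed x86_64 header plus three load commands; not a real a.out."""
    cmds = [struct.pack("<II", 0x19, 72) + bytes(64),
            struct.pack("<IIII", 0x24, 16, 0x000A0500, 0),   # version 10.5.0, sdk 0
            struct.pack("<II", 0x1B, 24) + bytes(16)]
    body = b"".join(cmds)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0) + body

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_macho()
    for index, cmd, name, payload in load_commands(data):
        print("%2d  0x%08x  %-22s cmdsize=%d" % (index, cmd, name, len(payload) + 8))
    print("min version:", min_macosx(data))
```

Run with a file path to inspect a real binary, or with no argument to see the constructed sample.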
