The problem is that Apple’s codesign(_allocate) apparently rounds the “vmsize” attribute on the __LINKEDIT section to a multiple of 0x2000 on x86_64 rather than 0x1000 (as their published source code does). This divergence means that the binary signed by codesign is slightly different from the one recreated by our reattach-sig-to-gitian-output process, and the signature is invalid.
This fixes it by patching our codesign_allocate source code to also use 0x2000. In tests, this appears to result in matching binaries.
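An added example (not code from this PR or from cctools) of checking for the divergence described above: it reads the __LINKEDIT vmsize from two thin x86_64 Mach-O images and reports whether they differ only by the 0x1000-versus-0x2000 rounding. The function names and the sample images are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O, little-endian (x86_64)
LC_SEGMENT_64 = 0x19
HEADER_SIZE = 32          # sizeof(struct mach_header_64)
SEGMENT_SIZE = 72         # sizeof(struct segment_command_64), sections excluded

def round_up(n, align):
    return (n + align - 1) & ~(align - 1)

def linkedit_vmsize(image):
    """Return the vmsize of the __LINKEDIT segment in a thin 64-bit Mach-O."""
    if len(image) < HEADER_SIZE:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    off, end = HEADER_SIZE, HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64 and cmdsize >= SEGMENT_SIZE:
            segname = image[off + 8:off + 24].rstrip(b"\0")
            if segname == b"__LINKEDIT":
                # Layout: cmd, cmdsize, segname[16], vmaddr, vmsize, ...
                return struct.unpack_from("<Q", image, off + 32)[0]
        off += cmdsize
    raise ValueError("no __LINKEDIT segment")

def rounding_mismatch(signed, rebuilt):
    """True when the images differ by exactly the 0x1000-vs-0x2000 rounding."""
    a, b = linkedit_vmsize(signed), linkedit_vmsize(rebuilt)
    return a != b and b % 0x1000 == 0 and round_up(b, 0x2000) == a

def sample_image(vmsize):
    """Constructed test input: header plus one __LINKEDIT segment command."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, SEGMENT_SIZE, 0, 0)
    seg = struct.pack("<II16s4Q4I", LC_SEGMENT_64, SEGMENT_SIZE, b"__LINKEDIT",
                      0x100004000, vmsize, 0x4000, 0x2A10, 1, 1, 0, 0)
    return header + seg
```

The mismatch only shows up when the 0x1000-rounded size is an odd multiple of 0x1000; when it already lands on a multiple of 0x2000, both roundings give the same vmsize.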
sipa marked this as a draft
on Dec 13, 2020
sipa force-pushed
on Dec 13, 2020
sipa force-pushed
on Dec 13, 2020
DrahtBot added the label
Build system
on Dec 13, 2020
Add patch to make codesign_allocate compatible with Apple's a4118c6e20
sipa force-pushed
on Dec 13, 2020
achow101
commented at 1:33 am on December 14, 2020:
member
Tried this with a self-signed certificate. Did not work and vmsize was still a multiple of 0x1000.
Apparently my gitian is doing something incorrectly. Running the apply locally works as expected and the correct binary is produced.
jonasschnelli
commented at 7:44 am on December 14, 2020:
contributor
Tested ACK a4118c6e200e02e7560f8bc213697aa2909d95b1 - removed the osx cache, built commit a4118c6e200e02e7560f8bc213697aa2909d95b1 for osx in gitian (dependencies were built, patch was applied), signed on my signing mac (detach-sig-create), ran gitian osx signer with the produced signature and the a4118c6e200e02e7560f8bc213697aa2909d95b1 build (detach-sig-apply), signature then was successfully verified on my Mac (codesign -v /Volumes/Bitcoin-Core/Bitcoin-Qt.app).
MarcoFalke added the label
Needs gitian build
on Dec 14, 2020
DrahtBot
commented at 5:43 am on December 15, 2020:
member
DrahtBot removed the label
Needs gitian build
on Dec 15, 2020
fanquake
commented at 1:22 pm on December 16, 2020:
member
While this patch looks simple, it feels like black magic (at least without the PR description), so I currently prefer #20638. Also given this is patching libstuff, the change ends up in all of the tools, rather than being targeted to codesign* in some way.
MarcoFalke marked this as ready for review
on Dec 17, 2020
MarcoFalke
commented at 7:47 pm on December 17, 2020:
member
sipa
commented at 7:50 pm on December 17, 2020:
member
Updated PR description.
@fanquake It’s easy to trace which functions in cctools call get_segalign_from_flag (the only function that accesses the modified field): it’s codesign_allocate, lipo, segedit, and bitcode_strip. I believe we only use the former.
jonasschnelli added the label
Needs backport (0.21)
on Dec 17, 2020
jonasschnelli added the label
Needs backport (0.20)
on Dec 17, 2020
laanwj merged this
on Dec 17, 2020
laanwj closed this
on Dec 17, 2020
MarcoFalke referenced this in commit
35a10e4ebc
on Dec 17, 2020
sidhujag referenced this in commit
646c6a8bad
on Dec 17, 2020
MarcoFalke added the label
Needs backport (0.19)
on Dec 18, 2020
fanquake removed the label
Needs backport (0.21)
on Dec 21, 2020
fanquake
commented at 3:52 am on December 21, 2020:
member
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
Content is generated from a GitHub metadata backup.
generated: 2024-09-27 22:12 UTC