-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
codesign on ARM requires CLT or Xcode to sign binaries #9525
Comments
As for the reason why this happened: the user reports that installing the 11.1.0 RC uninstalled their previously installed CLT 😢 |
As far as I remember, enrolling in betas that don't have a CLT version available will remove the CLT. Just like installing a normal update will usually have an update for the CLT as well. All brew installs need a CLT or XCode though, so I think aborting with a failure is the friendliest thing to do. |
Funny thing: The CLT is downloadable from the Developer Website, it's just not in their software repository. |
Not too surprising: it's still only RC, and not yet fully supported. |
@fxcoudert, so as we know, HB installs CLT on initial install. So, this will only affect users who are savvy enough to beta test macOS/RCs, (where the CLT might be removed). I don't see this as a huge issue, don't you agree? In all circumstances home-brew would have installed CLT on any stable macOS release prior to use. |
Just to remind you guys: "RC"s are what were "GM"s before - basically the release version, only a few days earlier. So it's not so weird for people to upgrade to an RC version if they don't want to wait hours for the download to complete on release day. |
I think "basically" and "earlier" are keywords here: there are still some features that distinguish it from the released version, and that makes it not fully supported.
I agree. But the price you pay for avoiding (among other things) the download wait on release day is that you get a piece of software that doesn't have the same guarantees as to the released version. One of those is the availability of CLT via |
And they aren't supported by brew as The developer previews of macOS 12 will also be like the release version, just a few months earlier and with bugs that might still be fixed later. |
As the installer installs the CLT anyway, and it's already listed as a requirement in the installation instructions, it seems reasonable to assume everyone will always have it and thus always do the (I have also been hit by this when upgrading to RCs, feels like an issue to raise with Apple via https://feedbackassistant.apple.com/ rather than brew though) |
For @woodruffw or whoever is willing to implement this in ruby: Go has made its own implementation, see https://github.com/golang/go/blob/master/src/cmd/internal/codesign/codesign.go The small details of the implementation are discussed at length in the two linked issues: golang/go#42684 and golang/go#38485 |
Upgrading to 11.1 gets rid of CLT. |
It doesn't remove the CLT, you just need to select it again in Xcode prefs (or execute a path switch). ![Uploading 102193907...] |
Xcode prefs? I’m afraid I can’t do that since I don’t have Xcode installed... But I’ll have a look to see if Homebrew just misplaced the CLT. |
@carlocab, still don't need to reinstall.
My point is, installed 11.1 (or other system updates), doesn't delete the CLT. |
@johnalanwoods it may depend on the circumstances, because on our CI machines, the update to 11.1 definitely removed the CLT entirely. |
Yep, it definitely removed CLT in my case. When CLT is installed, this happens:
Predictably, that is not the error message I saw when I ran it after upgrading to 11.1. |
codesign
to provide an ad hoc signature to the MachO files we pour from bottles, after rewriting them (binaries and shared libraries)codesign
is present at/usr/bin/codesign
on base macOS (without Xcode or CLT)codesign_allocate
to be installed, which is called bycodesign
, and is part of Xcode or CLT.This leads to very bad user experience. Moreover, it also happens with brew-downloaded git bottles for ARM (now that we have them): leading to horrible user experience. #7857 (comment)
As a long-term solution, we could imagine having ruby-macho providing a pure-ruby signing mechanism. That would be ideal, but the first implementation had problems. poking @woodruffw on that
As a short-term solution, we need to:
The text was updated successfully, but these errors were encountered: