Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deno compile binaries cannot be code signed (macOS, Windows) #11154

Closed
AlexanderOMara opened this issue Jun 27, 2021 · 4 comments · Fixed by #24604
Closed

deno compile binaries cannot be code signed (macOS, Windows) #11154

AlexanderOMara opened this issue Jun 27, 2021 · 4 comments · Fixed by #24604
Labels
compile related to the `deno compile` feature feat new feature (which has been agreed to/accepted)

Comments

@AlexanderOMara
Copy link

AlexanderOMara commented Jun 27, 2021
edited
Loading

It looks like the current deno compile implementation simply appends data to the deno binary (like a self-extracting ZIP). Trouble is, since this data isn't integrated as part of the actual executable data, it isn't possible to sign the resulting binary.

For example, on macOS you can't sign the binary:

$ deno compile https://deno.land/std@0.79.0/examples/cat.ts
Check https://deno.land/std@0.79.0/examples/cat.ts
Bundle https://deno.land/std@0.79.0/examples/cat.ts
Compile https://deno.land/std@0.79.0/examples/cat.ts
Emit cat
$ sudo codesign -s- cat
cat: main executable failed strict validation

Or on Windows signing appears to work, but the signature is appended to become the last thing in the file, so the binary acts like a plain old deno binary again:

PS Microsoft.PowerShell.Core\FileSystem::\\vmware-host\Shared Folders\deno> Set-AuthenticodeSignature .\cat.exe -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)


    Directory: \\vmware-host\Shared Folders\deno


SignerCertificate                         Status                         Path
-----------------                         ------                         ----
1920E80F7BCC0A083ED26CA2CD2A7CFB5B9FA5C6  Valid                          cat.exe


PS Microsoft.PowerShell.Core\FileSystem::\\vmware-host\Shared Folders\deno> .\cat
Deno 1.11.2
exit using ctrl+d or close()
>

Note: Singing the deno binary first also wouldn't help, since modifying the file (appending data) would invalidate the signature by necessity.

In order to be able to sign the binary on macOS, the data would have to be added to the executable as something it recognized, such as a new segment.

I did some research on what it would take to do this on macOS recently, and it's not too hard with a little know-how. All you really have to do is insert a new segment, shift the __LINKEDIT load command down, adjust a few other commands that point to it, and read the segment at run-time.

I've seen similar things done on Windows too, so I'm fairly certain a similar solution for Windows is possible. Putting it in the EXE's resources might also be an option (resource editing would also enable #8912).
@kitsonk
Copy link
Contributor

kitsonk commented Jun 27, 2021

Ref #575

@kitsonk kitsonk added compile related to the `deno compile` feature feat new feature (which has been agreed to/accepted) labels Jun 27, 2021
@oesgalha oesgalha mentioned this issue Aug 20, 2021
Open
@paambaati paambaati mentioned this issue Nov 12, 2021
Open
3 tasks
@JohannesRudolph JohannesRudolph mentioned this issue Nov 29, 2021
Open
@jaredkrinke jaredkrinke mentioned this issue Nov 30, 2021
Closed
@vectronic vectronic mentioned this issue Dec 1, 2021
Open
@jevonearth jevonearth mentioned this issue Jan 25, 2022
Closed
6 tasks
@bnoordhuis bnoordhuis mentioned this issue Jun 15, 2022
Closed
@cowboyd cowboyd mentioned this issue Sep 22, 2022
Closed
@jhheider jhheider mentioned this issue Apr 4, 2023
Merged
@zefhemel zefhemel mentioned this issue May 7, 2023
Open
7 tasks
@mxcl
Copy link

mxcl commented May 15, 2023
edited
Loading

Notably this is preventing us from bundling pkgx with our .app since it means the notorization fails.

Additionally this prevented us from adding pkgx to Homebrew since their automation requires code signing for M1/M2 chips.

jdoleary added a commit to jdoleary/Eden that referenced this issue Sep 18, 2023
@jdoleary
chore: Add install.sh
a12c76b 
to be distributed so that mac users
can run eden without gatekeeper blocking it.
(Signing does not yet work for Deno executables)
denoland/deno#11154
denoland/deno#17753
denoland/deno#986
@chudnyi
Copy link

chudnyi commented Mar 24, 2024

Notably this is preventing us from bundling tea/cli with tea/gui (our .app) since it means the notorization fails.

Additionally this prevented us from adding tea/cli to Homebrew since their automation requires code signing for M1/M2 chips.

How did you get the "pkgx" binary that macOS skips and allows to run if signing via codesign crashes?

@mxcl
Copy link

mxcl commented May 8, 2024

We sign with || true (lol) which leaves a somewhat signed binary. The main trick we are using is that installing things via curl bypasses gatekeeper.

@littledivy littledivy mentioned this issue Jul 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compile related to the `deno compile` feature feat new feature (which has been agreed to/accepted)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: codesign for deno compile binaries littledivy/deno
4 participants
@mxcl @chudnyi @kitsonk @AlexanderOMara