GNU bug report logs - #43878
emacs fails to build on recent macOS 11.0 ARM betas

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 43878 in the body.
You can then email your comments to 43878 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Itai Seggev <is <at> cs.hmc.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: emacs fails to build on recent macOS 11.0 ARM betas
Date: Fri, 9 Oct 2020 01:24:45 -0500

In the last few betas of macOS on ARM, Apple has start enforcing a requirement
that all code be properly signed.  The linker automatically adds an "ad-hoc"
signature.  (At least for now, this is not required on x86_64, though I imagine
it is only a matter of time given Apple's public statements on code signing.)

The emacs build fails when the temacs is called to compile the Lisp files.
I've tracked this down to the call to make-fingerprint on temacs.tmp.  The call
modifies the Macho-O temacs.tmp after it was linked and signed, invaldinating
the code signature.  When it is launched, it is killed with a SIGABORT by the
OS due to the invalid signature.

I've come up with a couple of workarounds in my local build.  First, if I
modifiy make-fingerprint to not store the result in the Mach-O, then everything
seems to build fine.  It's not entirely clear to me what the purpose of this
modification of the Macho-O is, so I don't know if such a solution is
acceptable upstream.

If it is not, then the signature _must_ be repaired after make-fingerprint is
run.  This can be done quite simply, using 'codesign -s - -f temacs.tmp', which
creates a new "ad-hoc" signature for the executable.

If necessary, I am happy to test a patch / branch on my machine.

--
Itai

In 1997 a group of programmers started writing a desktop environment to fix a
travesty they didn't create.  Their program promptly found its way onto un*x
systems everywhere. Today, still opposed by a software monopolist, they survive
as soldiers of fortune.  If you share their vision, if you know you can help,
and if you can connect to internet, maybe you can join... the K-Team.

Message #8 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Daniel Martín <mardani29 <at> yahoo.es>
To: Itai Seggev <is <at> cs.hmc.edu>
Cc: 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: emacs fails to build on recent macOS 11.0 ARM betas
Date: Fri, 09 Oct 2020 22:57:41 +0200

Itai Seggev <is <at> cs.hmc.edu> writes:

> In the last few betas of macOS on ARM, Apple has start enforcing a requirement
> that all code be properly signed.  The linker automatically adds an "ad-hoc"
> signature.  (At least for now, this is not required on x86_64, though I imagine
> it is only a matter of time given Apple's public statements on code signing.)
>
> The emacs build fails when the temacs is called to compile the Lisp files.
> I've tracked this down to the call to make-fingerprint on temacs.tmp.  The call
> modifies the Macho-O temacs.tmp after it was linked and signed, invaldinating
> the code signature.  When it is launched, it is killed with a SIGABORT by the
> OS due to the invalid signature.
>
> I've come up with a couple of workarounds in my local build.  First, if I
> modifiy make-fingerprint to not store the result in the Mach-O, then everything
> seems to build fine.  It's not entirely clear to me what the purpose of this
> modification of the Macho-O is, so I don't know if such a solution is
> acceptable upstream.
>
> If it is not, then the signature _must_ be repaired after make-fingerprint is
> run.  This can be done quite simply, using 'codesign -s - -f temacs.tmp', which
> creates a new "ad-hoc" signature for the executable.
>
> If necessary, I am happy to test a patch / branch on my machine.
>

The approach to resign the executable after temacs invalidates the
digital signature seems like a good approach to me. It's also
the recommended approach in Apple's release notes:
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11-universal-apps-beta-release-notes

Note that we may want to preserve some metadata from the original
digital signature and resign the Mach-O file with something like:

codesign -s - —preserve-metadata=identifier,entitlements,flags,runtime -f temacs.tmp

But I'm not sure if it'd make a significant difference.

Message #11 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Itai Seggev <is+apple <at> cs.hmc.edu>
To: 43878 <at> debbugs.gnu.org
Subject: patch for 43878
Date: Mon, 16 Nov 2020 14:53:11 -0600

Please find attached a patch for this bug.  I'm neither an autoconf nor emacs
build system expert, so it might be a bit naive, but it works for me.  (Also, I
hope attachments survive.  If they don't, I can send this in the body.)

--
Itai

In 1997 a group of programmers started writing a desktop environment to fix a
travesty they didn't create.  Their program promptly found its way onto un*x
systems everywhere. Today, still opposed by a software monopolist, they survive
as soldiers of fortune.  If you share their vision, if you know you can help,
and if you can connect to internet, maybe you can join... the K-Team.

Message #14 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Itai Seggev <is+apple <at> cs.hmc.edu>
Cc: 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Mon, 16 Nov 2020 22:44:30 +0100

Itai Seggev <is+apple <at> cs.hmc.edu> writes:

> Please find attached a patch for this bug.  I'm neither an autoconf
> nor emacs build system expert, so it might be a bit naive, but it
> works for me.  (Also, I hope attachments survive.  If they don't, I
> can send this in the body.)

The attachments didn't survive, apparently.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Message #17 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Itai Seggev <is+apple <at> cs.hmc.edu>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Tue, 17 Nov 2020 12:36:10 -0600

On Mon, Nov 16, 2020 at 10:44:30PM +0100, Lars Ingebrigtsen wrote:
> Itai Seggev <is+apple <at> cs.hmc.edu> writes:
> 
> > Please find attached a patch for this bug.  I'm neither an autoconf
> > nor emacs build system expert, so it might be a bit naive, but it
> > works for me.  (Also, I hope attachments survive.  If they don't, I
> > can send this in the body.)
> 
> The attachments didn't survive, apparently.

This time inlined:

diff --git a/src/Makefile.in b/src/Makefile.in
index c5fb2ea3ab..6b09125e06 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -653,6 +653,9 @@ temacs$(EXEEXT):
 	  $(ALLOBJS) $(LIBEGNU_ARCHIVE) $(W32_RES_LINK) $(LIBES)
 ifeq ($(HAVE_PDUMPER),yes)
 	$(AM_V_at)$(MAKE_PDUMPER_FINGERPRINT) $@.tmp
+ifeq ($(shell uname),Darwin)
+	codesign -s - -f $@.tmp
+endif
 endif
 	$(AM_V_at)mv $@.tmp $@
 	$(MKDIR_P) $(etc)


--
Itai

In 1997 a group of programmers started writing a desktop environment to fix a
travesty they didn't create.  Their program promptly found its way onto un*x
systems everywhere. Today, still opposed by a software monopolist, they survive
as soldiers of fortune.  If you share their vision, if you know you can help,
and if you can connect to internet, maybe you can join... the K-Team.

Message #20 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Alan Third <alan <at> idiocy.org>
To: Itai Seggev <is+apple <at> cs.hmc.edu>
Cc: Lars Ingebrigtsen <larsi <at> gnus.org>, 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Wed, 18 Nov 2020 23:34:15 +0000

On Tue, Nov 17, 2020 at 12:36:10PM -0600, Itai Seggev wrote:
> +ifeq ($(shell uname),Darwin)

Is $DARWIN_OS available in the Makefile?

-- 
Alan Third

Message #23 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Itai Seggev <is+apple <at> cs.hmc.edu>
To: Alan Third <alan <at> idiocy.org>, Lars Ingebrigtsen <larsi <at> gnus.org>,
 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Fri, 20 Nov 2020 14:19:09 -0600

On Wed, Nov 18, 2020 at 11:34:15PM +0000, Alan Third wrote:
> On Tue, Nov 17, 2020 at 12:36:10PM -0600, Itai Seggev wrote:
> > +ifeq ($(shell uname),Darwin)
> 
> Is $DARWIN_OS available in the Makefile?

Not as far as I can tell.  But here's a revised patch that is both more
targeted and only using autoconf variables:

diff --git a/src/Makefile.in b/src/Makefile.in
index c5fb2ea3ab..02d50bb7ca 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -336,6 +336,10 @@ DUMPING=
 CHECK_STRUCTS = @CHECK_STRUCTS@
 HAVE_PDUMPER = @HAVE_PDUMPER@
 
+## ARM Macs require that all code have a valid signature.  Since pump
+## invalidates the signature, we must re-sign to fix it.
+DO_CODESIGN=$(patsubst @configuration@,aarch64-apple-darwin%,yes)
+
 # 'make' verbosity.
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 
@@ -653,6 +657,9 @@ temacs$(EXEEXT):
 	  $(ALLOBJS) $(LIBEGNU_ARCHIVE) $(W32_RES_LINK) $(LIBES)
 ifeq ($(HAVE_PDUMPER),yes)
 	$(AM_V_at)$(MAKE_PDUMPER_FINGERPRINT) $@.tmp
+ifeq ($(DO_CODESIGN),yes)
+	codesign -s - -f $@.tmp
+endif
 endif
 	$(AM_V_at)mv $@.tmp $@
 	$(MKDIR_P) $(etc)


--
Itai

In 1997 a group of programmers started writing a desktop environment to fix a
travesty they didn't create.  Their program promptly found its way onto un*x
systems everywhere. Today, still opposed by a software monopolist, they survive
as soldiers of fortune.  If you share their vision, if you know you can help,
and if you can connect to internet, maybe you can join... the K-Team.

Message #28 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Itai Seggev <is+apple <at> cs.hmc.edu>
Cc: Alan Third <alan <at> idiocy.org>, 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Tue, 24 Nov 2020 06:54:07 +0100

Itai Seggev <is+apple <at> cs.hmc.edu> writes:

> Not as far as I can tell.  But here's a revised patch that is both more
> targeted and only using autoconf variables:

I don't have an ARM Apple machine to test on (yet), but I guess the
patch looks reasonable, so I've applied it to the trunk, and we'll see
whether anybody complains.

I had to fix up the patch, though -- the syntax was wrong, and led to
codesigning on all platforms.  I did

DO_CODESIGN=$(patsubst aarch64-apple-darwin%,yes,@configuration@)

instead, which may or may not work (as I've got nothing to test on).

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Message #35 received at 43878 <at> debbugs.gnu.org (full text, mbox):

From: Itai Seggev <is+apple <at> cs.hmc.edu>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Alan Third <alan <at> idiocy.org>, 43878 <at> debbugs.gnu.org
Subject: Re: bug#43878: patch for 43878
Date: Tue, 24 Nov 2020 02:25:11 -0600

Tested master.  Works on my ARM Mac.  Thanks!

On Tue, Nov 24, 2020 at 06:54:07AM +0100, Lars Ingebrigtsen wrote:
> Itai Seggev <is+apple <at> cs.hmc.edu> writes:
> 
> > Not as far as I can tell.  But here's a revised patch that is both more
> > targeted and only using autoconf variables:
> 
> I don't have an ARM Apple machine to test on (yet), but I guess the
> patch looks reasonable, so I've applied it to the trunk, and we'll see
> whether anybody complains.
> 
> I had to fix up the patch, though -- the syntax was wrong, and led to
> codesigning on all platforms.  I did
> 
> DO_CODESIGN=$(patsubst aarch64-apple-darwin%,yes,@configuration@)
> 
> instead, which may or may not work (as I've got nothing to test on).
> 
> -- 
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
--
Itai

In 1997 a group of programmers started writing a desktop environment to fix a
travesty they didn't create.  Their program promptly found its way onto un*x
systems everywhere. Today, still opposed by a software monopolist, they survive
as soldiers of fortune.  If you share their vision, if you know you can help,
and if you can connect to internet, maybe you can join... the K-Team.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.