From 812fc07a1063eefb12e4ff2cbb66fdba4fb4ce51 Mon Sep 17 00:00:00 2001
From: Patrik Teivonen
Date: Fri, 24 Mar 2023 15:56:17 +0200
Subject: sign_installer: Adjust what counts as signable macOS payload content
Remove unreliable file suffix checks, For example, ".so" files can contain non-native code, so they don't have to be always signed. Non-Mach-O executables and libraries seem to be treated as other data by macOS code signing and notarization systems so we should ignore those.
Change-Id: Ib203a25ab7fd321e182033f4eb5e97b0656dddbd
Reviewed-by: Antti Kokko
---
 packaging-tools/sign_installer.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
(limited to 'packaging-tools')
diff --git a/packaging-tools/sign_installer.py b/packaging-tools/sign_installer.py
index c41493b36..c70205bff 100755
--- a/packaging-tools/sign_installer.py
+++ b/packaging-tools/sign_installer.py
@@ -65,9 +65,9 @@ def _is_app_bundle(path: Path) -> bool:
 return path.joinpath("Contents", "Info.plist").exists()
-def _is_mach_o_executable(path: Path) -> bool:
+def _is_mach_o_file(path: Path) -> bool:
 """
- Determine whether a file is a Mach-O executable
+ Determine whether a file is a Mach-O image containing native code
 Args:
 path: A file system path to a file
@@ -132,11 +132,8 @@ def _find_signable_content(pkg_dir: Path) -> Tuple[List[Path], List[Path]]:
 if path.suffix in (".pkg", ".dmg"):
 sign_list.append(path)
 staple_list.append(path)
- # Known suffixes for libs, modules, ...
- elif path.suffix in (".dylib", ".so", ".bundle"):
- sign_list.append(path)
- # Mach-O files by header, exec bit
- elif os.access(path, os.X_OK) and _is_mach_o_executable(path):
+ # Mach-O images (executables, libraries, modules)
+ if _is_mach_o_file(path):
 sign_list.append(path)
 return sign_list, staple_list
-- 
cgit v1.2.3
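Review bot: In the second hunk the Mach-O branch changes from `elif` to a plain `if`, which the commit message does not mention. A `.pkg` or `.dmg` path already appended by the suffix branch is now also passed to `_is_mach_o_file`, and would be added to `sign_list` a second time if its header matched. If the branches are still meant to be exclusive, keep the chain with `elif _is_mach_o_file(path):`. With the `os.access(path, os.X_OK)` gate removed, the helper is now called on every payload entry, so it presumably needs to return False rather than raise on unreadable files, broken symlinks and non-regular files. Its body and the enclosing loop of `_find_signable_content` lie outside the hunk, so this could not be confirmed here.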