Invalid code signature on libjulia.1.9.dylib

[fxcoudert]

I'm still trying to get Julia master to compile… this time I'm using the binary builder, to avoid trouble, but a Julia compiled and installed with:

make VERBOSE=1 prefix=/opt/julia-1.9.0-DEV-811e534c PYTHON=python3 MACOSX_VERSION_MIN=12 install

will crash when it is launched:

$ /opt/julia/bin/julia -v  
zsh: killed     /opt/julia/bin/julia -v

because

$ codesign -vvv /opt/julia/lib/libjulia.1.9.dylib 
/opt/julia/lib/libjulia.1.9.dylib: invalid signature (code or signature have been modified)
In architecture: arm64

The library in the build directory has correct signature:

$ codesign -vvv usr/lib/libjulia.1.9.dylib
usr/lib/libjulia.1.9.dylib: valid on disk
usr/lib/libjulia.1.9.dylib: satisfies its Designated Requirement

but it gets modified during install:

# Next, overwrite relative path to libjulia-internal in our loader if $(LOADER_BUILD_DEP_LIBS) != $(LOADER_INSTALL_DEP_LIBS)
/private/tmp/julia/usr/tools/stringreplace $(strings -t x - /opt/julia-1.9.0-DEV-811e534c/lib/libjulia.1.9.dylib | grep $(python3 /private/tmp/julia/contrib/relative_path.py /private/tmp/julia/usr/lib /private/tmp/julia/usr/lib/libgcc_s.2.dylib):$(python3 /private/tmp/julia/contrib/relative_path.py /private/tmp/julia/usr/lib /private/tmp/julia/usr/lib/libopenlibm.dylib):@$(python3 /private/tmp/julia/contrib/relative_path.py /private/tmp/julia/usr/lib /private/tmp/julia/usr/lib/libjulia-internal.1.dylib):@$(python3 /private/tmp/julia/contrib/relative_path.py /private/tmp/julia/usr/lib /private/tmp/julia/usr/lib/libjulia-codegen.1.dylib):$ | awk '{print $1;}') $(python3 /private/tmp/julia/contrib/relative_path.py /opt/julia-1.9.0-DEV-811e534c/lib /opt/julia-1.9.0-DEV-811e534c/lib/julia/libgcc_s.2.dylib):$(python3 /private/tmp/julia/contrib/relative_path.py /opt/julia-1.9.0-DEV-811e534c/lib /opt/julia-1.9.0-DEV-811e534c/lib/julia/libopenlibm.dylib):@$(python3 /private/tmp/julia/contrib/relative_path.py /opt/julia-1.9.0-DEV-811e534c/lib /opt/julia-1.9.0-DEV-811e534c/lib/julia/libjulia-internal.1.dylib):@$(python3 /private/tmp/julia/contrib/relative_path.py /opt/julia-1.9.0-DEV-811e534c/lib /opt/julia-1.9.0-DEV-811e534c/lib/julia/libjulia-codegen.1.dylib): 255 "/opt/julia-1.9.0-DEV-811e534c/lib/libjulia.1.9.dylib"

which invalidates the signature.

[fxcoudert]

If I re-sign the faulty library (ad hoc signature), things work:

$ codesign -s -  /opt/julia/lib/libjulia.1.9.dylib
$ codesign -vvv /opt/julia/lib/libjulia.1.9.dylib 
/opt/julia/lib/libjulia.1.9.dylib: valid on disk
/opt/julia/lib/libjulia.1.9.dylib: satisfies its Designated Requirement
$ /opt/julia/bin/julia 
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.9.0-DEV.150 (2022-03-07)
 _/ |\__'_|_|_|\__'_|  |  Commit 811e534ca7 (0 days old master)
|__/                   |

julia> 1.1 + 2
3.1

[gbaraldi]

Normal julia builds don't do explicit codesigning steps, I guess clang signs it or something when building the dylib. I don't know why it loses it during install however. Local codesigning is a bit of a mistery to me 😄 .

[fxcoudert]

Yes, clang codesigns the binaries it produces, as do all compilers on recent macOS. Regarding:

I don't know why it loses it during install however

It doesn't lose the signature, but it becomes invalid after the library binary is modified by stringreplace: the signature is linked to the content, so you can't randomly modify a signed binary without invalidating the signature.

Either the binary must be modified by tools that understand signatures, and re-sign. Or it must be manually re-signed in the makefile, using codesign -s - libtoto.dylib

---

It matters because unsigned binaries are not allowed to run on recent macOS versions (whether Intel or ARM).

[gbaraldi]

Interesting that nobody reported this yet, I guess people don't do make install that often.

[giordano]

In #44510 I'm using ldid to fix the signature of libjulia, which is the same tool we use in BinaryBuilder.

[fxcoudert]

This bug still exists and was not fixed on the release 1.8.0 version, on macOS 12 for ARM:

• download the 1.8.0 release tarball
• run make prefix=/opt/julia-1.8.0 VERBOSE=1 PYTHON=python3 MACOSX_VERSION_MIN=12 install

because:

$ /opt/julia-1.8.0/bin/julia                                                         
zsh: killed     /opt/julia-1.8.0/bin/julia
$ codesign -vvv /opt/julia-1.8.0/lib/libjulia.1.8.dylib
/opt/julia-1.8.0/lib/libjulia.1.8.dylib: invalid signature (code or signature have been modified)
In architecture: arm64

Could you reopen the bug, and backport the fix to the 1.8 branch please?

[fxcoudert]

Fix backported now.