Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't sign Teleport binary for Mac due to malformed Mach-O binary #3158

Closed
webvictim opened this issue Nov 14, 2019 · 7 comments · Fixed by #5935
Closed

Can't sign Teleport binary for Mac due to malformed Mach-O binary #3158

webvictim opened this issue Nov 14, 2019 · 7 comments · Fixed by #5935
Assignees
@webvictim
Labels
mac release-engineering
Milestone
6.1

Comments

@webvictim
Copy link
Contributor

webvictim commented Nov 14, 2019
edited
Loading

Signing the tsh and tctl binaries works fine, but attempts to sign the teleport binary on MacOS are failing with the error main executable failed strict validation

Apparently this error is raised when the executable being signed does not conform to Apple's strict Mach-O layout rules (vercel/pkg#128) - I highly suspect that this is because of the way we zip the web assets and tack them onto the end of the binary as part of the build process. We had a similar sort of problem when initially building RPMs - when you run rpmbuild, the default config tries to strip symbols from the binary. In our case, it ended up stripping the web assets because they just look like junk stuck on the end of the file.

Apple will only notarize a package which has a signed payload, so for now we can't sign a full teleport archive (although the client only tsh package I'm working on should be fine)

One idea would be to use something like https://github.com/shurcooL/vfsgen to build the assets directly into the binary rather than the current method.
@webvictim
Copy link
Contributor Author

cc @benarent

@webvictim
Copy link
Contributor Author

Related to #2979

@webvictim webvictim mentioned this issue Nov 14, 2019
Merged
@Zenithar
Copy link

It can be linked to this issue - golang/go#11887

@Zenithar
Copy link

PIE and Upxified teleport binary can be signed successfully.

@webvictim webvictim added the mac label Nov 21, 2019
@russjones
Copy link
Contributor

golang/go#35950

@webvictim webvictim mentioned this issue Jan 8, 2020
Closed
@webvictim webvictim mentioned this issue Mar 16, 2020
Closed
@russjones russjones added this to the 5.0 Codename TBD milestone Jul 2, 2020
@webvictim webvictim mentioned this issue Dec 7, 2020
Closed
@webvictim
Copy link
Contributor Author

Waiting for the release of Go 1.16 which should have support for packaging the webassets inside the binary.

@awly
Copy link
Contributor

awly commented Feb 16, 2021

What a coincidence https://blog.golang.org/go1.16 :)

@webvictim webvictim modified the milestones: Release Engineering, 6.1 Feb 17, 2021
@webvictim webvictim mentioned this issue Feb 17, 2021
Closed
@webvictim webvictim removed their assignment Feb 17, 2021
This was referenced Feb 17, 2021
Closed
Closed
@a-palchikov a-palchikov mentioned this issue Mar 10, 2021
Merged
@webvictim webvictim linked a pull request Mar 24, 2021 that will close this issue
Embed webassets natively into teleport instead of attaching to the binary #5935
Merged
@benarent benarent mentioned this issue May 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@webvictim webvictim

Labels
mac release-engineering
Projects
None yet
Milestone
6.1
Development

Successfully merging a pull request may close this issue.

Embed webassets natively into teleport instead of attaching to the binary gravitational/teleport
4 participants
@Zenithar @webvictim @awly @russjones