Cannot execute binary file on Apple M1

[alucryd]

Hi there, I can't seem to get working binaries for Apple M1, already had a working setup for x86_64 that I basically cloned for arm64.

I'm generating a toolchain using the git HEAD with a 11.3 SDK targeting 11.0 minimum, I'm using the arm64-* set of files but the resulting binaries won't run on an M1 running MacOS 12.4. Do I need to use a higher SDK and minimum OS version or am I missing something?

Host is Arch Linux running LLVM 14.0.6 if that matters.

[etrinh]

Have you compiled https://github.com/thefloweringash/sigtool as well which is required to sign arm binary.
You will need also to compile latest https://github.com/tpoechtrager/cctools-port with pull request tpoechtrager/cctools-port#114 merged to use it when building arm.
It is still preliminar, has bugs (tpoechtrager/cctools-port#122) but I get it to work with some works...

[alucryd]

Thanks for the reply.

I haven't, reading other issues I had assumed osxcross already signed the binaries, there was one particular issue that said stripping the binaries destroyed the embedded signature, implying osxcross did sign them out of the box.

I guess I have more questions then:

• How do I integrate the latest cctools, it seems to be built by osxcross already, do I modify osxcross to use the latest or do I build it on the side?
• The signing must be done manually then, it's not integrated at all in osxcross yet?

[HinTak]

Your association between "stripping binaries destroy signature" and "osxcross integrates binary signing" is flawed.

However you build your binary - even if you do it natively on mac - stripping binary destroy signature: signature is not essential to the functioning of a binary (you can configure your system to not check signatures and run arbitrary unsigned binaries) so is removed by stripping, and a signature contains checksums of the whole binary - including debug regions etc - so stripping also invalidates any such checksums. To have a signed small sized binary without debug info, you should strip it before signing. The building part can be done natively on mac or via osxcross, and the stripping part can also be done on either too.

The last time I checked, signing (or maybe notarization, which depends on signing) must be done natively...

[mrdudz]

Am Freitag, 12. August 2022, 13:08:37 CEST schrieb HinTak:

Your association between "stripping binaries destroy signature" and "osxcross integrates binary signing" is flawed. However you build your binary - even if you do it natively on mac - stripping binary destroy signature: signature is not essential to the functioning of a binary (you can configure your system to not check signatures and run arbitrary unsigned binaries) so is removed by stripping, and a signature contains checksums of the whole binary - including debug regions etc - so stripping also invalidates any such checksums. To have a signed small sized binary without debug info, you should strip it before signing. The building part can be done natively on mac or via osxcross, and the stripping part can also be done on either too. The last time I checked, signing (or maybe notarization, which depends on signing) must be done natively...

Check this: https://gregoryszorc.com/blog/2022/08/08/achieving-a-completely-open-source-implementation-of-apple-code-signing-and-notarization/

…

-- http://hitmen.eu http://ar.pokefinder.org http://vice-emu.sourceforge.net http://magicdisk.untergrund.net Imagination is more important than knowledge. <Albert Einstein>

[etrinh]

Extract cctools content in osxcross/temp/cctools-port
Rebuild osxcross
Compile and install sigtool
It will be transparently called by osxcross

[HinTak]

Oh, thanks for the url!

[alucryd]

Finally had time to go back to this one. Thanks everyone for the answers. I tried almost everything, here are my findings:

• Standalone codesign doesn't work:

./codesign -f -s - ~/Buildbot/armv8_osx/ffmpeg-armv8_osx/staging/bin/ffmpeg
terminate called after throwing an instance of 'std::runtime_error'
  what():  Failed to spawn codesign_allocate: No such file or directory

• Standalone sigtool doesn't work for everything, looks like stripping in particular hurts it:

sigtool -f bin/ffdetect inject
terminate called after throwing an instance of 'std::runtime_error'
  what():  allocated size too small: need 2205 but have 2135

• rcodesign appears to work every time, but it can't verify its own signature:

~/.cargo/bin/rcodesign verify ~/Buildbot/armv8_osx/ffmpeg-armv8_osx/staging/bin/ffprobe
no cryptographic signature present
Error: problems reported during verification

• building osxcross with the git HEAD of cctools and setting CODESIGN_DEBUG=1 shows the same error as standalone codesign:

[cctools-port]: generating fake signature for 'ffmpeg'
[cctools-port]: /home/embybuilder/Buildbot/armv8_osx/toolchain/bin/codesign -s - -f ffmpeg
terminate called after throwing an instance of 'std::runtime_error'
  what():  Failed to spawn codesign_allocate: No such file or directory

I understand codesign_allocate comes from apple's cctools, is it not part of cctools-port then? Does that mean we can't use it on a Linux machine?

Note that I have yet to try any of the signed binaries on an M1, that's the next step.

Edit: I guess the rcodesign error is normal, I understand ad-hoc signing doesn't have any cryptographic proof.

[gedw99]

Thanks @alucryd

you signing ffmpeg with that rust tool and it’s working?

i Hit exactly the same problem and was baffled about the best way forward. I will try it here

I assume I need to buy an apple developer license for 99 euros still ?

[alucryd]

@gedw99 Yeah, rcodesign is working fine for us, haven't had to purchase anything, our builds are running on M1.

[gedw99]

Wow @alucryd how did you do that ? Apple makes it harder and harder

https://gregoryszorc.com/docs/apple-codesign/0.17.0/apple_codesign_getting_started.html#apple-codesign-app-store-connect-api-key

Says you must cough up dollars to apple. Elons musks Twitter blue badge is a charity compared to apple badge of apple fanboy Stockholm syndrome

[alucryd]

@gedw99 Invoking rcodesign on the resulting binaries is enough: rcodesign sign $f.