Bug 242730
| Summary: | Xcode 14 beta: `error: An empty identity is not valid when signing a binary for the product type 'Command-line Tool'.` | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Elliott Williams <emw> |
| Component: | Tools / Tests | Assignee: | Elliott Williams <emw> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ap, fred.wang, jbedard, rackler, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=243934 | ||
| Bug Depends on: | 244043 | ||
| Bug Blocks: | 242429 | ||
Elliott Williams
I noticed while working on the open-source Ventura bringup that TestWebKitAPI and WebKitTestRunner have different signing setting than any other project, resulting in them using a "default" code-signing identity when building with the public SDK. This results in build failures like:
error: An empty identity is not valid when signing a binary for the product type 'Command-line Tool'. (in target 'WebKitTestRunner' from project 'WebKitTestRunner')
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Elliott Williams
Pull request: https://github.com/WebKit/WebKit/pull/2396
Radar WebKit Bug Importer
<rdar://problem/97350087>
EWS
Committed 253391@main (3a3ad5eba5c5): <https://commits.webkit.org/253391@main>
Reviewed commits have been landed. Closing PR #2396 and removing active labels.
Karl Rackler
This reverts commit 3a3ad5e.
Unreviewed revert
This reverts because causing 121 api test failures.
Canonical link: https://commits.webkit.org/253426@main
Elliott Williams
Re-opening for pull request https://github.com/WebKit/WebKit/pull/3334
EWS
Committed 253474@main (d245aed03e29): <https://commits.webkit.org/253474@main>
Reviewed commits have been landed. Closing PR #3334 and removing active labels.
Elliott Williams
Reverted by https://github.com/WebKit/WebKit/pull/3414
EWS
Committed 253527@main (808d943f6997): <https://commits.webkit.org/253527@main>
Reviewed commits have been landed. Closing PR #3414 and removing active labels.
Elliott Williams
Reverted in https://commits.webkit.org/253527@main
Elliott Williams
Pull request: https://github.com/WebKit/WebKit/pull/3428
Elliott Williams
Since this has gone on for awhile, I should summarize the problem.
First, Xcode 14 now defaults to requiring Mac executables to be signed. Other projects have had to adapt to this change by defaulting to ad-hoc signing where they could previously opt out. (e.g. https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7350)
I've been trying to use ad-hoc signing for open-source builds of TestWebKitAPI and WebKitTestRunner, but that has caused trusted execution problems. Here's my best understanding as to why.
- When EWS builds for Mac: On Intel, we DO NOT sign these TestWebKitAPI and WebKitTestRunner. On Apple Silicon, we "linker sign" them, which is a minimal signing technique that doesn't call `codesign` and ignores entitlements.
- When EWS builds for iOS (and other embedded Apple platforms): We ad-hoc sign. This is Xcode's default, as far as I am aware, because the simulators have stricter enforcement of signed binaries.
- When Apple engineers build TestWebKitAPI and WebKitTestRunner internally, they sign with the WK_ENGINEERING_CODE_SIGN_IDENTITY. When Apple builds these projects in production, they are ad-hoc signed. Both methods use `codesign` and embed entitlements.
- TestWebKitAPI and WebKitTestRunner both have entitlements which require their binaries to have a valid signature, notably NOT an ad-hoc signature. But, since open-source builds are not formally signed, these entitlements are never present on EWS.
I have tried to fix the build issue two separate ways:
- Disable code signing altogether: When I tried this, iOS test runs started breaking, because of the simulator's signature enforcement.
- Use ad-hoc signing for Mac WKTR and TestWebKitAPI: Doing this embeds the sensitive entitlements, which prevent execution on testers. Notably, it's not machine-dependent. I can re-sign these binaries on the test machines with the same entitlement plist, and they will still fail to launch. The kernel logs this message:
2022-09-02 10:58:36.789 Df kernel.development[0:1d5aaf] mac_vnode_check_signature: /Users/emw/Downloads/Release/TestWebKitAPI: code signature validation failed fatally: When validating /Users/emw/Downloads/Release/TestWebKitAPI:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
--
With this in mind, the next thing I want to try to do is turning off these entitlements for open-source builds. Hopefully that can produce ad-hoc-signed executables that will pass the signature check.
Alternatively, we could try disabling code signing again, but this time only for Mac builds.
Ultimately, it seems like a liability that we do not have a real signing identity for EWS. We should consider creating one and installing it on all EWS builders and testers so that we can do more advanced signing with our open-source build.
EWS
Committed 254192@main (e347e3e762ae): <https://commits.webkit.org/254192@main>
Reviewed commits have been landed. Closing PR #3428 and removing active labels.
Elliott Williams
Re-opening for pull request https://github.com/apple/WebKit/pull/288
EWS
Committed 252432.1028@safari-7614-branch (aa02d3f68425): <https://commits.webkit.org/252432.1028@safari-7614-branch>
Reviewed commits have been landed. Closing PR #288 and removing active labels.