RESOLVED FIXED 242730
Xcode 14 beta: `error: An empty identity is not valid when signing a binary for the product type 'Command-line Tool'.`
https://bugs.webkit.org/show_bug.cgi?id=242730
Elliott Williams
Reported 2022-07-13 17:41:08 PDT
I noticed while working on the open-source Ventura bringup that TestWebKitAPI and WebKitTestRunner have different signing settings than any other project, resulting in them using a "default" code-signing identity when building with the public SDK. This results in build failures like:

error: An empty identity is not valid when signing a binary for the product type 'Command-line Tool'. (in target 'WebKitTestRunner' from project 'WebKitTestRunner')
Elliott Williams
Comment 1 2022-07-13 17:45:11 PDT
Radar WebKit Bug Importer
Comment 2 2022-07-20 17:42:16 PDT
EWS
Comment 3 2022-08-12 14:29:58 PDT
Committed 253391@main (3a3ad5eba5c5): <https://commits.webkit.org/253391@main> Reviewed commits have been landed. Closing PR #2396 and removing active labels.
Karl Rackler
Comment 4 2022-08-15 09:33:57 PDT
This reverts commit 3a3ad5e.
Unreviewed revert
This reverts because causing 121 api test failures.
Canonical link: https://commits.webkit.org/253426@main
Elliott Williams
Comment 5 2022-08-15 18:04:53 PDT
Re-opening for pull request https://github.com/WebKit/WebKit/pull/3334
EWS
Comment 6 2022-08-16 12:11:03 PDT
Committed 253474@main (d245aed03e29): <https://commits.webkit.org/253474@main> Reviewed commits have been landed. Closing PR #3334 and removing active labels.
Elliott Williams
Comment 7 2022-08-17 11:36:56 PDT
EWS
Comment 8 2022-08-17 11:39:26 PDT
Committed 253527@main (808d943f6997): <https://commits.webkit.org/253527@main> Reviewed commits have been landed. Closing PR #3414 and removing active labels.
Elliott Williams
Comment 9 2022-08-17 11:40:48 PDT
Elliott Williams
Comment 10 2022-08-17 14:19:49 PDT
Elliott Williams
Comment 11 2022-09-02 12:32:38 PDT
Since this has gone on for a while, I should summarize the problem.

First, Xcode 14 now defaults to requiring Mac executables to be signed. Other projects have had to adapt to this change by defaulting to ad-hoc signing where they could previously opt out. (e.g. https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7350)

I've been trying to use ad-hoc signing for open-source builds of TestWebKitAPI and WebKitTestRunner, but that has caused trusted execution problems. Here's my best understanding as to why.

- When EWS builds for Mac: On Intel, we DO NOT sign TestWebKitAPI and WebKitTestRunner. On Apple Silicon, we "linker sign" them, which is a minimal signing technique that doesn't call `codesign` and ignores entitlements.
- When EWS builds for iOS (and other embedded Apple platforms): We ad-hoc sign. This is Xcode's default, as far as I am aware, because the simulators have stricter enforcement of signed binaries.
- When Apple engineers build TestWebKitAPI and WebKitTestRunner internally, they sign with the WK_ENGINEERING_CODE_SIGN_IDENTITY. When Apple builds these projects in production, they are ad-hoc signed. Both methods use `codesign` and embed entitlements.
- TestWebKitAPI and WebKitTestRunner both have entitlements which require their binaries to have a valid signature, notably NOT an ad-hoc signature. But, since open-source builds are not formally signed, these entitlements are never present on EWS.

I have tried to fix the build issue two separate ways:

- Disable code signing altogether: When I tried this, iOS test runs started breaking, because of the simulator's signature enforcement.
- Use ad-hoc signing for Mac WKTR and TestWebKitAPI: Doing this embeds the sensitive entitlements, which prevent execution on testers. Notably, it's not machine-dependent. I can re-sign these binaries on the test machines with the same entitlement plist, and they will still fail to launch.

The kernel logs this message:

2022-09-02 10:58:36.789 Df kernel.development[0:1d5aaf] mac_vnode_check_signature: /Users/emw/Downloads/Release/TestWebKitAPI: code signature validation failed fatally: When validating /Users/emw/Downloads/Release/TestWebKitAPI: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:

--

With this in mind, the next thing I want to try to do is turning off these entitlements for open-source builds. Hopefully that can produce ad-hoc-signed executables that will pass the signature check. Alternatively, we could try disabling code signing again, but this time only for Mac builds.

Ultimately, it seems like a liability that we do not have a real signing identity for EWS. We should consider creating one and installing it on all EWS builders and testers so that we can do more advanced signing with our open-source build.
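Added example (not part of the bug thread or of WebKit's build scripts): a shell triage helper that tells the signing modes described in comment 11 apart from `codesign -dvv` text and flags an ad-hoc signature that carries entitlements. The function names, the sample `codesign` output and the placeholder entitlement keys are constructed for illustration; the page does not name the entitlements involved.

```shell
#!/bin/sh
# Added example: classify how a binary was signed from `codesign -dvv` text.
# All sample text below is constructed, not captured from an EWS machine.

LINKER_SAMPLE='Executable=/tmp/Release/TestWebKitAPI
CodeDirectory v=20400 size=512 flags=0x20002(adhoc,linker-signed) hashes=13+0 location=embedded
Signature=adhoc'

ADHOC_SAMPLE='Executable=/tmp/Release/TestWebKitAPI
CodeDirectory v=20500 size=640 flags=0x2(adhoc) hashes=13+2 location=embedded
Signature=adhoc'

# Placeholder keys: the page does not name the entitlements involved.
ENT_SAMPLE='<plist version="1.0"><dict><key>com.example.placeholder-a</key><true/><key>com.example.placeholder-b</key><true/></dict></plist>'

# classify_signature TEXT -> unsigned | linker-signed | adhoc | identity | unknown
# Linker-signed code also reports Signature=adhoc, so test for it first.
classify_signature() {
    case "$1" in
        *"not signed at all"*) echo unsigned ;;
        *linker-signed*)       echo linker-signed ;;
        *Signature=adhoc*)     echo adhoc ;;
        *Authority=*)          echo identity ;;
        *)                     echo unknown ;;
    esac
}

# count_entitlements XML -> number of <key> elements.
# Counts occurrences, not lines, because the plist may arrive on one line.
count_entitlements() {
    printf '%s' "$1" | grep -o '<key>' | wc -l | tr -d ' '
}

# triage SIG_TEXT ENT_XML -> one-line verdict
triage() {
    kind=$(classify_signature "$1")
    n=$(count_entitlements "$2")
    case "$kind:$n" in
        adhoc:0) echo "adhoc: no entitlements embedded" ;;
        adhoc:*) echo "adhoc: $n entitlement key(s) embedded; check for restricted ones" ;;
        *)       echo "$kind: $n entitlement key(s)" ;;
    esac
}

# On a Mac, feed it real output:
#   triage "$(codesign -dvv "$bin" 2>&1)" "$(codesign -d --entitlements - --xml "$bin" 2>/dev/null)"
triage "$LINKER_SAMPLE" ""
triage "$ADHOC_SAMPLE" "$ENT_SAMPLE"
```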
EWS
Comment 12 2022-09-06 11:58:45 PDT
Committed 254192@main (e347e3e762ae): <https://commits.webkit.org/254192@main> Reviewed commits have been landed. Closing PR #3428 and removing active labels.
Elliott Williams
Comment 13 2023-01-13 15:14:10 PST
Re-opening for pull request https://github.com/apple/WebKit/pull/288
EWS
Comment 14 2023-01-13 18:37:15 PST
Committed 252432.1028@safari-7614-branch (aa02d3f68425): <https://commits.webkit.org/252432.1028@safari-7614-branch> Reviewed commits have been landed. Closing PR #288 and removing active labels.