Error when codesigning Racket created executable - codesign_allocate: file not in an order that can be processed
Seamus Brady
I have a Racket based executable that I created using race exe / raco distribute on macOS.
I am trying to code sign it now so it passes through the macOS GateKeeper.
I had to add a few symlinks and edit the Info.plist to get the Racket framework signed. That worked fine. But when I try to sign the actual main executable in the app and the app itself, I am getting the error below:
"codesign_allocate: file not in an order that can be processed (link edit information does not fill the __LINKEDIT segment)"
As a result the app gets rejected by the spctl assess check.
I cannot find any bug reports or Stackoverflow issues about Racket binaries and codesigning on macOS but there seems to be similar problems with other open sources binaries (such as binaries produced by PyInstaller). The problem is a known one.
I was hoping that someone could provide some advice if anyone has seen similar problems.
Thanks in advance
Seamus
Norman Gray
Seamus, hello.
On 2 Jul 2017, at 22:57, Seamus Brady wrote:
> I cannot find any bug reports or Stackoverflow issues about Racket
> binaries and codesigning on macOS but there seems to be similar
> problems with other open sources binaries (such as binaries produced
> by PyInstaller). The problem is a known one.
>
> I was hoping that someone could provide some advice if anyone has seen
> similar problems.
similar a few years ago [1], and concluded that it was infeasible, then.
It seems that signing involves editing the OS X binary, and that is
hard to do after linking.
Apologies if you've already found [1] on stackoverflow -- I mention it
here since the post has a title that isn't obviously about code-signing.
Best wishes,
Norman
[1]
https://stackoverflow.com/questions/4022495/how-can-i-add-sections-to-an-existing-os-x-executable
--
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
Matthew Flatt
removes the signature from the starting executable as it creates a new
one.
Specifically, it looks like `raco exe` fails to detect how much padding
was added to the original `__LINKEDIT` segment to add a code signature,
which is necessary for `raco exe` to remove that signature.
I'll try to fix that problem, but to make progress for now, you can
change
collects/compiler/private/mach-o.rkt
and replace the call on line 164 to `detect-linkedit-padding` with the
constant 12 --- since 12 seems to be the right number for the v6.9
build, but `detect-linkedit-padding` thinks it's 8.
> You received this message because you are subscribed to the Google Groups
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to racket-users...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Matthew Flatt
> to make progress for now, you can
> change
>
> collects/compiler/private/mach-o.rkt
>
> and replace the call on line 164 to `detect-linkedit-padding` with the
> constant 12 --- since 12 seems to be the right number for the v6.9
> build, but `detect-linkedit-padding` thinks it's 8.
Seamus Brady
Thank you Matthew and Norman for taking the time to reply. I got a bit further than Norman :)
The trick from Matthew did the trick and that Racket based app gets signed and passes all the local GateKeeper checks :) Great stuff. This means that I get create a commercial grade application using Racket - I am delighted. Thank you, thank you.
As some extra feedback that may be useful to other readers, I also had to edit the app slightly to conform to Apples latest app guidelines:
I needed to add Resources folder and an Info.plist with the correct CFBundleIdentifier set for the Racket Framework:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="0.9">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>Racket</string>
<key>CFBundleIdentifier</key>
<string>org.racket-lang.Racket</string>
<key>CFBundleIconFile</key>
<string>Starter</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>MrSt</string>
<key>CFBundleVersion</key>
<string>6.9</string>
<key>CFBundleShortVersionString</key>
<string>6.9</string>
<key>NSPrincipalClass</key>
<string>NSApplicationMain</string>
<key>NSHighResolutionCapable</key>
<true></true>
<key>NSSupportsAutomaticGraphicsSwitching</key>
<true></true>
</dict>
</plist>
Then I updated the framework folders using the bash script below so that they conform to the new folder structure as outlined in the Apple docs:
cd .<MyApp>.app/Contents/Frameworks/Racket.framework/Versions/
ln -s ./6.9_3m Current
cd ./<MyApp>.app/Contents/Frameworks/Racket.framework/
ln -s ./Versions/Current/Racket Racket
ln -s ./Versions/Current/Resources Resources
Then I signed the app using the codesign utility as outlined below:
https://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
I hope that helps. Again, many thanks. I am very grateful to get this working. I would have lost weeks ot work otherwise!
Regards
Seamus
David Storrs
--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscribe@googlegroups.com.
Norman Gray
Seamus, hello.
On 3 Jul 2017, at 23:17, Seamus Brady wrote:
> I got a bit further than Norman :)
discussion.
> The trick from Matthew did the trick and that Racket based app gets
> signed and passes all the local GateKeeper checks :) Great stuff.
All the best,
Norman