Apply an ad-hoc signature after modifying IDs

[mistydemeo]

If we make any changes to a signed binary, we invalidate the signature. Without resigning, the resulting binary is unusable. To my knowledge, there's no disadvantage to signing an unsigned binary using an ad-hoc signature, so we can just do this unconditionally to ensure we don't end up creating bad binaries. The ad-hoc signature should always be available and always work, so this should be safe to do in all circumstances.

I do still need to confirm which OS versions this will work with.

[woodruffw]

LGTM! Do you happen to have a before-and-after diff of the ad-hoc signed binary? I can look into reimplementing it in pure-Ruby at a later point 🙂

[MikeMcQuaid]

Makes sense to me! A few style suggestions but something like this would be a good fit.

[woodruffw]

Nit: I think it might make sense to raise an UnsupportedError or similar here instead of silently returning. I can take care of that this afternoon, if that sounds good to others.

[mistydemeo]

Thinking of having that be rescued in each of the Tools methods?

[woodruffw]

Ah, I guess it would have to be, to avoid breaking those methods on non-macOS platforms 😞

Hmm, that itself isn't ideal. I'm fine with leaving it as is for now 😅

[SMillerDev]

I'm having an issue on the Big Sur beta that fails some ruby gem builds with this error, is it related?:

Error: Failed to read Mach-O binary: /usr/local/Cellar/test-kitchen/2.7.2/libexec/extensions/universal-darwin-20/2.6.0/bcrypt_pbkdf-1.0.1/bcrypt_pbkdf_ext.bundle
Error: An exception occurred within a child process:
  MachO::LoadCommandError: Unrecognized Mach-O load command: 0x80000034

[woodruffw]

@SMillerDev That's unrelated, but it's also a new change to Mach-O:

#define LC_DYLD_EXPORTS_TRIE (0x33 | LC_REQ_DYLD) /* used with linkedit_data_command, payload is trie */
#define LC_DYLD_CHAINED_FIXUPS (0x34 | LC_REQ_DYLD) /* used with linkedit_data_command */

I'll create a PR for it in a moment.