deno compile binaries cannot be code signed (macOS, Windows) #11154

Closed
AlexanderOMara opened this issue Jun 27, 2021 · 4 comments · Fixed by #24604
Labels
compile related to the `deno compile` feature feat new feature (which has been agreed to/accepted)

Comments

AlexanderOMara commented Jun 27, 2021

It looks like the current deno compile implementation simply appends data to the deno binary (like a self-extracting ZIP). Trouble is, since this data isn't integrated as part of the actual executable data, it isn't possible to sign the resulting binary.

For example, on macOS you can't sign the binary:

$ deno compile https://deno.land/[email protected]/examples/cat.ts
Check https://deno.land/[email protected]/examples/cat.ts
Bundle https://deno.land/[email protected]/examples/cat.ts
Compile https://deno.land/[email protected]/examples/cat.ts
Emit cat
$ sudo codesign -s- cat
cat: main executable failed strict validation

Or on Windows signing appears to work, but the signature is appended to become the last thing in the file, so the binary acts like a plain old deno binary again:

PS Microsoft.PowerShell.Core\FileSystem::\\vmware-host\Shared Folders\deno> Set-AuthenticodeSignature .\cat.exe -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)


    Directory: \\vmware-host\Shared Folders\deno


SignerCertificate                         Status                         Path
-----------------                         ------                         ----
1920E80F7BCC0A083ED26CA2CD2A7CFB5B9FA5C6  Valid                          cat.exe


PS Microsoft.PowerShell.Core\FileSystem::\\vmware-host\Shared Folders\deno> .\cat
Deno 1.11.2
exit using ctrl+d or close()
>

Note: Signing the deno binary first also wouldn't help, since modifying the file (appending data) would invalidate the signature by necessity.

In order to be able to sign the binary on macOS, the data would have to be added to the executable as something it recognized, such as a new segment.

I did some research on what it would take to do this on macOS recently, and it's not too hard with a little know-how. All you really have to do is insert a new segment, shift the __LINKEDIT load command down, adjust a few other commands that point to it, and read the segment at run-time.

I've seen similar things done on Windows too, so I'm fairly certain a similar solution for Windows is possible. Putting it in the EXE's resources might also be an option (resource editing would also enable #8912).
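The Mach-O surgery sketched in the comment above (add a segment for the payload, shift __LINKEDIT down, read the segment back at run time), as an added worked example that is not Deno's code and not the reporter's. It is a standalone Python script over a constructed toy Mach-O rather than a real `deno` binary: `build_macho64` fabricates a header plus a few LC_SEGMENT_64 commands with filler bytes, `trailing_bytes` reports how much of a file lies outside every segment (the condition an appended bundle creates and that strict validation refuses), `append_payload` mirrors the append-to-the-end layout the report describes, and `embed_as_segment` does the segment insertion instead. The segment name `__DENO`, the `headerpad` slack size and the absence of LC_SYMTAB/LC_CODE_SIGNATURE commands in the toy are assumptions; the comments say which offsets a real binary would additionally need fixed.

```python
import struct

# Mach-O constants and record layouts from <mach-o/loader.h> (64-bit, little-endian).
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"       # mach_header_64
SEG_FMT = "<II16sQQQQiiII"     # segment_command_64 without section entries
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32
SEG_LEN = struct.calcsize(SEG_FMT)         # 72
PAGE = 0x1000


def build_macho64(layout, headerpad=256):
    """Constructed test input, not a real executable: a header, one LC_SEGMENT_64
    per (name, fileoff, filesize) entry, 0xAA filler standing in for code/data,
    and a zeroed headerpad after the load commands (assumed, like ld -headerpad)."""
    cmds = [struct.pack(SEG_FMT, LC_SEGMENT_64, SEG_LEN, name.encode().ljust(16, b"\0"),
                        fileoff, filesize, fileoff, filesize, 7, 5, 0, 0)
            for name, fileoff, filesize in layout]
    lc = b"".join(cmds)
    lc_end = HEADER_LEN + len(lc)
    if lc_end + headerpad > layout[0][2]:
        raise ValueError("load commands do not fit in the first segment")
    out = bytearray(b"\xAA" * max(fo + fs for _, fo, fs in layout))
    out[:lc_end] = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                               len(cmds), len(lc), 0, 0) + lc
    out[lc_end:lc_end + headerpad] = bytes(headerpad)
    return bytes(out)


def load_commands(data):
    """Yield (offset, cmd, cmdsize) for every load command in the header."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    out, off = [], HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        out.append((off, cmd, cmdsize))
        off += cmdsize
    return out


def segments(data):
    """(name, fileoff, filesize) for each LC_SEGMENT_64, in load-command order."""
    out = []
    for off, cmd, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from(SEG_FMT, data, off)
            out.append((f[2].rstrip(b"\0").decode(), f[5], f[6]))
    return out


def trailing_bytes(data):
    """Bytes past the end of the last segment's file extent. Anything > 0 is
    covered by no segment, which is what an appended bundle produces."""
    return len(data) - max(fo + fs for _, fo, fs in segments(data))


def append_payload(data, payload):
    """The layout the report describes: the bundle is simply tacked on the end."""
    return data + payload


def embed_as_segment(data, name, payload):
    """Insert a new LC_SEGMENT_64 just before __LINKEDIT, place the payload at
    __LINKEDIT's old file offset and push __LINKEDIT down so it stays last in the
    file. The new load command eats headerpad slack, so no other offset moves.
    A real binary also needs every command holding __LINKEDIT offsets (LC_SYMTAB,
    LC_DYSYMTAB, LC_CODE_SIGNATURE, LC_FUNCTION_STARTS, ...) shifted by `size`;
    the toy has none, so only the segment command itself is patched here."""
    size = -(-len(payload) // PAGE) * PAGE            # keep __LINKEDIT page aligned
    hdr = list(struct.unpack_from(HEADER_FMT, data, 0))
    lc_end = HEADER_LEN + hdr[5]
    le_off = next((off for off, cmd, _ in load_commands(data) if cmd == LC_SEGMENT_64
                   and data[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT"), None)
    if le_off is None:
        raise ValueError("no __LINKEDIT segment")
    if data[lc_end:lc_end + SEG_LEN] != bytes(SEG_LEN):
        raise ValueError("no headerpad slack for another load command")
    le = list(struct.unpack_from(SEG_FMT, data, le_off))
    first_off = le[5]                                 # payload lands where __LINKEDIT was
    newseg = struct.pack(SEG_FMT, LC_SEGMENT_64, SEG_LEN, name.encode().ljust(16, b"\0"),
                         le[3], size, first_off, size, 1, 1, 0, 0)   # read-only segment
    le[3] += size                                     # vmaddr
    le[5] += size                                     # fileoff
    hdr[4] += 1                                       # ncmds
    hdr[5] += SEG_LEN                                 # sizeofcmds
    head = (data[:le_off] + newseg + struct.pack(SEG_FMT, *le)
            + data[le_off + SEG_LEN:lc_end] + data[lc_end + SEG_LEN:first_off])
    head = struct.pack(HEADER_FMT, *hdr) + head[HEADER_LEN:]
    return head + payload.ljust(size, b"\0") + data[first_off:]


def read_segment(data, name):
    """Run-time side: find the segment by name and return its file bytes."""
    for seg, fileoff, filesize in segments(data):
        if seg == name:
            return data[fileoff:fileoff + filesize]
    raise KeyError(name)


if __name__ == "__main__":
    bundle = b"console.log('constructed stand-in for the bundled script')"
    base = build_macho64([("__TEXT", 0, PAGE), ("__DATA", PAGE, PAGE), ("__LINKEDIT", 2 * PAGE, 0x200)])
    print("appended   -> trailing bytes:", trailing_bytes(append_payload(base, bundle)))
    fixed = embed_as_segment(base, "__DENO", bundle)
    print("as segment -> trailing bytes:", trailing_bytes(fixed), "segments:", segments(fixed))
```

`trailing_bytes` is also a useful pre-flight check on a real `deno compile` output (after swapping `build_macho64` for reading the file): a non-zero result means `codesign` will be asked to cover bytes that belong to no segment. Fat (universal) binaries need the per-slice headers walked first, which the script does not do.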

kitsonk (Contributor) commented Jun 27, 2021

Ref #575

mxcl commented May 15, 2023

Notably this is preventing us from bundling pkgx with our .app since it means the notarization fails.

Additionally this prevented us from adding pkgx to Homebrew since their automation requires code signing for M1/M2 chips.

jdoleary added a commit to jdoleary/Eden that referenced this issue Sep 18, 2023
to be distributed so that mac users
can run eden without gatekeeper blocking it.
(Signing does not yet work for Deno executables)
denoland/deno#11154
denoland/deno#17753
denoland/deno#986
chudnyi commented Mar 24, 2024

> Notably this is preventing us from bundling tea/cli with tea/gui (our .app) since it means the notarization fails.
>
> Additionally this prevented us from adding tea/cli to Homebrew since their automation requires code signing for M1/M2 chips.

How did you get the "pkgx" binary that macOS skips and allows to run if signing via codesign crashes?

mxcl commented May 8, 2024

We sign with || true (lol) which leaves a somewhat signed binary. The main trick we are using is that installing things via curl bypasses gatekeeper.
