
fix(fix-machos): preserve adhoc flag when re-signing entitled binaries#349

Open
tannevaled wants to merge 1 commit into pkgxdev:main from tannevaled:fix/codesign-adhoc-flag

Conversation

@tannevaled
Contributor

Summary

  • `--preserve-metadata=entitlements,requirements,flags,runtime` does NOT preserve the adhoc flag (0x2) when re-signing. codesign treats the adhoc bit as identity-derived rather than a preservable flag, so the result is a signed-but-not-adhoc binary (`flags=0x0(none)`).
  • This breaks any binary that needs Virtualization.framework entitlements on macOS: the OS rejects `com.apple.security.virtualization` access if the binary isn't properly ad-hoc signed. Most visible symptom: lima's `limactl start <vm>` with `vmType: vz` silently exits with no error when run from pkgx, while the same version from brew works fine. See pkgxdev/pantry#7853 ("lima-vm: vz error with the pkgx version, not with the brew one").
  • Fix: when signing ad-hoc (`signing_id == "-"`) AND the binary has entitlements, take the strip-and-re-sign path directly. That path uses `--entitlements <file>` instead of `--preserve-metadata`, which produces a clean signature with `flags=0x2(adhoc)` — matching what `codesign -s -` from the binary's own Makefile would produce.
  • Extracted the strip-and-re-sign path into a helper (`resign_with_entitlements!`) so the two codepaths can't drift.

Diagnostic before/after

Tested on a pkgx-installed `limactl`:

before: CodeDirectory v=20400 flags=0x0(none)  location=embedded
after:  CodeDirectory v=20400 flags=0x2(adhoc) location=embedded

Entitlements (the 3 lima needs: `com.apple.security.network.client`, `com.apple.security.network.server`, `com.apple.security.virtualization`) are preserved in both cases.

Test plan

  • Build any darwin recipe whose binary already does its own `codesign --entitlements` step (e.g. `lima-vm.io`)
  • Verify the resulting bottle binary has `flags=0x2(adhoc)` set
  • Verify entitlements survive (`codesign --display --entitlements -`)
  • Sanity-check non-entitled binaries still get signed correctly (most pkgx bottles)
  • Confirm lima `limactl start <vm>` with `vmType: vz` works from a freshly-built bottle on macOS 15+ (the primary bug report)

Risk

  • Touches the codesigning logic that runs on every darwin macho file
  • Behavior change is narrow: only when (signing_id is ad-hoc) AND (binary has entitlements). Both conditions are required — non-entitled binaries take the original path unchanged
  • The fallback path it uses was already in the codebase as the "preserve-metadata failed" branch; this just makes it the primary path for the entitled+ad-hoc case

🤖 Generated with Claude Code

`--preserve-metadata=entitlements,requirements,flags,runtime` does NOT
preserve the adhoc flag (0x2) when re-signing. codesign treats the
adhoc bit as identity-derived rather than a preservable flag, so the
result is a signed-but-not-adhoc binary (flags=0x0(none)).

This breaks any binary that needs Virtualization.framework entitlements
on macOS: the OS rejects `com.apple.security.virtualization` access if
the binary isn't properly ad-hoc signed. Most visible symptom: lima's
`limactl start <vm>` with `vmType: vz` silently exits with no error
when run from pkgx, while the same version from brew works fine.

See pkgxdev/pantry#7853.

Fix: when signing ad-hoc (signing_id == "-") AND the binary has
entitlements, take the strip-and-re-sign path directly. That path
uses `--entitlements <file>` instead of `--preserve-metadata`, which
produces a clean signature with flags=0x2(adhoc) — matching what
`codesign -s -` from the binary's own Makefile would produce.

Extracted the strip-and-re-sign path into a helper to keep the two
codepaths from drifting.

Diagnostic before/after on a pkgx-installed limactl:

  before: CodeDirectory v=20400 flags=0x0(none) location=embedded
  after:  CodeDirectory v=20400 flags=0x2(adhoc) location=embedded
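The two signing paths and the post-sign check described above, as an added Ruby example that is neither brewkit's `fix-machos` code nor the PR's `resign_with_entitlements!` helper. The function names, the `--remove-signature` then `--force -s -` invocation, and the sample `codesign -d -vvv` output are assumptions constructed for illustration.

```ruby
require 'shellwords'

# Bit the PR cares about in the CodeDirectory flags word: 0x2 = adhoc.
ADHOC_FLAG = 0x2

# Assumed helper (not brewkit's resign_with_entitlements!): returns the
# codesign invocations for one Mach-O, applying the PR's rule. Ad-hoc
# identity ("-") together with an entitlements file means strip and
# re-sign with --entitlements; every other case keeps --preserve-metadata.
def codesign_commands(binary, signing_id, entitlements_path = nil)
  if signing_id == '-' && entitlements_path
    [
      ['codesign', '--remove-signature', binary],
      ['codesign', '--force', '-s', '-', '--entitlements', entitlements_path, binary]
    ]
  else
    [['codesign', '--force', '-s', signing_id,
      '--preserve-metadata=entitlements,requirements,flags,runtime', binary]]
  end
end

# Render the argv lists as shell lines (for logging or a dry run).
def codesign_script(binary, signing_id, entitlements_path = nil)
  codesign_commands(binary, signing_id, entitlements_path)
    .map { |argv| Shellwords.join(argv) }
end

# Pull the numeric flags word out of `codesign -d -vvv` output, e.g.
#   CodeDirectory v=20400 flags=0x2(adhoc) location=embedded
# Returns nil when no CodeDirectory line is present (unsigned binary).
def codedirectory_flags(codesign_output)
  m = codesign_output.match(/^CodeDirectory\b.*\bflags=0x([0-9a-fA-F]+)/)
  m && m[1].to_i(16)
end

# The post-sign check from the test plan: is the adhoc bit set?
def adhoc_signed?(codesign_output)
  flags = codedirectory_flags(codesign_output)
  !flags.nil? && (flags & ADHOC_FLAG) != 0
end

# Constructed sample output, matching the before/after lines in the PR.
BEFORE_OUTPUT = "Executable=/tmp/limactl\nCodeDirectory v=20400 flags=0x0(none) location=embedded\n"
AFTER_OUTPUT  = "Executable=/tmp/limactl\nCodeDirectory v=20400 flags=0x2(adhoc) location=embedded\n"

if __FILE__ == $PROGRAM_NAME
  puts codesign_script('/tmp/limactl', '-', '/tmp/lima.entitlements')
  puts "before adhoc? #{adhoc_signed?(BEFORE_OUTPUT)}, after adhoc? #{adhoc_signed?(AFTER_OUTPUT)}"
end
```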
Copilot AI review requested due to automatic review settings May 29, 2026 09:26

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.
