GNU bug report logs - #43878
emacs fails to build on recent macOS 11.0 ARM betas

Previous Next

Package: emacs;

Reported by: Itai Seggev <is <at> cs.hmc.edu>

Date: Fri, 9 Oct 2020 07:30:01 UTC

Severity: important

Tags: fixed

Merged with 44774

Found in version 27.1

Fixed in version 28.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Daniel Martín <mardani29 <at> yahoo.es>
To: Itai Seggev <is <at> cs.hmc.edu>
Cc: 43878 <at> debbugs.gnu.org
Subject: bug#43878: emacs fails to build on recent macOS 11.0 ARM betas
Date: Fri, 09 Oct 2020 22:57:41 +0200

Itai Seggev <is <at> cs.hmc.edu> writes:

> In the last few betas of macOS on ARM, Apple has start enforcing a requirement
> that all code be properly signed.  The linker automatically adds an "ad-hoc"
> signature.  (At least for now, this is not required on x86_64, though I imagine
> it is only a matter of time given Apple's public statements on code signing.)
>
> The emacs build fails when the temacs is called to compile the Lisp files.
> I've tracked this down to the call to make-fingerprint on temacs.tmp.  The call
> modifies the Macho-O temacs.tmp after it was linked and signed, invaldinating
> the code signature.  When it is launched, it is killed with a SIGABORT by the
> OS due to the invalid signature.
>
> I've come up with a couple of workarounds in my local build.  First, if I
> modifiy make-fingerprint to not store the result in the Mach-O, then everything
> seems to build fine.  It's not entirely clear to me what the purpose of this
> modification of the Macho-O is, so I don't know if such a solution is
> acceptable upstream.
>
> If it is not, then the signature _must_ be repaired after make-fingerprint is
> run.  This can be done quite simply, using 'codesign -s - -f temacs.tmp', which
> creates a new "ad-hoc" signature for the executable.
>
> If necessary, I am happy to test a patch / branch on my machine.
>

The approach to resign the executable after temacs invalidates the
digital signature seems like a good approach to me. It's also
the recommended approach in Apple's release notes:
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11-universal-apps-beta-release-notes

Note that we may want to preserve some metadata from the original
digital signature and resign the Mach-O file with something like:

codesign -s - —preserve-metadata=identifier,entitlements,flags,runtime -f temacs.tmp

But I'm not sure if it'd make a significant difference.
This bug report was last modified 4 years and 180 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.