binutils-wrapper: drop postLinkSignHook
When the linker signs a Mach-O binary, it sets a flag in the signature’s
code directory indicating that the signature was generated by a linker.
Tools such as `strip` and `install_name_tool` read this flag and will
update ad hoc signatures after they perform their modifications.

The updated ld64 supports signing binaries automatically. Both the
updated cctools and LLVM will check for the linker-signed flag and
resign binaries they modify automatically when it’s present. Given that,
use of postLinkSignHook is unnecessary and potentially harmful.

In particular, if the hook is used and an unwrapped `strip` or
`install_name_tool` is on the user’s path, they will not automatically
update an ad hoc signature. Instead, they will issue a warning and
create a binary with a broken signature.

It is more robust to let the tools handle this since the only time a
signature would not be linker-signed is when the user is manually
invoking `codesign` (or another tool such as `sigtool` or `rcodesign`),
which by nature of the invocation updates the signature to a valid one.

Since `strip` no longer needs to be wrapped for code-signing,
binutils-wrapper now uses the GNU strip wrapper on Darwin.

Fixes NixOS#208951.
reckenrode committed May 5, 2024
1 parent 4291908 commit e5280ee
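
The linker-signed flag that the commit message relies on can be checked directly in a binary's code directory. The Python below is an added example, not part of the commit or of nixpkgs; it assumes a thin little-endian 64-bit Mach-O, uses the `CS_LINKER_SIGNED` (0x20000) and `CS_ADHOC` (0x2) values from Apple's `cs_blobs.h`, and `constructed_sample` is a hypothetical helper that builds a minimal constructed input.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O, little-endian
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02
CSSLOT_CODEDIRECTORY = 0
CS_ADHOC, CS_LINKER_SIGNED = 0x00000002, 0x00020000


def code_directory_flags(macho):
    """CodeDirectory flags of a thin 64-bit Mach-O, or None if it is unsigned."""
    magic, _, _, _, ncmds = struct.unpack_from("<5I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", macho, off + 8)
            return _superblob_flags(macho[dataoff:dataoff + datasize])
        off += max(cmdsize, 8)  # always advance, even on a malformed size
    return None


def _superblob_flags(blob):
    magic, _, count = struct.unpack_from(">3I", blob, 0)  # blobs are big-endian
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("unexpected signature blob magic")
    for i in range(count):
        slot, cd_off = struct.unpack_from(">2I", blob, 12 + 8 * i)
        if slot == CSSLOT_CODEDIRECTORY:
            cd_magic, _, _, flags = struct.unpack_from(">4I", blob, cd_off)
            if cd_magic != CSMAGIC_CODEDIRECTORY:
                raise ValueError("bad CodeDirectory magic")
            return flags
    raise ValueError("signature has no CodeDirectory")


def is_linker_signed(macho):
    flags = code_directory_flags(macho)
    return flags is not None and bool(flags & CS_LINKER_SIGNED)


def constructed_sample(flags):
    """Constructed minimal Mach-O: header, LC_CODE_SIGNATURE, signature blob."""
    cd = struct.pack(">4I", CSMAGIC_CODEDIRECTORY, 16, 0x20400, flags)
    sb = struct.pack(">5I", CSMAGIC_EMBEDDED_SIGNATURE, 36, 1, CSSLOT_CODEDIRECTORY, 20) + cd
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    return hdr + struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(sb)) + sb
```

A binary for which `is_linker_signed` returns `False` but `code_directory_flags` is not `None` was signed by something other than the linker, which is the case where the commit message says the tools will not re-sign on their own.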
Showing 2 changed files with 1 addition and 23 deletions.
23 changes: 1 addition & 22 deletions pkgs/build-support/bintools-wrapper/default.nix
Expand Up @@ -55,9 +55,6 @@
# - static armv7l, where compilation fails.
&& !(targetPlatform.isAarch && targetPlatform.isStatic)
) "pie"

# Darwin code signing support utilities
, postLinkSignHook ? null, signingUtils ? null
}:

assert nativeTools -> !propagateDoc && nativePrefix != "";
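Review bot: Dropping `postLinkSignHook ? null, signingUtils ? null` from the argument set, which closes with a plain `}:` and no `...`, means any out-of-tree caller or overlay that still passes either argument will now fail evaluation with an unexpected-argument error. Consider a release-notes entry, or accepting both as ignored arguments for one release with a deprecation warning.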
Expand Down Expand Up @@ -351,7 +348,7 @@ stdenvNoCC.mkDerivation {
##

# TODO(@sternenseemann): make a generic strip wrapper?
+ optionalString (bintools.isGNU or false) ''
+ optionalString (bintools.isGNU or false || bintools.isCCTools or false) ''
wrap ${targetPrefix}strip ${./gnu-binutils-strip-wrapper.sh} \
"${bintools_bin}/bin/${targetPrefix}strip"
''
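Review bot: The new condition `bintools.isGNU or false || bintools.isCCTools or false` is only correct because `or` binds tighter than `||` in Nix; writing it as `(bintools.isGNU or false) || (bintools.isCCTools or false)` would make that obvious to readers. The script is also still named `gnu-binutils-strip-wrapper.sh` while it now wraps cctools `strip` as well, so a short comment or a rename (in line with the TODO above) would help.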
Expand Down Expand Up @@ -390,24 +387,6 @@ stdenvNoCC.mkDerivation {
''
)

##
## Code signing on Apple Silicon
##
+ optionalString (targetPlatform.isDarwin && targetPlatform.isAarch64) ''
echo 'source ${postLinkSignHook}' >> $out/nix-support/post-link-hook
export signingUtils=${signingUtils}
wrap \
${targetPrefix}install_name_tool \
${./darwin-install_name_tool-wrapper.sh} \
"${bintools_bin}/bin/${targetPrefix}install_name_tool"
wrap \
${targetPrefix}strip ${./darwin-strip-wrapper.sh} \
"${bintools_bin}/bin/${targetPrefix}strip"
''

##
## Extra custom steps
##
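Review bot: The removed block was the only visible user of `./darwin-install_name_tool-wrapper.sh` and `./darwin-strip-wrapper.sh`, yet the commit touches only two files, so both scripts stay in the tree. If nothing else references them, delete them in this commit rather than leaving dead files next to the wrapper.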
1 change: 0 additions & 1 deletion pkgs/top-level/all-packages.nix
Expand Up @@ -17091,7 +17091,6 @@ with pkgs;
noLibc = (self.libc == null);

inherit bintools libc;
inherit (darwin) postLinkSignHook signingUtils;
} // extraArgs; in self);

yaml-language-server = callPackage ../development/tools/language-servers/yaml-language-server { };
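Review bot: With `inherit (darwin) postLinkSignHook signingUtils;` gone, this call site no longer consumes either attribute, but the `darwin.postLinkSignHook` and `darwin.signingUtils` definitions are not touched by this commit. Check for remaining users and, if `postLinkSignHook` has none, remove or alias it in a follow-up so it does not linger as an unused attribute.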