Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: code signing command is not the last loader command, so cannot remove it (easily) without corrupting the binary error #317

Open
cfergeau opened this issue Mar 4, 2024 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@cfergeau
Copy link
Contributor

cfergeau commented Mar 4, 2024

What happened:

I'm getting this error code signing command is not the last loader command, so cannot remove it (easily) without corrupting the binary quite often with binaries built with golang 1.21. Looking at them with machoview, there's a LC_SEGMENT_64 (__DWARF) command after the LC_CODE_SIGNATURE command, so it's expected that isSigningCommandLastLoader reports false

What you expected to happen:

No error, and a signed binary :)

How to reproduce it (as minimally and precisely as possible):

I can reproduce this with the binaries from https://github.com/crc-org/crc or https://github.com/crc-org/vfkit

Anything else we need to know?:

Looking at the code quill/macho/file.go and at the outptu of machoview , it looks like it should be doable to either reorder the load commands (they are only pointers to other parts of the file), or to reuse the signature command instead of first removing it, and then recreating it. The signature command, while not last in the load commands array, contains an offset + len which correspond to the end of the file (ie offset + len == total filesize) so we could replace this signature with the newly computed one.

Environment:
I've been seeing this with golang 1.21 on an m1 laptop.

$ sw_vers
ProductName:		macOS
ProductVersion:		14.3.1
BuildVersion:		23D60
@cfergeau cfergeau added the bug Something isn't working label Mar 4, 2024
@tgerla
Copy link

tgerla commented Mar 7, 2024

Hi @cfergeau, thanks for the report. We'll take a look as soon as we can.

@spiffcs
Copy link
Contributor

spiffcs commented Apr 23, 2024

Thanks for the entitlement support @cfergeau - before I do a release (when I have some time) I can look at this bug too and make sure it's resolved before the next quill goes out. We really appreciate the reports here =)

@spiffcs spiffcs changed the title code signing command is not the last loader command, so cannot remove it (easily) without corrupting the binary error bug: code signing command is not the last loader command, so cannot remove it (easily) without corrupting the binary error Apr 25, 2024
@wagoodman wagoodman moved this to Backlog in OSS May 2, 2024
@wagoodman
Copy link
Contributor

Looks like what is needed here is to be able to rewrite the remaining loader commands that follow the signing loader command if the new signing loader command is of a different size.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: Backlog
Development

No branches or pull requests

4 participants