Add fall-back to /usr/bin/codesign

... in case the `codesign` binary is not part of the directory where the `ar` tool resides. This might happen when not using a toolchain configured by nixpkgs_cc_configure, but instead using one from a nix-shell. The codesign tool is not part of a nixpkgs stdenv cc toolchain by default.
tweag · May 14, 2024 · 42068b0 · 42068b0
1 parent e5dba70
commit 42068b0
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/haskell/private/cc_wrapper.py.tpl b/haskell/private/cc_wrapper.py.tpl
@@ -931,12 +931,16 @@ def darwin_rewrite_load_commands(rewrites, output):
     if args:
         subprocess.check_call([INSTALL_NAME_TOOL] + args + [output])
         # Resign the binary after patching it.
+        # Fall back to /usr/bin/codesign if the `CODESIGN` executable is not available
+        # (this might happen when using a default cc toolchain from a nix shell on Darwin instead
+        #  of using a nixpkgs_cc_configure'd toolchain).
+        codesign = CODESIGN if os.access(CODESIGN, os.X_OK) else "/usr/bin/codesign"
         # This is necessary on MacOS Monterey on M1.
         # The moving back and forth is necessary because the OS caches the signature.
         # See this note from nixpkgs for reference:
         # https://github.com/NixOS/nixpkgs/blob/5855ff74f511423e3e2646248598b3ffff229223/pkgs/os-specific/darwin/signing-utils/utils.sh#L1-L6
         os.rename(output, f"{output}.resign")
-        subprocess.check_call([CODESIGN] + ["-f", "-s", "-"] + [f"{output}.resign"], env = {'CODESIGN_ALLOCATE': CODESIGN_ALLOCATE})
+        subprocess.check_call([codesign] + ["-f", "-s", "-"] + [f"{output}.resign"], env = {'CODESIGN_ALLOCATE': CODESIGN_ALLOCATE})
         os.rename(f"{output}.resign", output)