darwin/macos: keep bundled C extensions linker-signed (no explicit codesign)#22
Merged
…er-signed)
strip_framework() already strips every .so/.dylib, and on arm64 they keep the
*linker-signed* adhoc signature install_name_tool/strip apply (CodeDirectory
flags 0x20002). codesign_framework() was then re-signing the .so with
`codesign -s -`, replacing that with an *explicit* adhoc signature (flags 0x2).
An explicit adhoc signature is treated as final: a downstream Xcode app build
refuses to strip it ("not stripping binary because it is signed", once per
extension) and won't re-sign it. A linker-signed signature is replaceable, so
the app build strips + re-signs the extension cleanly — exactly like a pip
wheel's .so.
Sign only the framework binary and the bundled OpenSSL dylibs; leave the
lib-dynload .so stripped + linker-signed. They're extracted into the stdlib
resource tree, so they aren't covered by the framework's own seal anyway. Result
for any consuming app (SPM or CocoaPods): no per-extension strip warnings and a
smaller app, since Xcode can finally strip + re-sign them.
Problem

macOS `lib-dynload/*.so` (and the bundled extensions generally) ship with an explicit adhoc signature (CodeDirectory `flags=0x2`). When a downstream app (Flutter/Xcode, via serious_python — SPM or CocoaPods) bundles them as resources, Xcode's Release "strip" phase refuses to strip a code-signed Mach-O (stripping invalidates the signature) and emits one warning per extension:

…and the extensions stay unstripped, bloating the app.

Root cause

`strip_framework()` already strips every `.so`/`.dylib`, and on arm64 they keep the linker-signed adhoc signature (`flags=0x20002`) that `install_name_tool`/`strip` re-apply — a replaceable signature. `codesign_framework()` then re-signs each `.so` with `codesign -s -`, replacing that with an explicit adhoc signature (`0x2`), which the toolchain treats as final and won't strip or re-sign.

A pip wheel's `.so` (e.g. numpy) keeps its linker-signed signature and sails through Xcode's strip + re-sign with no warnings — the only difference was this explicit re-sign.

Fix

`codesign_framework()` now signs the framework binary and the bundled OpenSSL `.dylib`, but not the C-extension `.so` — leaving them stripped + linker-signed (replaceable), exactly like a wheel. They're extracted into the stdlib resource tree, so they aren't covered by the framework's own seal.

Verification (this branch's CI artifacts, run 27911450856)

- `lib-dynload/*.so`: 60/60 now `flags=0x20002 (adhoc, linker-signed)` (was `0x2`), and smaller (`_ssl` 420000 → 387080).
- `dlopen` fails only on undefined Python symbols, not on the signature.
- `codesign --verify` reports "not signed at all" — identical to a numpy wheel `.so` (the normal linker-signed quirk; the consuming app re-signs them).
- `Python` binary + OpenSSL `libssl.dylib` unchanged (still explicit `0x2`).
- Net for any consuming app (SPM or CocoaPods): the macOS extensions strip + re-sign cleanly — no more per-extension "not stripping" warnings, smaller bundles.
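A check in the spirit of the verification above, added here as an example and not code from the PR or the project: it classifies the CodeDirectory flags that `codesign -dvvv` prints, distinguishing the replaceable linker-signed state (`0x20002`) the fix produces from the explicit adhoc state (`0x2`) that triggered the strip warnings, and can walk a build output tree on macOS to fail if any extension regressed. The function names, the sample `codesign` output lines and the paths and sizes in them are constructed for this example; only the flag values come from the PR.

```shell
#!/bin/sh
# Added example, not part of the PR: classify the CodeDirectory flags that
# `codesign -dvvv <file>` reports, so a packaging step can assert that bundled
# C extensions carry the replaceable linker-signed signature (0x20002) and not
# the explicit ad-hoc one (0x2) that Xcode's strip phase refuses to touch.
# Flag bits: 0x2 = adhoc; 0x20000 = linker-signed (values quoted from the PR).

# classify_flags <hex-or-decimal flags> -> linker-signed | explicit-adhoc | other
classify_flags() {
    flags=$(( $1 ))                 # arithmetic expansion accepts 0x... literals
    if [ $(( flags & 0x20000 )) -ne 0 ] && [ $(( flags & 0x2 )) -ne 0 ]; then
        echo linker-signed
    elif [ $(( flags & 0x2 )) -ne 0 ]; then
        echo explicit-adhoc
    else
        echo other
    fi
}

# classify_codesign_output: read `codesign -dvvv` text on stdin and classify it.
# Unsigned objects make codesign print "code object is not signed at all".
classify_codesign_output() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned; return 0 ;;
    esac
    # Pull the hex value out of e.g. "flags=0x20002(adhoc,linker-signed)".
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    if [ -z "$flags" ]; then
        echo other
        return 0
    fi
    classify_flags "$flags"
}

# check_tree <dir>: on macOS, run codesign over every .so/.dylib under <dir>
# and fail if any extension ended up with an explicit ad-hoc signature.
# (Paths containing whitespace are not handled by this simple loop.)
check_tree() {
    bad=0
    for f in $(find "$1" -type f \( -name '*.so' -o -name '*.dylib' \)); do
        kind=$(codesign -dvvv "$f" 2>&1 | classify_codesign_output)
        printf '%-15s %s\n' "$kind" "$f"
        if [ "$kind" = explicit-adhoc ]; then
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample output (hypothetical paths, sizes and hash counts)
# mirroring the states the PR describes, so the classifier runs off a Mac.
SAMPLE_LINKER_SIGNED='Executable=/out/lib-dynload/_ssl.cpython-3xx-darwin.so
Identifier=_ssl.cpython-3xx-darwin
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=3920 flags=0x20002(adhoc,linker-signed) hashes=117+0 location=embedded'

SAMPLE_EXPLICIT_ADHOC='Executable=/out/lib-dynload/_ssl.cpython-3xx-darwin.so
Identifier=_ssl.cpython-3xx-darwin
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=3920 flags=0x2(adhoc) hashes=117+0 location=embedded'

SAMPLE_UNSIGNED='/out/lib-dynload/_ssl.cpython-3xx-darwin.so: code object is not signed at all'

# Stand-alone use: ./check_linker_signed.sh <dir> (needs the macOS codesign
# tool); with no argument it just classifies the constructed samples.
if [ $# -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    check_tree "$1"
else
    for s in "$SAMPLE_LINKER_SIGNED" "$SAMPLE_EXPLICIT_ADHOC" "$SAMPLE_UNSIGNED"; do
        printf '%s\n' "$s" | classify_codesign_output
    done
fi
```

Run against the extracted `lib-dynload` directory after `codesign_framework()`, the expected report is `linker-signed` for every `.so` and `explicit-adhoc` only for the framework binary and the OpenSSL dylibs; a `.so` reported as `explicit-adhoc` is exactly the state that makes Xcode emit the per-extension "not stripping" warning.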