From fe1b200f97c6dfacb95eb2b49f77636acadf7c75 Mon Sep 17 00:00:00 2001
From: Feodor Fitsner
Date: Sun, 21 Jun 2026 10:05:18 -0700
Subject: [PATCH] darwin/macos: don't explicit-codesign bundled C extensions (keep linker-signed)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

strip_framework() already strips every .so/.dylib, and on arm64 they keep the *linker-signed* adhoc signature install_name_tool/strip apply (CodeDirectory flags 0x20002). codesign_framework() was then re-signing the .so with `codesign -s -`, replacing that with an *explicit* adhoc signature (flags 0x2). An explicit adhoc signature is treated as final: a downstream Xcode app build refuses to strip it ("not stripping binary because it is signed", once per extension) and won't re-sign it. A linker-signed signature is replaceable, so the app build strips + re-signs the extension cleanly — exactly like a pip wheel's .so.

Sign only the framework binary and the bundled OpenSSL dylibs; leave the lib-dynload .so stripped + linker-signed. They're extracted into the stdlib resource tree, so they aren't covered by the framework's own seal anyway.

Result for any consuming app (SPM or CocoaPods): no per-extension strip warnings and a smaller app, since Xcode can finally strip + re-sign them.
---
 darwin/build_macos.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/darwin/build_macos.py b/darwin/build_macos.py
index 504e677..c2ba5ac 100644
--- a/darwin/build_macos.py
+++ b/darwin/build_macos.py
@@ -483,10 +483,19 @@ def make_relocatable(framework: Path, short: str) -> None:
 def codesign_framework(framework: Path, short: str) -> None:
     args = ["codesign", "-s", "-", "--preserve-metadata=identifier,entitlements,flags,runtime", "-f"]
     run(args + [framework / "Versions" / short / "Python"])
-    for pattern in ("*.dylib", "*.so"):
-        for binary in framework.rglob(pattern):
-            if binary.is_file():
-                run(args + [binary])
+    # Sign the framework binary and the bundled OpenSSL dylibs, but NOT the
+    # C-extension .so. strip_framework() already left them stripped and
+    # *linker-signed* (the replaceable adhoc signature install_name_tool/strip
+    # apply on arm64). Re-signing with `codesign -s -` would replace that with an
+    # *explicit* adhoc signature (CodeDirectory flags 0x2 instead of 0x20002),
+    # which a downstream Xcode app build refuses to strip ("not stripping binary
+    # because it is signed", once per extension) and won't re-sign. A
+    # linker-signed extension is instead re-signed into the consuming app
+    # cleanly, exactly like a pip wheel's .so. The .so are extracted to the
+    # stdlib resource tree, so they aren't covered by the framework's own seal.
+    for binary in framework.rglob("*.dylib"):
+        if binary.is_file():
+            run(args + [binary])
     run(args + [framework])
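Review bot: The new comment says the loop signs "the bundled OpenSSL dylibs", but `framework.rglob("*.dylib")` signs every .dylib anywhere under the framework, so the wording should match the code, e.g. `# Sign the framework binary and every bundled .dylib (today: the OpenSSL libraries), but NOT the C-extension .so.`. The linker-signed rationale is stated for arm64 only; if the framework also carries x86_64 slices, those .so presumably end up with no signature at all after strip, which the downstream re-sign still handles but which the comment should say explicitly so nobody later "fixes" it by re-adding `*.so` to the glob. Since codesign_framework() now silently depends on strip_framework() having run first, a one-line docstring stating that precondition (`"""Ad-hoc sign the framework; must run after strip_framework() so the lib-dynload .so stay linker-signed."""`) would keep a future reorder of the build steps from reintroducing explicitly-signed extensions. The enclosing function is entirely inside the hunk.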