bazelbuild / rules_apple

Bazel rules to build apps for Apple platforms.
Apache License 2.0

Unable to strip frameworks in ipa_post_processor (invalid signature) #1953

Open andre-alves opened 1 year ago

andre-alves commented 1 year ago

I'm trying to strip frameworks to decrease app size (as suggested by EmergeTools). Here is the ipa_post_processor:

#!/bin/bash

set -eu

WORKDIR="$1"
APPDIR="$WORKDIR/Payload"

for app in $(find "$APPDIR" -type d -maxdepth 1 -mindepth 1); do
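  # Strip symbols from frameworks, as long as the framework is NOT signed by Apple.
  # The path is passed to the inner shell as "$1" rather than spliced into the
  # command string, so file names containing spaces or shell metacharacters are
  # handled as data.
  find "$app/Frameworks" -type f -perm +111 -maxdepth 2 -mindepth 2 -exec bash -c '/usr/bin/codesign -v -R="anchor apple" "$1" &> /dev/null || (echo "$1" && /usr/bin/strip -rSTx "$1")' _ {} \;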
done

The script works fine but the app fails to install afterwards due to an invalid signature:

codesign --verify --verbose MyApp.app/Frameworks/SendbirdChatSDK.framework
MyApp.app/Frameworks/SendbirdChatSDK.framework: invalid signature (code or signature have been modified)
In architecture: arm64

I would expect it to work given that codesign is executed after ipa_post_processor.

Maybe something has changed since this issue?

Environment:

---- EDIT ----

Still happens with rules_apple 3.1.1 and Xcode 15.0
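A check that can be run on a framework binary before and after the strip step, as an added example (not code from this thread or from rules_apple): it reports whether each Mach-O slice carries an embedded signature (an `LC_CODE_SIGNATURE` load command), which is the data `codesign --verify` validates the file contents against. It handles fat binaries as well as the thin arm64 case shown above; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, 28-byte header
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, 32-byte header
FAT_MAGIC = 0xCAFEBABE      # universal binary, big-endian header
LC_CODE_SIGNATURE = 0x1D

def _thin_signature(data, base):
    """Return (dataoff, datasize) of LC_CODE_SIGNATURE in one slice, or None."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O slice")
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_CODE_SIGNATURE:
            # linkedit_data_command: cmd, cmdsize, dataoff, datasize
            return struct.unpack_from("<II", data, off + 8)
        off += cmdsize
    return None

def embedded_signatures(data):
    """Map slice offset -> (dataoff, datasize) or None, for thin or fat bytes."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        offsets = [0]
    return {o: _thin_signature(data, o) for o in offsets}

def _sample(signed):
    """Constructed arm64 dylib header with one load command (not a real binary)."""
    if signed:
        cmd = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)
    else:
        cmd = struct.pack("<2I16x", 0x1B, 24)  # LC_UUID with a zeroed UUID
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 6, 1, len(cmd), 0, 0) + cmd

if __name__ == "__main__":
    print(embedded_signatures(_sample(True)))
    print(embedded_signatures(_sample(False)))
```

On a real framework, pass the bytes of the binary inside the `.framework` directory, for example `embedded_signatures(open(path, "rb").read())`.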

qyang-nj commented 1 year ago

We ran into this as well, with the following crash log. This is when launching in the simulator. (I used to think that the simulator doesn't verify code signatures.)

Exception Type:  EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Subtype: UNKNOWN_0x32 at 0x000000011d4c4000
Exception Codes: 0x0000000000000032, 0x000000011d4c4000
VM Region Info: 0x11d4c4000 is in 0x11d4c4000-0x11d520000;  bytes after start: 0  bytes before end: 376831
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      mapped file                 11d498000-11d4c4000    [  176K] r--/rwx SM=COW  ...t_id=2d3d2fa5
--->  mapped file                 11d4c4000-11d520000    [  368K] r-x/rwx SM=COW  ...t_id=30240fa5
      VM_ALLOCATE (reserved)      11d520000-11d548000    [  160K] rw-/rwx SM=NUL  ...(unallocated)
Termination Reason: CODESIGNING 2 Invalid Page

From the doc here, ipa_post_processor is "a tool that edits this target's archive after it is assembled but before it is signed". Maybe we're not supposed to modify the prebuilt frameworks?

lucasmarcal-faire commented 3 months ago

Are there any updates regarding this? Have you found a workaround for this issue?