Closed indygreg closed 2 years ago
The rcodesign
executables have this issue as well.
The dependency came from the apple-xar
crate via the xz2
Rust crate. That crate has a static
feature to ensure liblzma is statically linked. But this feature doesn't exist in a published crate version. I requested a release in https://github.com/alexcrichton/xz2-rs/issues/97.
In the mean time, we can work around this by forcing the linker to prefer the macOS SDK liblzma copy or rewrite the Mach-O afterwards to change the path of liblzma (assuming all referenced symbols are in the system's liblzma). That assertion may not be correct if the system liblzma is old (which is often the case with 3rd party libraries in macOS).
I may have aggravated this into a fatal error by enabling the hardened runtime setting in the code signature of distributed macOS binaries.
The bad liblzma dependency/path was present in the rcodesign 0.14 release binaries. But those run just fine! However, in the just-released 0.15 release binaries:
dyld: Library not loaded: /usr/local/opt/xz/lib/liblzma.5.dylib
Referenced from: /Users/runner/Library/Application Support/hatch/env/virtual/pyapp-UYSILkbu/build/bin/pyoxidizer
Reason: no suitable image found. Did find:
/usr/local/opt/xz/lib/liblzma.5.dylib: code signature in (/usr/local/opt/xz/lib/liblzma.5.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
/usr/local/opt/xz/lib/liblzma.5.dylib: stat() failed with errno=1
We could disable the hardened runtime. But then we won't be able to pass Apple notarization checks.
Turns out lzma-sys
's build script looks for an LZMA_API_STATIC
environment variable to force static linking (https://github.com/alexcrichton/xz2-rs/blob/949294ec701ee1727e1b2d5541bcf9e644ac0764/lzma-sys/build.rs#L12). So we can just set that in CI runners to get the same effect as the static
feature.
The linking of this dylib outside the macOS base install is wrong and likely a regression from 0.21. I'm not sure where the dependency came from. Likely via a Rust crate.