Open paambaati opened 10 months ago
If it's possible to only incur the 350ms fixed build time increase when I pass in a --makeCodesignable
flag or something I think that'd be a good solution (as apposed to finding a more performant solution).
👀 If it's possible to only incur the 350ms fixed build time increase when I pass in a
--makeCodesignable
flag or something I think that'd be a good solution (as apposed to finding a more performant solution).
I agree a flag would be amazing, currently can't ship bun desktop applications without signing
@Electroid @Jarred-Sumner FWIW, Deno has landed support for codesigning Windows and macOS executables in https://github.com/denoland/deno/pull/24604 and it is expected to land in Deno 1.46.
cc @Jarred-Sumner - we cannot ship binaries to Mac ecosystem yet.
We get:
$ codesign --force --sign ... compiled.bin
main executable failed strict validation
The most we have by way of actual documentation from Apple is from Technical Note TN2206: macOS Code Signing In Depth.
codesign says my main executable failed strict validation.
- Your Mach-O executable does not conform to modern Mach-O layout rules.
- You may be using a third party development product that hasn't been brought up to date, or post-processed your file in unsupported ways.
ah, It's not just me, gotta try Deno I guess
edit: Deno single executable was worse
This is pretty much a hard requirement for us, and we'd happily take a 350ms hit on build time, especially if it can be toggled only for distribution builds.
Btw, Bun team, if you can provide some guidance as to what you tried previously (as per your code comment) we could potentially contribute something along the lines of what @YoavCodes suggested.
for what it's worth in the meantime while building https://www.electrobun.dev I implemented code signing on mac. but it essentially builds a mac application bundle (ie: folder) and code signs/notarizes your bundle which includes the bun binary and separate bundled js and other binaries.
so creating an app bundle and code signing/notarizing that is a workaround for distributing a "single" code signed thing.
but it'd be nice to be able to compile and sign/notarize a single binary for cli apps and terminal based utilities.
That's interesting, thanks for sharing @YoavCodes! We'll take a closer look.
But still agreed, I think the CLI tool use-case is broadly important for a tool like this. Bun does a lot of stuff super well, not least in the context of CLIs—faster startup times than alternatives and generally very smooth compilation+bundling, among other things—so it'd be a shame to get blocked on a last-mile thing like this.
It'd be a bit difficult to work it out from scratch, but any notes on prior attempts from the Bun team would be great to help others contribute.
Btw I'd also argue that a fixed 350ms cost is not exactly terrible for binary builds, since a lot of rapid iteration happens without those. At any rate an option to make the binary signable at the expense of marginally slower build time would make a lot of sense.
Hey guys, just as an update, I’ve talked to Jared about this a few times and everyone is on some page that we gotta be able to sign binaries.
build —binary currently breaks whatever metadata block and that’s why it doesn’t work. I expect within a few versions this will be fixed.
@YoavCodes I was looking into that, do you have any links or notes on distributing the codesigned app folder? The simplest form is actually just App.app/App
, no other files.
Here's the way I distribute WebhookPrinter.com Mac package while waiting Bun sign support
@YoavCodes I was looking into that, do you have any links or notes on distributing the codesigned app folder?
Can take a look at the build
command of the Electrobun cli (which is actually an unsigned single-file bun executable itself, distributed via npm that I'd love to sign)
I'm just a guy building an Electron alternative so the code is a bit messy and I probably went further than you'll want to but essentially for distribution it's:
$ <path to bundled bun> <path to entrypoint.js>
and acts as the main entrypoint for the bundleNotes:
$ open <path to app bundle>
or run the main binary directly $ <path to app bundle>/Contents/MacOS/yourBinary
open
command or double clicking you typically need a plist
file that tells it which binary in the bundle is the one that'll openplist
file with entitlements for protected system resources you need access to and the terminal command apple provides will just staple it to the bundle or the binary or whatever you're notarizing
What version of Bun is running?
1.0.13+f5bf67bd1
What platform is your computer?
Darwin 23.1.0 arm64 arm
What steps can reproduce the bug?
Attempt to code-sign the compiled executable with the command –
See the error –
What is the expected behavior?
The executable should be code-signed correctly and runnable on the system without Gatekeeper blocks/prompts.
What do you see instead?
Additional information
FWIW, Deno's compiled binaries face the same issue (although I'm not sure if the root cause is the same) – see https://github.com/denoland/deno/issues/575 and https://github.com/denoland/deno/issues/17753