Build error with ../configure --ios --cpu arm64 --disable-demo --disable-tests (Code Signing)

[gorkalinaza-accedo]

Hi there,

Got this error when trying to configure a build:

Loading required submodules... Downloading GN from cloud storage... Generating files for boringssl... Standard output: Automatic code signing identity selection was enabled but could not find exactly one code signing identity matching iPhone Developer. Check that your keychain is accessible and that there is a valid code signing identity listed by "xcrun security find-identity -v -p codesigning" TIP: Simulator builds don't require code signing... ERROR at //build/config/ios/ios_sdk.gni:151:7: Assertion failed. assert(false) ^----- See //build/config/ios/rules.gni:5:1: whence it was imported. import("//build/config/ios/ios_sdk.gni") ^-------------------------------------- See //BUILD.gn:16:3: whence it was imported. import("//build/config/ios/rules.gni") ^------------------------------------

Due to 'ios_sdk.gni' configuration, it tries to get the code signing identity comparing the current ones with the matching string "iPhone Developer" at:

ios_code_signing_identity_description = "iPhone Developer"

This has changed to "Apple Development". It can't be modified, 'configure' file the current "ios_sdk.gn" file is loaded and overriden: Any way to set this?

[TheModMaker]

You can use --gn-args to set other GN variables. So either of these may work:

./configure --gn-args 'ios_code_signing_identity_description="Apple Development"'
./configure --gn-args 'ios_code_signing_identity="123456..."'

[jgongo]

I just got the same error. Why are the frameworks code signed at all?

The frameworks are imported in an app, so they get re-codesigned with the signing identity configured in that app's project. I'm even generating a fat framework to be internally distributed using Cocoapods, and in that process the signature is stripped away.

So summing up, code signing the generated frameworks seems to be unneeded and error prone. Can this be disabled?

[TheModMaker]

I think you can disable it with --gn-args 'ios_enable_code_signing=false, but I haven't tested it. Code signing the framework has the advantage of allowing developers to verify the integrity and source of pre-built frameworks. So the framework in the releases tab will be signed so you can know it was from us and not tampered. But we could manually enable it again for those builds.

I'm not sure what the correct thing to do is. It seems odd to create frameworks that aren't signed since Apple default signs these things. It may also be a requirement of some build systems or distribution to only accept signed builds. But if you're building yourself, you don't need to sign it.

So maybe best would be to default to not signing and have an --enable-code-signing flag?

[jgongo]

I think you answered your own question 😃 As you said, code signing the framework serves the purpose of letting developers to verify the integrity of pre-built frameworks. That makes sense if you are distributing a closed source framework in binary format. But here we are talking about an open source project in which every developer may build his own version of the framework and then include it in his project, where it will be immediately re-codesigned.

So my vote goes for disabling code signing by default, as I think code signing is not really needed and more error prone in this case 😃