sqlc-dev / sqlc-gen-python

Code signing on Mac #18

Closed bretwalker closed 10 months ago

bretwalker commented 1 year ago

I ran into a problem after upgrading from sqlc-gen-python_1.0.0.wasm to sqlc-gen-python_1.1.0.wasm on a Mac with Apple Silicon.

When I try to run sqlc using the plugin with 1.1.0, the process is killed. Console output:

default 14:57:39.947500-0400 kernel CODE SIGNING: process 18673[sqlc]: rejecting invalid page at address 0x12e498000 from offset 0x4000 in file "" (cs_mtime:0.0 == mtime:0.0) (signed:0 validated:0 tainted:0 nx:0 wpmapped:1 dirty:0 depth:0)

I checked the signature, and I thought it looked fine:

codesign -dvvv --deep sqlc
Executable=/private/var/tmp/_bazel_bretwalker/5f1e154eeb3037a5f000bde1a5a0b737/external/sqlc_release/sqlc
Identifier=sqlc
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=581360 flags=0x10000(runtime) hashes=18162+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=ecc37620dc0926c725d806a625f1a5940e090d6d
CandidateCDHashFull sha256=ecc37620dc0926c725d806a625f1a5940e090d6dac7b613ba3cfce13eec15ffc
Hash choices=sha256
CMSDigest=ecc37620dc0926c725d806a625f1a5940e090d6dac7b613ba3cfce13eec15ffc
CMSDigestType=2
Launch Constraints:
    None
CDHash=ecc37620dc0926c725d806a625f1a5940e090d6d
Signature size=8972
Authority=Developer ID Application: Kyle Conroy (88ZP47B2C5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 31, 2023 at 4:06:00 PM
Info.plist=not bound
TeamIdentifier=88ZP47B2C5
Runtime Version=13.3.0
Sealed Resources=none
Internal requirements count=1 size=164

But after ad hoc signing, the process was no longer killed:

sudo codesign -f -s - sqlc
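
Added example, not part of the original issue or the sqlc project's code: a Python comparison of `codesign -dvvv` output before and after a re-sign like the one above, reporting which signing properties changed. The "before" text is trimmed from the output quoted in the comment; the "after" text is a constructed sample of what codesign prints for an ad hoc signature, and the function names are hypothetical.

```python
import re

# Code-directory flag bits as printed by codesign (values from XNU cs_blobs.h).
CS_FLAGS = {0x2: "adhoc", 0x10000: "runtime", 0x20000: "linker-signed"}

# Trimmed from the `codesign -dvvv` output quoted in the issue.
BEFORE = """\
CodeDirectory v=20500 size=581360 flags=0x10000(runtime) hashes=18162+2 location=embedded
Authority=Developer ID Application: Kyle Conroy (88ZP47B2C5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=88ZP47B2C5
"""

# Constructed sample: the shape codesign prints for an ad hoc signature.
AFTER = """\
CodeDirectory v=20400 size=0 flags=0x2(adhoc) hashes=0+0 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

def parse_codesign(text):
    """Extract flags, authority chain and team ID from codesign -dvvv text."""
    info = {"flags": 0, "authorities": [], "team": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith("CodeDirectory"):
            m = re.search(r"\bflags=0x([0-9a-fA-F]+)", line)
            info["flags"] = int(m.group(1), 16) if m else 0
        elif key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier" and value != "not set":
            info["team"] = value
    info["flag_names"] = {n for bit, n in CS_FLAGS.items() if info["flags"] & bit}
    return info

def signing_drift(before, after):
    """List security-relevant properties lost or changed by a re-sign."""
    b, a = parse_codesign(before), parse_codesign(after)
    drift = []
    if "runtime" in b["flag_names"] - a["flag_names"]:
        drift.append("hardened runtime flag dropped")
    if "adhoc" in a["flag_names"] - b["flag_names"]:
        drift.append("signature is now ad hoc")
    if b["authorities"] and not a["authorities"]:
        drift.append("authority chain removed: " + b["authorities"][0])
    if b["team"] != a["team"]:
        drift.append(f"TeamIdentifier changed: {b['team']} -> {a['team']}")
    return drift

if __name__ == "__main__":
    for finding in signing_drift(BEFORE, AFTER):
        print(finding)
```
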

bretwalker commented 1 year ago

I have a little more info. I needed to downgrade to sqlc 1.19 due to a regression in 1.20, and I also downgraded to the 1.0.0 WASM plugin, and I ran into the same issue. I'm only seeing the error when generating Python code, so I still think it is somehow related to this plugin. Please let me know what other info I can provide or if I should move this issue. Thank you.

kyleconroy commented 1 year ago

Have you tried this with sqlc 1.21? The code signing should be the same for amd64 and arm64 builds. Not sure exactly what's going on.