Closed sondr3 closed 8 months ago
Huh, that's weird.
I haven't used GitHub's new M1 macOS runners before. I'm not sure if the problem is with GHC, macOS, GitHub, or something else.
I thought maybe Gatekeeper was the problem, but I couldn't get it working even with some various xattr
and codesign
commands.
I don't really know how to proceed here. I may need to sign/notarize the binary.
I'm not sure it's codesigning, I've signed the binary manually locally using both codesign
and rcodesign
and it still exits with SIGKILL
. Compiling and running it locally works fine and the codesign
tool says no issues with it, and comparing the output doesn't tell me anything is wrong with it.
I tried running the binary in lldb
to see what it says, it errors with error: Bad executable
.
If you compile locally, it gets linker signed, so it will run on that mac without issues.
If you want to run that same build you compiled locally, on another mac, you'll need to code sign (with at least adhoc method). But that sometimes does not work well either. I'd recommend paying Apple 99$ yearly and getting into the developer program. Then, you can get the actual certificates and sign with them. It will run on any mac with no problem afterwards.
rcodesign
is a workaround, but afaik you should be able to feed the apple certificates to it... (I haven't tested this)
That does not sound correct, all the binaries I've installed via Homebrew work and they only sign using the ad-hoc
method: https://github.com/Homebrew/brew/blob/6a9c9c00a028cf0bcf7da5a9e5b28c861a981ebd/Library/Homebrew/extend/os/mac/keg.rb#L33.
edit: you may be right about the linker-signed
thing though, not sure how that works on CI/similar, but the codesigning with a certificate seems to be a different thing.
edit2: I just added macos-14
to one of my own projects and published it (using Rust/cargo, but still similar) and I can download the git-ignore-aarch64-apple-darwin.tar.gz
package and run the binary no issues.
Ad-hoc one works when you install with curl
, wget
and tools alike (I think Homebrew also under the hood used one of those...). If you try to download it via Safari for example, then you will likely run into problems.
Doesn't work with either curl
or wget
for me sadly, it still gets SIGKILL
ed.
Could you check what the output of this is?
codesign -vvvv <path_to_your_binary>
That might give some useful info about code signature.
And then there is the option to make this a system service and run like that. If I recall, that gives some more info about why the SIGKILL occurs. But, this is a bit of a laborious thing to do...
Yeah, that looks good too. Unfortunately I dunno what might be the issue here. Might be something to do with the compilation as you guys discussed earlier.
I copied over and adapted the release pipeline I use for my Rust crates and tested it for this project, and... everything works. The binaries are signed with (ad-hoc,linker-signed)
and I can download them via both the browser and terminal tools and run it without problems. Not sure what the problem could be, I used the same version of GHC and macOS, just using the more common YAML pipeline syntax. You can take a look at the pipeline here and try the artifacts here.
Thanks for investigating! Can you try the assets on the 1.0.2.1 release? Both arm64 and x64 worked for me on my M1 machine.
I'm not entirely sure what the problem was, but I think it was UPX. I removed that. I also ad-hoc signed the binaries with codesign -s - ...
(maybe this is unnecessary). See #25 for more info.
Works fine now 😄 Could be that it's UPX, yeah. I use strip
on my binaries in Rust and haven't had any problems, but maybe UPX is more aggressive.
I downloaded the
arm64
variant of the binary and made it executable, but it just errors out immediately:I'm guessing this is some form of GHC miscompilation that strikes again. The
x64
binary works fine.