Zig cc: support `-Wl,-adhoc_codesign` and `-Wl,-no_adhoc_codesign`

[danielslee]

Zig Version

0.11.0

Steps to Reproduce and Observed Behavior

I've been using zig cc in combination with rcodesign and I ran into an issue where rcodesign would complain about there not being enough space left for the signature. This only happened with some programs.

Interestingly this never happened for aarch64 builds. I decided to look into the Zig code, and I found this interesting bit: https://github.com/ziglang/zig/blob/master/src/link/MachO.zig#L691

I patched Zig with the following patch and the issue disappeared completely:

diff --git a/src/link/MachO/load_commands.zig b/src/link/MachO/load_commands.zig
index 8f803d98c..721b4e3c5 100644
--- a/src/link/MachO/load_commands.zig
+++ b/src/link/MachO/load_commands.zig
@@ -105,7 +105,7 @@ fn calcLCsSize(gpa: Allocator, options: *const link.Options, ctx: CalcLCsSizeCtx
         const target = options.target;
         const requires_codesig = blk: {
             if (options.entitlements) |_| break :blk true;
-            if (target.cpu.arch == .aarch64 and (target.os.tag == .macos or target.abi == .simulator))
+            if (target.os.tag == .macos or target.abi == .simulator)
                 break :blk true;
             break :blk false;
         };

Is it possible to add a flag to enable codesigning using zig cc? Or enable it by default, seeing it's already doing that on aarch64? What are the reasons for it to be disabled on amd64?

Expected Behavior

Either codesigning should be enabled by default for macos/amd64 too, or there should be a flag in zig cc to enable it.

[kubkon]

What is the precise error reported by rcodesign? Is it complaining about missing space for expanding load commands section? If so, you should pass -headerpad <size> or -headerpad_max_install_names to allow for addition of additional load commands such as code signature on x86_64. Also, no, code signing on x86_64 is optional and should not be generated by default. This is also how Apple's ld64 behaves:

$ uname -a
Darwin urahara.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:42:11 PST 2023; root:xnu-8792.81.3~2/RELEASE_X86_64 x86_64
$ cat empty.c
int main() { return 0; }
$ clang -c empty.c
$ ld -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk empty.o -lc
$ otool -lv a.out | grep LC_CODE_SIGNATURE
$ echo $?
1

[danielslee]

This is the error I see:

Error: insufficient room to write code signature load command

It seems to be generated here: https://github.com/indygreg/apple-platform-rs/blob/6fc832919eb89f86ac381dfb02196b8cbb3de58c/apple-codesign/src/macho.rs#L372

            if first_section.0.offset as usize - load_commands_end_offset
                >= SIZEOF_LINKEDIT_DATA_COMMAND
            {
                Ok(())
            } else {
                Err(AppleCodesignError::LoadCommandNoRoom)
            }

I tried adding -headerpad_max_install_names and it indeed does fix the issue. Thank you!

There doesn't seem to be an option called -headerpad:

error: Unknown Clang option: '-headerpad'

Clang doesn't have it either: https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-headerpad-_max-_install-_names-arg

---

That being said, it seems that on a Mac you can use the -adhoc_codesign/-no_adhoc_codesign flags to control signing behavior -- I think that it would make sense for Zig to support these.

The flags were added to LLVM here https://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20201228/867028.html and here: https://reviews.llvm.org/D97994

From man ld on my MacBook:

     -adhoc_codesign
             Directs the linker to add an ad-hoc codesignature to the output file. The default for Apple Silicon binaries is to be ad-hoc codesigned.

     -no_adhoc_codesign
             Directs the linker to not add ad-hoc codesignature to the output file, even for Apple Silicon binaries.

But with Zig, adding -Wl,-adhoc_codesign results in:

error: unsupported linker arg: -adhoc_codesign

[alexrp]

There doesn't seem to be an option called -headerpad:

This is a linker option, so you want -Wl,-headerpad,<size>.