From 5ac2f4ee4d61e787f05a1ddf36d02199312e5ac6 Mon Sep 17 00:00:00 2001
From: voidborne-d
Date: Tue, 14 Apr 2026 22:55:01 +0000
Subject: [PATCH] fix: ad-hoc codesign compiled binaries on Apple Silicon after build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On some Apple Silicon machines, Bun's --compile produces a corrupt or linker-only code signature. macOS kills these binaries with SIGKILL (exit 137, zsh: killed) before they execute a single instruction. Add a post-build codesign step to setup that runs only on Darwin arm64: 1. Remove the corrupt/linker-only signature (required — a direct re-sign fails with 'invalid or unsupported format for signature') 2. Apply a fresh ad-hoc signature The step is idempotent, costs <1s, and is what Bun's own docs recommend for distributed standalone executables. All four compiled binaries are covered: browse, find-browse, design, and gstack-global-discover. Failure is a non-fatal warning so Intel/CI builds are unaffected. Fixes #997
---
 setup | 17 ++++++++
 test/setup-codesign.test.ts | 77 +++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 test/setup-codesign.test.ts
diff --git a/setup b/setup
index 7e30bc39..2756d2bc 100755
--- a/setup
+++ b/setup
@@ -243,6 +243,23 @@ if [ "$NEEDS_BUILD" -eq 1 ]; then
 if [ ! -f "$SOURCE_GSTACK_DIR/browse/dist/.version" ]; then
 git -C "$SOURCE_GSTACK_DIR" rev-parse HEAD > "$SOURCE_GSTACK_DIR/browse/dist/.version" 2>/dev/null || true
 fi
+
+ # macOS Apple Silicon: ad-hoc codesign compiled binaries.
+ # Bun's --compile can produce a corrupt or linker-only code signature that
+ # macOS kills with SIGKILL (exit 137). The two-step remove+re-sign is
+ # required because a naive `codesign -s - -f` fails when the existing
+ # signature block is corrupt. This is idempotent and costs <1s.
+ # See: https://github.com/garrytan/gstack/issues/997
+ if [ "$(uname -s)" = "Darwin" ] && [ "$(uname -m)" = "arm64" ]; then
+ for _bin in browse/dist/browse browse/dist/find-browse design/dist/design bin/gstack-global-discover; do
+ _bin_path="$SOURCE_GSTACK_DIR/$_bin"
+ [ -f "$_bin_path" ] && [ -x "$_bin_path" ] || continue
+ codesign --remove-signature "$_bin_path" 2>/dev/null || true
+ if ! codesign -s - -f "$_bin_path" 2>/dev/null; then
+ log "warning: codesign failed for $_bin (binary may not run on Apple Silicon)"
+ fi
+ done
+ fi
 fi
 
 if [ ! -x "$BROWSE_BIN" ]; then
diff --git a/test/setup-codesign.test.ts b/test/setup-codesign.test.ts
new file mode 100644
index 00000000..1ac7a498
--- /dev/null
+++ b/test/setup-codesign.test.ts
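Review bot: `codesign --remove-signature` runs before the re-sign is known to succeed, so when `codesign -s - -f` then fails the binary is left with no signature at all, a state arm64 macOS refuses to launch and a worse one than the `log "warning: …"` text describes, while the `2>/dev/null` on the re-sign discards the only explanation of why it failed. Keep the diagnostics by capturing them into the warning: `if ! _err=$(codesign -s - -f "$_bin_path" 2>&1); then` and `log "warning: codesign failed for $_bin: $_err (binary may not run on Apple Silicon)"`. A `codesign --verify "$_bin_path" 2>/dev/null && continue` ahead of the removal would also leave an already-valid signature untouched on the idempotent second run, though whether the linker-only signatures the commit describes pass `--verify` cannot be confirmed from this hunk. `_bin` and `_bin_path` stay set for the rest of the script after `done`; an `unset _bin _bin_path` after the loop would contain them. The enclosing `if [ "$NEEDS_BUILD" -eq 1 ]` block starts outside the hunk.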
@@ -0,0 +1,77 @@
+import { describe, test, expect } from 'bun:test';
+import { spawnSync } from 'child_process';
+import * as path from 'path';
+import * as fs from 'fs';
+import * as os from 'os';
+
+const ROOT = path.resolve(import.meta.dir, '..');
+const SETUP_SCRIPT = path.join(ROOT, 'setup');
+
+describe('setup: Apple Silicon codesign', () => {
+ test('setup script contains codesign block for Darwin arm64', () => {
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ // Verify the codesign guard checks both Darwin and arm64
+ expect(content).toContain('$(uname -s)" = "Darwin"');
+ expect(content).toContain('$(uname -m)" = "arm64"');
+ // Verify remove-then-resign two-step pattern
+ expect(content).toContain('codesign --remove-signature');
+ expect(content).toContain('codesign -s - -f');
+ });
+
+ test('codesign block covers all compiled binaries', () => {
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ // Extract the binaries from the codesign for-loop
+ const forMatch = content.match(/for _bin in ([^;]+);/);
+ expect(forMatch).toBeTruthy();
+ const binaries = forMatch![1].trim().split(/\s+/);
+ // All four compiled binaries from `bun run build` must be covered
+ expect(binaries).toContain('browse/dist/browse');
+ expect(binaries).toContain('browse/dist/find-browse');
+ expect(binaries).toContain('design/dist/design');
+ expect(binaries).toContain('bin/gstack-global-discover');
+ });
+
+ test('codesign block is inside the NEEDS_BUILD=1 branch', () => {
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ // The codesign block should appear after `bun run build` and before the
+ // `if [ ! -x "$BROWSE_BIN" ]` guard that checks the build succeeded.
+ const buildIdx = content.indexOf('bun run build');
+ const codesignIdx = content.indexOf('codesign --remove-signature');
+ const browseCheckIdx = content.indexOf('gstack setup failed: browse binary missing');
+ expect(buildIdx).toBeGreaterThan(-1);
+ expect(codesignIdx).toBeGreaterThan(buildIdx);
+ expect(browseCheckIdx).toBeGreaterThan(codesignIdx);
+ });
+
+ test('codesign block is idempotent (skips missing binaries)', () => {
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ // The loop must guard with a file-existence + executable check before codesigning
+ expect(content).toContain('[ -f "$_bin_path" ] && [ -x "$_bin_path" ] || continue');
+ });
+
+ test('codesign failure is a warning, not a fatal error', () => {
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ // On codesign failure, log a warning but don't exit
+ expect(content).toContain('warning: codesign failed for');
+ // Should NOT have `set -e` causing exit on codesign failure
+ // (the `|| true` after --remove-signature and the if-guard around -s - -f handle this)
+ expect(content).toContain('codesign --remove-signature "$_bin_path" 2>/dev/null || true');
+ });
+
+ test('codesign shell snippet is syntactically valid', () => {
+ // Extract the codesign block and validate it parses as bash
+ const content = fs.readFileSync(SETUP_SCRIPT, 'utf-8');
+ const match = content.match(
+ /# macOS Apple Silicon: ad-hoc codesign[\s\S]*?done\n\s*fi/
+ );
+ expect(match).toBeTruthy();
+ const snippet = match![0];
+ // Wrap in a function to make it a complete script, then syntax-check
+ const testScript = `#!/usr/bin/env bash\nset -e\n_test_fn() {\n${snippet}\n}\n`;
+ const result = spawnSync('bash', ['-n', '-c', testScript], {
+ stdio: ['pipe', 'pipe', 'pipe'],
+ timeout: 5000,
+ });
+ expect(result.status).toBe(0);
+ });
+});
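Review bot: The last test folds every spawn failure into `expect(result.status).toBe(0)`: if `bash` is absent or the 5s timeout fires, `result.status` is `null` and the failure message gives no reason, and when bash does report a parse error its stderr is thrown away. Surfacing both keeps the failure actionable: `if (result.error) throw result.error;` followed by ``if (result.status !== 0) throw new Error(`bash -n failed: ${result.stderr}`);`` ahead of the expect. `import * as os from 'os'` is never used in the file and can be dropped. The other tests pin exact substrings of the script, e.g. the `[ -f "$_bin_path" ] && [ -x "$_bin_path" ] || continue` line, so a purely cosmetic reflow of the block will fail them; a comment at the top of the describe block stating that these tests intentionally pin the block's shape would spare the next editor the surprise.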