Sign Mach-O binaries in _internal directory of conda-standalone (#1159)

* Add function to detect whether file is Mach-O

* Sign all Mach-O binaries in _internal directory

* Add tests

* Add news

* Use correct location of internal directory in test

* Skip redundant is_dir check before glob

Author: marcoesters

constructor/osxpkg.py

@@ -38,6 +38,25 @@
 logger = logging.getLogger(__name__)
 
 
+# Mach-O binaries start with magic bytes.
+# Definitions:
+#   * https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/loader.h
+#   * https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/fat.h
+# For now, only include little-endian 64-bit and fat binaries
+MACHO_MAGIC_BYTES = (
+    b"\xcf\xfa\xed\xfe",  # 64-bit
+    b"\xbe\xba\xfe\xca",  # universal binary
+)
+
+
+def is_macho_binary(file: Path) -> bool:
+    if not file.is_file():
+        return False
+    with file.open(mode="rb") as f:
+        magic = f.read(4)
+    return magic in MACHO_MAGIC_BYTES
+
+
 def calculate_install_dir(yaml_file, subdir=None):
     contents = parse(yaml_file, subdir or conda_context.subdir)
     if contents.get("installer_type") == "sh":
@@ -88,6 +107,24 @@ def _detect_mimetype(path: str):
     return "text/plain"
 
 
+def sign_standalone_binary(
+    exe_path: Path,
+    codesigner: CodeSign,
+):
+    entitlements = {
+        "com.apple.security.cs.allow-jit": True,
+        "com.apple.security.cs.allow-unsigned-executable-memory": True,
+        "com.apple.security.cs.disable-executable-page-protection": True,
+        "com.apple.security.cs.disable-library-validation": True,
+        "com.apple.security.cs.allow-dyld-environment-variables": True,
+    }
+    codesigner.sign_bundle(exe_path, entitlements=entitlements)
+    internal_dir = exe_path.parent / "_internal"
+    for file in internal_dir.glob("**"):
+        if is_macho_binary(file):
+            codesigner.sign_bundle(file, entitlements=entitlements)
+
+
 def modify_xml(xml_path, info):
     # See
     # http://developer.apple.com/library/mac/#documentation/DeveloperTools/Reference/DistributionDefinitionRef/Chapters/Distribution_XML_Ref.html#//apple_ref/doc/uid/TP40005370-CH100-SW20
@@ -449,16 +486,16 @@ def pkgbuild_prepare_installation(info):
         shutil.rmtree(f"{pkg}.expanded")
 
 
-def create_plugins(pages: list = None, codesigner: CodeSign = None):
-    def _build_xcode_projects(xcodeporj_dirs: list[Path]):
+def create_plugins(pages: list[str] | str | None = None, codesigner: CodeSign | None = None):
+    def _build_xcode_projects(xcodeproj_dirs: list[Path]):
         xcodebuild = shutil.which("xcodebuild")
         if not xcodebuild:
             raise RuntimeError(
                 "Plugin directory contains an uncompiled project, but xcodebuild is not available."
             )
         try:
             subprocess.run([xcodebuild, "--help"], check=True, capture_output=True)
-        except subprocess.CalledSubprocessError:
+        except subprocess.CalledProcessError:
             raise RuntimeError(
                 "Plugin directory contains an uncompiled project, "
                 "but xcodebuild requires XCode to compile plugins."
@@ -608,14 +645,7 @@ def create(info, verbose=False):
         codesigner = CodeSign(
             notarization_identity_name, prefix=info.get("reverse_domain_identifier", info["name"])
         )
-        entitlements = {
-            "com.apple.security.cs.allow-jit": True,
-            "com.apple.security.cs.allow-unsigned-executable-memory": True,
-            "com.apple.security.cs.disable-executable-page-protection": True,
-            "com.apple.security.cs.disable-library-validation": True,
-            "com.apple.security.cs.allow-dyld-environment-variables": True,
-        }
-        codesigner.sign_bundle(join(prefix, exe_name), entitlements=entitlements)
+        sign_standalone_binary(Path(prefix, exe_name), codesigner)
 
     # This script checks to see if the install location already exists and/or contains spaces
     # Not to be confused with the user-provided pre_install!

constructor/signing.py

@@ -228,7 +228,7 @@ def __init__(
     def get_signing_command(
         self,
         bundle: str | Path,
-        entitlements: str | Path = None,
+        entitlements: str | Path | None = None,
     ) -> list:
         command = [
             self.executable,

news/1159-macos-conda-standalone-signing

@@ -0,0 +1,19 @@
+### Enhancements
+
+* <news item>
+
+### Bug fixes
+
+* Sign all Mach-O binaries in the `_internal` directory of `conda-standalone` to pass notarization. (#1045 via #1159)
+
+### Deprecations
+
+* <news item>
+
+### Docs
+
+* <news item>
+
+### Other
+
+* <news item>

tests/test_examples.py

@@ -33,7 +33,7 @@
     from collections.abc import Generator, Iterable
 
 if sys.platform == "darwin":
-    from constructor.osxpkg import calculate_install_dir
+    from constructor.osxpkg import calculate_install_dir, is_macho_binary
 elif sys.platform.startswith("win"):
     import winreg
 
@@ -709,7 +709,7 @@ def test_macos_signing(tmp_path, self_signed_application_certificate_macos):
     with open(input_path / "construct.yaml", "a") as f:
         f.write(f"notarization_identity_name: {self_signed_application_certificate_macos}\n")
     output_path = tmp_path / "output"
-    installer, install_dir = next(create_installer(input_path, output_path))
+    installer, _ = next(create_installer(input_path, output_path))
 
     # Check component signatures
     expanded_path = output_path / "expanded"
@@ -722,6 +722,10 @@ def test_macos_signing(tmp_path, self_signed_application_certificate_macos):
         Path(expanded_path, "prepare_installation.pkg", "Payload", "osx-pkg-test", conda_exe_name),
         Path(expanded_path, "Plugins", "ExtraPage.bundle"),
     ]
+    internal_dir = Path(
+        expanded_path, "prepare_installation.pkg", "Payload", "osx-pkg-test", "_internal"
+    )
+    components.extend([file for file in internal_dir.glob("**") if is_macho_binary(file)])
     validated_signatures = []
     for component in components:
         p = subprocess.run(