Avoid performing Apple codesign on extensions #11652
Merged
+0
−11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We have our own signing mechanism, and they conflict making the Apple signature invalid
|
Thanks! |
github-actions bot
pushed a commit
to duckdb/duckdb-r
that referenced
this pull request
Apr 15, 2024
Merge pull request duckdb/duckdb#11645 from wangxiaoying/ec0 Merge pull request duckdb/duckdb#11652 from carlopi/no_macos_codesign_extensions
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have our own signing mechanism, and they conflict making the Apple signature invalid
Until a few days ago, for nightly or releases extensions, we built the binary, codesigned, then applied our signature on top (making the Apple signature not valid anymore).
With the extension metadata rework, we applied our own signature as part of cmake, and this breaks the preconditions of Apple codesigning.
Even if that would be solved, we still modify the binary afterwards.
And another connected problem: codesigning was performed only for extensions built directly by duckdb/duckdb workflows, and not for out-out-tree ones (then possibly updated to extensions.duckdb.org).
All consider, I think the proper solution is just removing the codesigning step on extensions. To be reviewed whether it makes sense and can be introduced everywhere.