Page MenuHomePhabricator

[CMake] Accept ENTITLEMENTS in add_llvm_executable and llvm_codesign

Authored by sgraenitz on Nov 12 2018, 1:05 PM.



Allow code-signing with entitlements. FORCE may be used to avoid an error when replacing existing signatures.

Diff Detail


Event Timeline

sgraenitz created this revision.Nov 12 2018, 1:05 PM
sgraenitz added inline comments.Nov 12 2018, 1:20 PM
795 ↗(On Diff #173742)

Would we want to pass FORCE to add_llvm_executable conditionally?

beanz added inline comments.Nov 12 2018, 1:43 PM
795 ↗(On Diff #173742)

I'm trying to think about the situations in which we need the FORCE option. Since this is connecting as a post-build event it shouldn't be running unless the target re-generates the output, so I'm not sure I understand why we ever need it.

I did the git blame walk back to when the code was initially added in 49dd98a03a, and there is no explanation. I suspect debugserver doesn't actually need the --force option because the author of the initial patch probably hit errors when re-signing the pre-built binary in his build directory.


sgraenitz added inline comments.Nov 13 2018, 3:12 AM
795 ↗(On Diff #173742)

I think you are right, it shouldn't be necessary. In practice, though, I can imagine situations when we want to make sure this won't fail in any case.

The options are: remove entirely (most correct) OR allow enable per target (most flexible) OR allow enable globally.

What about the last one? I could add LLVM_CODESIGNING_FORCE which is OFF by default. In failsafe/debugging situations it could be turned ON globally. I could remove the FORCE parameter here and check the flag in llvm_codesign (similar to LLVM_CODESIGNING_IDENTITY).

sgraenitz updated this revision to Diff 173851.Nov 13 2018, 7:20 AM

Remove FORCE parameter from llvm_codesign and instead add global option LLVM_CODESIGNING_FORCE

sgraenitz added inline comments.Nov 13 2018, 7:23 AM
403 ↗(On Diff #173851)

Identity should be a string right?

795 ↗(On Diff #173742)

Patch updated

beanz added inline comments.Nov 13 2018, 2:19 PM
403 ↗(On Diff #173851)

Yep, makes sense.

795 ↗(On Diff #173742)

My gut is to just remove forcing entirely, and only add it back if we actually need it. Short of post-build steps being incorrectly implemented in a CMake generator, I can't imagine a situation where it would be needed.

sgraenitz updated this revision to Diff 174055.Nov 14 2018, 9:36 AM

Remove force option

Two use-cases for executables:
LLDB lldb-server
LLDB debugserver

I have no use-case for shared libraries (yet), so I didn't add ENTITLEMENTS there. Is that ok?

sgraenitz marked 5 inline comments as done.Nov 15 2018, 4:36 AM
sgraenitz marked 2 inline comments as done.

Tested on macOS and Linux with the use-cases mentioned.

beanz accepted this revision.Nov 16 2018, 9:56 AM


This revision is now accepted and ready to land.Nov 16 2018, 9:56 AM
This revision was automatically updated to reflect the committed changes.