Allow code-signing with entitlements. FORCE may be used to avoid an error when replacing existing signatures.
Details
Diff Detail
- Repository
- rL LLVM
- Build Status
Buildable 24905 Build 24904: arc lint + arc unit
Event Timeline
cmake/modules/AddLLVM.cmake | ||
---|---|---|
795 | Would we want to pass FORCE to add_llvm_executable conditionally? |
cmake/modules/AddLLVM.cmake | ||
---|---|---|
795 | I'm trying to think about the situations in which we need the FORCE option. Since this is connecting as a post-build event it shouldn't be running unless the target re-generates the output, so I'm not sure I understand why we ever need it. I did the git blame walk back to when the code was initially added in 49dd98a03a, and there is no explanation. I suspect debugserver doesn't actually need the --force option because the author of the initial patch probably hit errors when re-signing the pre-built binary in his build directory. Thoughts? |
cmake/modules/AddLLVM.cmake | ||
---|---|---|
795 | I think you are right, it shouldn't be necessary. In practice, though, I can imagine situations when we want to make sure this won't fail in any case. The options are: remove entirely (most correct) OR allow enable per target (most flexible) OR allow enable globally. What about the last one? I could add LLVM_CODESIGNING_FORCE which is OFF by default. In failsafe/debugging situations it could be turned ON globally. I could remove the FORCE parameter here and check the flag in llvm_codesign (similar to LLVM_CODESIGNING_IDENTITY). |
Remove FORCE parameter from llvm_codesign and instead add global option LLVM_CODESIGNING_FORCE
CMakeLists.txt | ||
---|---|---|
403 ↗ | (On Diff #173851) | Yep, makes sense. |
cmake/modules/AddLLVM.cmake | ||
795 | My gut is to just remove forcing entirely, and only add it back if we actually need it. Short of post-build steps being incorrectly implemented in a CMake generator, I can't imagine a situation where it would be needed. |
Two use-cases for executables:
LLDB lldb-server https://reviews.llvm.org/D54444
LLDB debugserver https://reviews.llvm.org/D54476
I have no use-case for shared libraries (yet), so I didn't add ENTITLEMENTS there. Is that ok?
Would we want to pass FORCE to add_llvm_executable conditionally?