Page MenuHomePhabricator

[CMake] llvm_codesign workaround for Xcode double-signing errors

Authored by sgraenitz on Nov 30 2018, 4:06 AM.



When using Xcode to build LLVM with code signing, the post-build rule is executed even if the actual build-step was skipped. This causes double-signing errors. We can currently only avoid it by passing the --force flag.

Plus some polishing for my previous patch D54443.

Diff Detail


Event Timeline

sgraenitz created this revision.Nov 30 2018, 4:06 AM

One more note here about the --force parameter (which we shortly discussed in D54443): When using Xcode for testing multi-config generators, I run into double signing issues. I didn't investigate in detail yet, but I am slightly in favor of hardcoding it in the codesign invocation now.
Is it possible that Xcode runs PostBuild even if it did not actually regenerate the binary? With Ninja all goes well.

Link /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen
Run custom shell script 'CMake PostBuild Rules'
  xcrun dsymutil /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen
  warning: no debug symbols in executable (-arch x86_64)
  /.../usr/bin/strip -Sxl /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen
  /.../usr/bin/strip: changes being made to the file will invalidate the code signature in: /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen
  /.../usr/local/bin/cmake -E env CODESIGN_ALLOCATE=/.../usr/bin/codesign_allocate xcrun codesign -s lldb_codesign /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen /path/to/xcode/RelWithDebInfo/bin/llvm-tblgen: is already signed
  make: *** [llvm-tblgen_buildpart_1] Error 1
  Command /bin/sh failed with exit code 2
sgraenitz updated this revision to Diff 176844.Dec 5 2018, 9:20 AM

Add --force parameter

sgraenitz updated this revision to Diff 177874.Dec 12 2018, 9:51 AM

Add --force flag when using the Xcode generator to avoid double-signing errors

sgraenitz retitled this revision from [CMake] llvm_codesign polishing to [CMake] llvm_codesign workaround for Xcode double-signing errors.Dec 12 2018, 10:07 AM
sgraenitz edited the summary of this revision. (Show Details)
sgraenitz added a reviewer: kubamracek.
sgraenitz added a subscriber: Restricted Project.
kubamracek accepted this revision.Dec 12 2018, 11:29 AM

I'd slightly prefer to use --force for *all* builds, not just Xcode builds, to have uniformity. But LGTM even in this form if you feel strongly about it.

This revision is now accepted and ready to land.Dec 12 2018, 11:29 AM

Ninja builds work well without it. In order to catch actual double-signing problems here, I would prefer to pass it only in case of Xcode generator.

This revision was automatically updated to reflect the committed changes.
beanz added a comment.Dec 13 2018, 4:55 PM

Sorry for being behind on this, but I don't think this is the right solution to the problem.

I don't think we should ever pass --force. To avoid duplicate code signing when using the Xcode generator we should set the XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY target property so that Xcode actually knows what signing identity to use and can properly build the target.

Fair enough. Will create a ticket for it. At least this works for now.