This is an archive of the discontinued LLVM Phabricator instance.

Differential D63745

[CMake] Check that a certificate for lldb is present at build time.
ClosedPublic

Authored by davide on Jun 24 2019, 4:46 PM.

Details

Reviewers
JDevlieghere
sgraenitz
aprantl
friss
Commits
rG97017a8ef9c9: [CMake] Check that a certificate for lldb is present at build time.
rL364334: [CMake] Check that a certificate for lldb is present at build time.
rLLDB364334: [CMake] Check that a certificate for lldb is present at build time.

Diff Detail

Event Timeline

davide created this revision.Jun 24 2019, 4:46 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 24 2019, 4:46 PM
Herald added a subscriber: mgorny. · View Herald Transcript
Harbormaster completed remote builds in B33841: Diff 206330.Jun 24 2019, 4:46 PM
JDevlieghere accepted this revision.Jun 24 2019, 4:46 PM

LGTM

This revision is now accepted and ready to land.Jun 24 2019, 4:46 PM
davide added a comment.Jun 24 2019, 4:48 PM

rdar://problem/52078735

JDevlieghere requested changes to this revision.Jun 24 2019, 5:52 PM

On second thought, let's check that LLDB_CODESIGN_IDENTITY equals lldb_codesign before doing this check.

This revision now requires changes to proceed.Jun 24 2019, 5:52 PM
labath added a subscriber: labath.Jun 24 2019, 11:42 PM

This code should go to tools/debugserver/source/CMakeLists.txt so that it is next to the code which performs the actual code signing. Doing that will make it easier to keep it in sync with changes to code signing, as well as make it obvious that it is not in sync with them right now (there's a pretty complex interaction of various cmake options (LLDB_CODESIGN_IDENTITY, LLVM_CODESIGNING_IDENTITY, LLDB_USE_SYSTEM_DEBUGSERVER, etc.) which affects code signing, and this code is ignoring all of those)...

xiaobai added a subscriber: xiaobai.Jun 24 2019, 11:46 PM
In D63745#1556773, @JDevlieghere wrote:

On second thought, let's check that LLDB_CODESIGN_IDENTITY equals lldb_codesign before doing this check.

This question isn't important but I'm kind of curious: Does it have to be called lldb_codesign? Could you have an arbitrary identity and then sign with that, assuming the cert exists, or does debugserver expect a cert with that name exactly?

lldb/CMakeLists.txt
77 ↗(On Diff #206330)

I think CMAKE_SYSTEM_NAME MATCHES "Darwin" is redundant because debugserver should only be a target if you're running on Darwin, per the logic in tools/CMakeLists.txt.

xiaobai added a comment.Jun 24 2019, 11:47 PM
In D63745#1556941, @labath wrote:

This code should go to tools/debugserver/source/CMakeLists.txt so that it is next to the code which performs the actual code signing. Doing that will make it easier to keep it in sync with changes to code signing, as well as make it obvious that it is not in sync with them right now (there's a pretty complex interaction of various cmake options (LLDB_CODESIGN_IDENTITY, LLVM_CODESIGNING_IDENTITY, LLDB_USE_SYSTEM_DEBUGSERVER, etc.) which affects code signing, and this code is ignoring all of those)...

+1

friss added a comment.Jun 25 2019, 12:17 AM
In D63745#1556943, @xiaobai wrote:
In D63745#1556773, @JDevlieghere wrote:

On second thought, let's check that LLDB_CODESIGN_IDENTITY equals lldb_codesign before doing this check.

This question isn't important but I'm kind of curious: Does it have to be called lldb_codesign? Could you have an arbitrary identity and then sign with that, assuming the cert exists, or does debugserver expect a cert with that name exactly?

The name doesn't matter.

sgraenitz added a comment.Jun 25 2019, 5:35 AM

In D63745#1556941, @labath wrote:
This code should go to tools/debugserver/source/CMakeLists.txt

+1

More precisely, this is the condition where you want to do your check:
https://github.com/llvm/llvm-project/blob/287f0403e310/lldb/tools/debugserver/source/CMakeLists.txt#L131

You don't need if(CMAKE_SYSTEM_NAME MATCHES "Darwin" AND TARGET debugserver) there.
Use ${LLDB_CODESIGN_IDENTITY_USED} instead of lldb_codesign.
Error message could recommend -DLLDB_USE_SYSTEM_DEBUGSERVER=ON and/or -DLLDB_NO_DEBUGSERVER=ON

davide added a comment.Jun 25 2019, 7:38 AM
In D63745#1556941, @labath wrote:

This code should go to tools/debugserver/source/CMakeLists.txt so that it is next to the code which performs the actual code signing. Doing that will make it easier to keep it in sync with changes to code signing, as well as make it obvious that it is not in sync with them right now (there's a pretty complex interaction of various cmake options (LLDB_CODESIGN_IDENTITY, LLVM_CODESIGNING_IDENTITY, LLDB_USE_SYSTEM_DEBUGSERVER, etc.) which affects code signing, and this code is ignoring all of those)...

New patch coming, thanks!

davide updated this revision to Diff 206475.Jun 25 2019, 9:55 AM

Address feedback from many.

Harbormaster completed remote builds in B33892: Diff 206475.Jun 25 2019, 9:57 AM
sgraenitz added a comment.Jun 25 2019, 10:01 AM

LGTM

This revision was not accepted when it landed; it landed in state Needs Review.Jun 25 2019, 10:13 AM
Closed by commit rL364334: [CMake] Check that a certificate for lldb is present at build time. (authored by davide). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJun 25 2019, 10:13 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
lldb/
tools/
debugserver/
source/
15 lines

Diff 206475

lldb/tools/debugserver/source/CMakeLists.txt

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines
else() else()
# No tests for debugserver, no tests that require it. # No tests for debugserver, no tests that require it.
set(DEBUGSERVER_PATH "" CACHE FILEPATH "" FORCE) set(DEBUGSERVER_PATH "" CACHE FILEPATH "" FORCE)
set(SKIP_TEST_DEBUGSERVER ON CACHE BOOL "" FORCE) set(SKIP_TEST_DEBUGSERVER ON CACHE BOOL "" FORCE)
message(STATUS "lldb debugserver will not be available.") message(STATUS "lldb debugserver will not be available.")
endif() endif()
# On MacOS, debugserver needs to be codesigned when built. Check if we have
# a certificate instead of failing in the middle of the build.
if(build_and_sign_debugserver)
execute_process(
COMMAND security find-certificate -Z -p -c ${LLDB_CODESIGN_IDENTITY_USED} /Library/Keychains/System.keychain
RESULT_VARIABLE cert_return
OUTPUT_QUIET
ERROR_QUIET)
if (cert_return)
message(FATAL_ERROR "Certificate for debugserver not found. Run scripts/macos-setup-codesign.sh or "
"use the system debugserver passing -DLLDB_USE_SYSTEM_DEBUGSERVER=ON to CMake")
endif()
endif()
if(APPLE) if(APPLE)
if(IOS) if(IOS)
find_library(BACKBOARD_LIBRARY BackBoardServices find_library(BACKBOARD_LIBRARY BackBoardServices
PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks) PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks)
find_library(FRONTBOARD_LIBRARY FrontBoardServices find_library(FRONTBOARD_LIBRARY FrontBoardServices
PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks) PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks)
find_library(SPRINGBOARD_LIBRARY SpringBoardServices find_library(SPRINGBOARD_LIBRARY SpringBoardServices
PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks) PATHS ${CMAKE_OSX_SYSROOT}/System/Library/PrivateFrameworks)
▲ Show 20 LinesShow All 162 LinesShow Last 20 Lines