Codesign macOS executable created pp


Hello,

I need some help with the following issue. I need to codesign my macOS .app
containing an executable created with pp. Unfortunately code signing fails
with the error 'main executable failed strict validation'

The .app contains many files (even other binaries) and code signing works
without problems if the executable generated with pp is taken out. So the
issue must be with this very executable. (I also use the option --deep to
allow code signing of any nested file).

I found this
https://stackoverflow.com/questions/28863500/code-signing-in-mac-with-perl-scripts-compiled-with-parpacker-fails
but I am not sure if it has to do with pp and, furthermore, there is not a
complete solution.

So, any help in solving this issue would be very much appreciated.

Welle

0
par
4/12/2019 9:34:24 PM


On Fri, Apr 12, 2019 at 11:34 PM welle Ozean via par <par@perl.org> wrote:

> I need some help with the following issue. I need to codesign my macOS
> .app containing an executable created with pp. Unfortunately code signing
> fails with the error 'main executable failed strict validation'
>

It's helpful to know what an executable created by pp is made up of:

   1. an actual executable (it's the same for any executable created by pp)
   2. a zip file containing Perl modules, scripts, DLLs, data etc
   3. other stuff, e.g. a bunch of essential Perl modules (not in the zip),
   a SHA1 and the PAR "signature" "\nPAR.pm\n"

These parts are simply concatenated. Note that the extra stuff in 2 and 3
is not reflected in the (Mach-O, ELF etc depending on the OS) headers of
the actual executable.
One can easily demonstrate this by running the pp created executable thru
"strip" - this removes parts 2 and 3, rendering the result a valid
executable, but no longer working for PAR.

> I found this
> https://stackoverflow.com/questions/28863500/code-signing-in-mac-with-perl-scripts-compiled-with-parpacker-fails
> but I am not sure if it has to do with pp and, furthermore, there is not a
> complete solution.
>

It's conceivable that one can write a program to manipulate the Mach-O
headers of the executable so that parts 2 and 3 become "legitimate" sections
of the executable. I don't know whether the Python script mentioned in the
stackoverflow achieves that. Note that the problem - that the PAR signature
has to be the last thing in the executable - has since been relaxed, it
will be searched for in the last 128 kB of the executable, so appending
stuff (e.g. the "codesign" signature) should be safe.

Cheers, Roderich

0
roderich
4/13/2019 4:43:21 PM
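
The layout described in the reply above can be checked on a given binary. The following is an added example, not code from the thread or from PAR: it reads the Mach-O load commands to find where the declared executable ends, reports how many bytes are appended beyond that point, and checks whether the "\nPAR.pm\n" marker lies in the last 128 kB. It assumes a thin 64-bit little-endian Mach-O (fat binaries are not handled); the function names and the sample file are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, little-endian on disk
LC_SEGMENT_64 = 0x19
PAR_MARKER = b"\nPAR.pm\n"    # the PAR "signature" named in the reply
SEARCH_WINDOW = 128 * 1024    # marker is searched for in the last 128 kB

def macho_declared_end(data):
    """Highest file offset covered by any LC_SEGMENT_64 load command."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _rsvd = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    end, off = 0, 32          # load commands start after the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            # segment_command_64: fileoff, filesize follow segname, vmaddr, vmsize
            fileoff, filesize = struct.unpack_from("<2Q", data, off + 8 + 16 + 16)
            end = max(end, fileoff + filesize)
        off += cmdsize
    return end

def inspect_pp_binary(data):
    """Report appended (undeclared) bytes and whether the PAR marker is findable."""
    end = macho_declared_end(data)
    pos = data.rfind(PAR_MARKER, max(0, len(data) - SEARCH_WINDOW))
    return {
        "declared_end": end,
        "overlay_bytes": max(0, len(data) - end),
        "par_marker_in_window": pos != -1,
        "bytes_after_marker": len(data) - pos - len(PAR_MARKER) if pos != -1 else None,
    }

def build_sample(trailer=b""):
    """Constructed sample: one-segment 4096-byte Mach-O plus pp-style appended data."""
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0, 4096, 0, 4096, 5, 5, 0, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg), 0, 0)
    macho = (hdr + seg).ljust(4096, b"\0")
    appended = b"PK\x03\x04" + b"\0" * 80 + PAR_MARKER   # stand-in for parts 2 and 3
    return macho + appended + trailer

if __name__ == "__main__":
    print(inspect_pp_binary(build_sample()))
    # 1000 constructed bytes standing in for data appended after the marker
    print(inspect_pp_binary(build_sample(trailer=b"\0" * 1000)))
```

To inspect a real file, pass `open(path, "rb").read()` to `inspect_pp_binary`; a non-zero `overlay_bytes` is the concatenated data that the headers do not account for.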