[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-13 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz abandoned this revision.
sgraenitz added a comment.

Finally, debugserver with llvm_codesign: https://reviews.llvm.org/D54476


https://reviews.llvm.org/D54352



___
lldb-commits mailing list
lldb-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits


[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-12 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz added a comment.

Please find the alternative proposal in https://reviews.llvm.org/D54443 (llvm) 
and https://reviews.llvm.org/D5 (lldb).


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-12 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz added a comment.

Ok, I will have a look and prepare a draft.


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-12 Thread Chris Bieneman via Phabricator via lldb-commits
beanz added a comment.

I can certainly foresee other LLVM-based projects needing entitlements, so I am 
very much in favor of adding `ENTITLEMENTS` and `FORCE` options onto 
`llvm_codesign`.


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-12 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz added a comment.

Yes, considered it, but was not sure whether it's a good idea to bloat the 
general mechanism in LLVM to match the requirements for a single subproject. Do 
you think other projects would benefit from it?

My reasoning was: Passing through target-specific parameters to llvm_codesign 
is not simple as it runs "implicitly" as part of add_llvm_executable/library. 
In order to align with its current approach, entitlements had to be set in a 
global variable (like LLVM_CODESIGNING_IDENTITY) beforehand. Furthermore, we 
want to avoid entitlements to be used for yet another target, so we had to 
unset it afterwards. The conditions that determine the correct entitlements for 
each situation seem to be complicated already. Not sure if that's a good 
combination.

OTOH, if we are in favour of a unified implementation, it would be great to 
encapsulate the details and write something like:

  add_lldb_tool(target
    ${sources}

    LINK_LIBS
      ${libs}

    ENTITLEMENTS
      ${entitlements}
    )

I think this would still require quite some additions to llvm_codesign. I went 
with the simpler version for now. What do you think?


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-09 Thread Chris Bieneman via Phabricator via lldb-commits
beanz added a comment.

Why not just add entitlement support to ‘llvm_codesign’? Or feed through extra 
arguments?


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-09 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz added a comment.

This would soon be used for other targets as well. llvm_codesign is here: 
https://reviews.llvm.org/D48797




Comment at: cmake/modules/AddLLDB.cmake:212
+  set(pass_force "--force")
+endif()
+

So far `--force` was used everywhere to avoid trouble with double signing, I 
guess (turns the error into a warning). IIUC this should never happen for a 
post-build action, right? Thus, the "more correct" way may be to remove this 
from invocations/altogether and go fix the actual issue if it ever fails. But 
then I think, who wants to bother with double code signing issues..

Anyway, llvm_codesign doesn't force. Any good reason to keep it?


https://reviews.llvm.org/D54352





[Lldb-commits] [PATCH] D54352: [CMake] Explicit lldb_codesign function with application in debugserver and lldb-server

2018-11-09 Thread Stefan Gränitz via Phabricator via lldb-commits
sgraenitz created this revision.
sgraenitz added reviewers: beanz, bogner, lanza, friss.
Herald added a subscriber: mgorny.

Add LLDB-specific utility function lldb_codesign. In contrast to llvm_codesign, 
it must be invoked explicitly and allows passing a target-specific entitlements 
file as well as an override for the codesign identity.


https://reviews.llvm.org/D54352

Files:
  CMakeLists.txt
  cmake/modules/AddLLDB.cmake
  tools/debugserver/CMakeLists.txt
  tools/debugserver/source/CMakeLists.txt
  tools/lldb-server/CMakeLists.txt

Index: tools/lldb-server/CMakeLists.txt
===
--- tools/lldb-server/CMakeLists.txt
+++ tools/lldb-server/CMakeLists.txt
@@ -64,3 +64,11 @@
 )
 
 target_link_libraries(lldb-server PRIVATE ${LLDB_SYSTEM_LIBS})
+
+if(APPLE)
+  if(NOT IOS)
+set(entitlements ${LLDB_SOURCE_DIR}/resources/debugserver-macosx-entitlements.plist)
+  endif()
+
+  lldb_codesign(TARGETS lldb-server ENTITLE ${entitlements} FORCE)
+endif()
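Review bot: `entitlements` is only assigned inside `if(NOT IOS)`, so on iOS the call `lldb_codesign(TARGETS lldb-server ENTITLE ${entitlements} FORCE)` uses whatever value the variable already has in this scope, or nothing at all. Assign it in both branches, or `unset(entitlements)` before the `if`, so lldb-server is never signed with an entitlements file inherited from elsewhere. A comment explaining why lldb-server on macOS is signed with `debugserver-macosx-entitlements.plist` would also help, since the file name suggests it belongs to a different binary.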
Index: tools/debugserver/source/CMakeLists.txt
===
--- tools/debugserver/source/CMakeLists.txt
+++ tools/debugserver/source/CMakeLists.txt
@@ -206,16 +206,6 @@
 )
 endif()
 
-set(entitlements_xml ${CMAKE_CURRENT_SOURCE_DIR}/debugserver-macosx-entitlements.plist)
-if(IOS)
-  set(entitlements_xml ${CMAKE_CURRENT_SOURCE_DIR}/debugserver-entitlements.plist)
-else()
-  set(entitlements_xml ${CMAKE_CURRENT_SOURCE_DIR}/../../../resources/debugserver-macosx-entitlements.plist)
-endif()
-
-set(LLDB_USE_ENTITLEMENTS_Default On)
-option(LLDB_USE_ENTITLEMENTS "Use entitlements when codesigning (Defaults Off when using lldb_codesign identity, otherwise On)" ${LLDB_USE_ENTITLEMENTS_Default})
-
 if (SKIP_DEBUGSERVER)
   if (CMAKE_HOST_APPLE)
 # If we haven't built a signed debugserver, copy the one from the system.
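Review bot: the `option(LLDB_USE_ENTITLEMENTS ...)` declaration removed here comes back in tools/debugserver/CMakeLists.txt only inside `if (CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)`, that is, for the standalone debugserver build. The top-level CMakeLists.txt is listed among the changed files; please make sure it declares the option for in-tree builds. The usage comment of lldb_codesign says ENTITLE is honoured only if LLDB_USE_ENTITLEMENTS is set, so an undefined option would drop the entitlements without any message.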
@@ -225,32 +215,16 @@
   COMMENT "Copying the system debugserver to LLDB's binaries directory.")
   endif()
 else()
-  if(LLDB_USE_ENTITLEMENTS)
-set(entitlements_flags --entitlements ${entitlements_xml})
-  endif()
-  execute_process(
-COMMAND xcrun -f codesign_allocate
-OUTPUT_STRIP_TRAILING_WHITESPACE
-OUTPUT_VARIABLE CODESIGN_ALLOCATE
-)
-  add_custom_command(TARGET debugserver
-POST_BUILD
-COMMAND ${CMAKE_COMMAND} -E env CODESIGN_ALLOCATE=${CODESIGN_ALLOCATE}
-codesign --force --sign ${LLDB_CODESIGN_IDENTITY}
-${entitlements_flags}
-$
-  )
-  if(IOS)
-add_custom_command(TARGET debugserver-nonui
-  POST_BUILD
-  COMMAND ${CMAKE_COMMAND} -E env CODESIGN_ALLOCATE=${CODESIGN_ALLOCATE}
-  codesign --force --sign ${LLDB_CODESIGN_IDENTITY}
-  ${entitlements_flags}
-  $
-)
+  if(APPLE)
+if(IOS)
+  set(entitlements ${CMAKE_CURRENT_SOURCE_DIR}/debugserver-entitlements.plist)
+  set(targets debugserver debugserver-nonui)
+else()
+  # Same entitlements file used for lldb-server
+  set(entitlements ${LLDB_SOURCE_DIR}/resources/debugserver-macosx-entitlements.plist)
+  set(targets debugserver)
+endif()
+
+lldb_codesign(TARGETS ${targets} ENTITLE ${entitlements} FORCE)
   endif()
 endif()
-
-
-
-
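Review bot: the removed post-build command ran codesign under `CODESIGN_ALLOCATE=${CODESIGN_ALLOCATE}`, resolved via `xcrun -f codesign_allocate`, and nothing at the new call site `lldb_codesign(TARGETS ${targets} ENTITLE ${entitlements} FORCE)` shows that this is preserved. Please confirm that lldb_codesign sets the same environment for the codesign invocation, otherwise signing may pick up a different codesign_allocate than before. `FORCE` is also hard-coded here; given the open question in the review about whether `--force` is still needed for a post-build step, a short comment on why this call site keeps it would be useful.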
Index: tools/debugserver/CMakeLists.txt
===
--- tools/debugserver/CMakeLists.txt
+++ tools/debugserver/CMakeLists.txt
@@ -3,6 +3,8 @@
 project(Debugserver LANGUAGES C CXX ASM-ATT)
 
 if (CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
+  option(LLDB_USE_ENTITLEMENTS "When codesigning use entitlements if available" ON)
+
   set(CMAKE_MODULE_PATH
 ${CMAKE_MODULE_PATH}
 "${CMAKE_SOURCE_DIR}/../../cmake"
Index: cmake/modules/AddLLDB.cmake
===
--- cmake/modules/AddLLDB.cmake
+++ cmake/modules/AddLLDB.cmake
@@ -177,3 +177,61 @@
   # Now set them onto the target.
   set_target_properties(${target_name} PROPERTIES LINK_FLAGS ${new_link_flags})
 endfunction()
+
+# Usage: lldb_codesign(TARGETS t1 t2 [ENTITLE file] [IDENTITY override] [FORCE])
+#
+# In contrast to the LLVM implementation, this function must be invoked
+# explicitly for all targets that need code signing.
+#
+# IDENTITY defaults to LLDB_CODESIGN_IDENTITY. Code signing is skipped if it's
+# empty and no override passed. ENTITLE specifies the entitlements file to use
+# if LLDB_USE_ENTITLEMENTS is set. FORCE causes codesign to replace existing
+# signatures.
+#
+function(lldb_codesign)
+  cmake_parse_arguments(ARG "FORCE" "ENTITLE;IDENTITY" "TARGETS" ${ARGN})
+
+  if(ARG_IDENTITY)
+set(pass_identity --sign ${ARG_IDENTITY})
+  elseif(LLDB_CODESIGN_IDENTITY)
+set(pass_identity --sign ${LLDB_CODESIGN_IDENTITY})
+  endif()
+
+  if(NOT pass_identity)
+message(WARNING "Skip code signing for ${ARG_TARGETS} due to missing identity")
+return()
+  endif()
+
+  if(APPLE)
+if(LLDB_USE_ENTITLEMENTS AND
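Review bot: in `if(NOT pass_identity)` a missing identity only produces `message(WARNING ...)` followed by `return()`, so the targets passed in can come out of the build unsigned and without entitlements, with nothing but a configure-time warning. For targets that need a signature, consider an extra keyword (for example a hypothetical `REQUIRED`) that turns this case into `message(FATAL_ERROR ...)`. The identity check also runs before `if(APPLE)`, so a call on another platform warns about a missing identity even though signing would never apply there; moving the platform guard to the top of the function avoids that.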