3.5.0-alpha1: Can't build without codesign on macOS

[anmonteiro]

Expected Behavior

Able to build Dune 3.5.0-alpha1 on macOS + Nixpkgs

Actual Behavior

dune> File "_unknown_", line 1, characters 0-0:
dune> Error: Program codesign not found in the tree or in PATH
dune> Hint: codesign should be part of the macOS installation

I tried adding darwin.sigtool but I believe it brings up a password prompt that nix doesn't like.

Reproduction

• PR with a reproducing test:

Specifications

• Version of dune (output of dune --version):
• Version of ocaml (output of ocamlc --version)
• Operating system (distribution and version):

Additional information

• Link to gist with verbose output (run dune with the --verbose flag):

[emillon]

Hi! Happy that you could find that before the release. I thought that any macos that enforces signing would provide codesign. To confirm - is this a M1 mac? Which version of macos is this? Can you post the output of ocaml -config? Thanks!

[anmonteiro]

This is an m1 mac.

Nix is a hermetic build system which clears the PATH before building, so codesign isn't available, or, when it is, it requires an interactive password prompt which nix doesn't like.

Rudi suggested using a heuristic to detect whether it's a Nix environment, and disable this feature in Dune. I believe Nix already has an automatic signing hook to sign binaries.

These environment variables were available in a random Nix build I tried:

NIX_BUILD_CORES
NIX_PKG_CONFIG_WRAPPER_TARGET_HOST_aarch64_apple_darwin
NIX_ENFORCE_NO_NATIVE
NIX_BINTOOLS
NIX_DONT_SET_RPATH
NIX_SSL_CERT_FILE
NIX_STORE
NIX_ENFORCE_PURITY
NIX_LOG_FD
NIX_DONT_SET_RPATH_FOR_BUILD
NIX_NO_SELF_RPATH
NIX_CC_WRAPPER_TARGET_HOST_aarch64_apple_darwin
NIX_BUILD_TOP
NIX_CFLAGS_COMPILE
NIX_IGNORE_LD_THROUGH_GCC
NIX_CC
NIX_BINTOOLS_WRAPPER_TARGET_HOST_aarch64_apple_darwin
NIX_COREFOUNDATION_RPATH
NIX_INDENT_MAKE
NIX_HARDENING_ENABLE
NIX_LDFLAGS

[emillon]

I'm afraid a bunch of these will be set for nix users even if nix is not being used in the current build (for example I use nix to install some binaries so I'm sourcing some nix stuff, but I don't use nix to build ocaml code). Maybe some of them are only valid when building.
2 ideas for alternatives:

• we could check if a binary is correctly signed before resigning them. But as I understand it, this requires spctl which I suppose is not in PATH either.
• we could not call codesign when it's not in the PATH. Sounds a bit dangerous but might be good enough in practice.

[anmonteiro]

I don't believe that's the case. I also use a nix profile, and my environment only has these:

$ env | grep NIX_ | awk -F "=" '{print $1}'
NIX_PROFILES
NIX_SSL_CERT_FILE

[anmonteiro]

we could not call codesign when it's not in the PATH. Sounds a bit dangerous but might be good enough in practice.

perhaps along with a warning that says it tried to invoke codesign and failed.

[emillon]

Something we could also use is to call codesign only when some substitutions have been performed. That wouldn't solve the problem of supporting substitutions on mac+nix, but at least we'd avoid a regression.

[rgrinberg]

Another possibility: we could also introduce an env var to disable the code signing. This could be used by nix functions such buildDunePackage that could set this variable.

[emillon]

I tried on my Debian system where I installed nix and I have NIX_PATH, NIX_PROFILES, and NIX_SSL_CERT_FILE. I'll try to implement the "codesign only if substitutions happened" technique, and otherwise we can try to skip codesign if it's not in path and some nix env var is set. But I don't like that too much, since we're just delaying the problem (we'll probably need to support the case where substitution happens, and codesign (or something else) needs to be provided by nix.