From 1769b1f8e4fc34978b6c131b8b8ec9df846619f0 Mon Sep 17 00:00:00 2001
From: tannevaled
Date: Fri, 5 Jun 2026 23:56:12 +0200
Subject: [PATCH] fix(fix-machos): force adhoc signing for virtualization/hypervisor entitlements
When pantry CI has imported a Developer ID via apple-actions/import-codesign-certs, brewkit re-signs every Mach-O with that Developer ID. Some entitlements -- notably com.apple.security.virtualization and com.apple.security.hypervisor -- require either adhoc signing or a Developer ID with a matching provisioning profile. A generic Developer ID without that provisioning is rejected by macOS Virtualization.framework / hypervisor.framework at runtime (the binary launches but vz / hv calls fail). This is what caused lima's limactl to break on pkgx bottles while the Homebrew bottle worked: Homebrew adhoc-signs these binaries, brewkit was re-signing them with the Tea Inc. Developer ID, losing the entitlement. Fix: when these entitlements are present, force adhoc signing instead of using the Developer ID. Mirrors Homebrew's behavior for the same class of binaries. Continues the codesign work from #349 (which only covered the adhoc->adhoc path -- the Developer-ID->adhoc path needed this complementary guard).
Refs: pkgxdev/pantry#7853
Co-Authored-By: Claude Opus 4.7
---
lib/bin/fix-machos.rb | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/lib/bin/fix-machos.rb b/lib/bin/fix-machos.rb
index f5e552db..c8b03803 100755
--- a/lib/bin/fix-machos.rb
+++ b/lib/bin/fix-machos.rb
@@ -76,6 +76,25 @@ def codesign!(filename)
 entitlements_xml, _, _ = Open3.capture3("codesign", "-d", "--entitlements", ":-", filename)
 has_entitlements = !entitlements_xml.strip.empty?
 
+ # Some entitlements (notably `com.apple.security.virtualization` and
+ # `com.apple.security.hypervisor`) require either adhoc signing or a
+ # Developer ID with a matching provisioning profile. When pantry CI
+ # has imported a Developer ID via `apple-actions/import-codesign-certs`,
+ # `signing_id` is that Developer ID — but it generally has no matching
+ # provisioning, so macOS Virtualization.framework / hypervisor.framework
+ # refuse the entitlement at runtime (the binary launches but vz / hv
+ # calls fail). Homebrew sidesteps this by always adhoc-signing these
+ # binaries. Mirror that: force adhoc when these entitlements are present.
+ # See pkgxdev/pantry#7853.
+ privileged_entitlements = %w[
+ com.apple.security.virtualization
+ com.apple.security.hypervisor
+ ]
+ if has_entitlements and privileged_entitlements.any? { |k| entitlements_xml.include?(k) }
+ resign_with_entitlements!(filename, "-", entitlements_xml)
+ return
+ end
+
 # `--preserve-metadata=flags` does NOT preserve the adhoc flag (0x2)
 # when re-signing — codesign treats the adhoc bit as identity-derived
 # rather than a preservable flag. The result is a signed-but-not-adhoc
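Review bot: The early `return` in the new `if` block downgrades a binary from the Developer ID signature to an adhoc one without leaving any trace in the build output, so a bottle that later fails a Gatekeeper or notarization check gives no hint that fix-machos chose adhoc for it; emit a line at the decision point, e.g. `warn "fix-machos: #{filename}: forcing adhoc signature (virtualization/hypervisor entitlement present)"`, using whatever the script already logs with. The detection is a plain substring match on the plist XML, so it also fires when one of the keys is present with a `<false/>` value; that errs toward adhoc rather than toward a binary whose vz/hv calls fail, which is the safe direction, but a one-line comment saying the match is deliberately loose would stop a future reader from "tightening" it. Two smaller points: `has_entitlements and …` should be `has_entitlements && …` (the `and` keyword has assignment-level precedence and the style guide reserves it for flow control), and the `has_entitlements` guard is redundant because `include?` on an empty string is already false. `codesign!` starts and ends outside the hunk, so I cannot see whether the Developer ID path below records its choice either.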