Commit fe1b200
committed
darwin/macos: don't explicit-codesign bundled C extensions (keep linker-signed)
strip_framework() already strips every .so/.dylib, and on arm64 they keep the
*linker-signed* adhoc signature install_name_tool/strip apply (CodeDirectory
flags 0x20002). codesign_framework() was then re-signing the .so with
`codesign -s -`, replacing that with an *explicit* adhoc signature (flags 0x2).
An explicit adhoc signature is treated as final: a downstream Xcode app build
refuses to strip it ("not stripping binary because it is signed", once per
extension) and won't re-sign it. A linker-signed signature is replaceable, so
the app build strips + re-signs the extension cleanly — exactly like a pip
wheel's .so.
Sign only the framework binary and the bundled OpenSSL dylibs; leave the
lib-dynload .so stripped + linker-signed. They're extracted into the stdlib
resource tree, so they aren't covered by the framework's own seal anyway. Result
for any consuming app (SPM or CocoaPods): no per-extension strip warnings and a
smaller app, since Xcode can finally strip + re-sign them.1 parent 69fd887 commit fe1b200
1 file changed
Lines changed: 13 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
483 | 483 | | |
484 | 484 | | |
485 | 485 | | |
486 | | - | |
487 | | - | |
488 | | - | |
489 | | - | |
| 486 | + | |
| 487 | + | |
| 488 | + | |
| 489 | + | |
| 490 | + | |
| 491 | + | |
| 492 | + | |
| 493 | + | |
| 494 | + | |
| 495 | + | |
| 496 | + | |
| 497 | + | |
| 498 | + | |
490 | 499 | | |
491 | 500 | | |
492 | 501 | | |
| |||
0 commit comments