12 Jul 2025 |
emily | yes use repart whenever possible | 09:35:03 |
K900 | OK folks this is not a good situation | 10:19:56 |
K900 | But there was a cppnix change last night that fixed an extremely critical security issue with no due process | 10:20:16 |
K900 | https://github.com/NixOS/nix/pull/13455 | 10:20:17 |
K900 | Yes this means all the builds on affected Nix versions run as literal root | 10:20:28 |
emily | is it relevant only in the sandbox | 10:20:40 |
emily | uh | 10:20:41 |
emily | holy fuck | 10:20:45 |
K900 | No, it's relevant only on Darwin | 10:20:48 |
K900 | Where there is normally no sandbox | 10:20:53 |
emily | the PR branch said sandbox | 10:20:59 |
emily | I'm not going to be at a computer for another few hours but can you like post an advisory to Discourse in the announcements security please | 10:21:19 |
emily | sigh this is the second time in weeks the Nix team have followed highly questionable vulnerability disclosure practices | 10:21:55 |
Randy Eckenrode | Is Lix affected or only Nix? | 10:22:15 |
emily | that was my next question | 10:22:23 |
K900 | Lix is unaffected | 10:22:30 |
| * raitobezarius goes on vacation *now* | 10:30:12 |
K900 | The affected Nix versions are 2.30 only, which did not make it into nixpkgs | 10:30:38 |
K900 | So the actual scope of the damage is likely limited | 10:30:44 |
Ihar Hrachyshka | a new podman-desktop bumped electron 36->37 and now fails on arm with
> • copying Electron source=/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/electron-dist/Electron.app destination=/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/dist/mac-arm64/Electron.app
> • falling back to ad-hoc signature for macOS application code signing
> • signing file=dist/mac-arm64/Podman Desktop.app platform=darwin type=distribution identityName=- identityHash=none provisioningProfile=none
> • Above command failed, retrying 3 more times
> • Above command failed, retrying 3 more times
> • Above command failed, retrying 3 more times
> • Above command failed, retrying 3 more times
> ⨯ spawn codesign ENOENT failedTask=build stackTrace=Error: spawn codesign ENOENT
> at Process.ChildProcess._handle.onexit (node:internal/child_process:285:19)
> at onErrorNT (node:internal/child_process:483:16)
> at processTicksAndRejections (node:internal/process/task_queues:90:21)
even though we set CSC_IDENTITY_AUTO_DISCOVERY = lib.optionals stdenv.hostPlatform.isDarwin "false";
and apparently there was some change in electron-builder lately that attempts to apply some "ad-hoc" signature to arm apps: https://github.com/electron-userland/electron-builder/pull/9007 because they are "damaged" otherwise.
in Console.app I see these messages around the time of signing failure:
error 12:53:11.368210-0400 syspolicyd os_unix.c:49448: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
error 12:53:11.369669-0400 syspolicyd os_unix.c:49448: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
...
default 12:53:12.579237-0400 launchservicesd [0x574044500] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper
default 12:53:12.579324-0400 com.apple.CodeSigningHelper [0xb6a0e8000] activating connection: mach=false listener=false peer=true name=com.apple.CodeSigningHelper.peer[663].0xb6a0e8000
default 12:53:12.579683-0400 com.apple.CodeSigningHelper [0xb6a0e8000] invalidated because the client process (pid 663) either cancelled the connection or exited
default 12:53:12.631917-0400 launchservicesd [0x574045f00] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper
default 12:53:12.632026-0400 com.apple.CodeSigningHelper [0xb6a0e8000] activating connection: mach=false listener=false peer=true name=com.apple.CodeSigningHelper.peer[663].0xb6a0e8000
default 12:53:12.632412-0400 com.apple.CodeSigningHelper [0xb6a0e8000] invalidated because the client process (pid 663) either cancelled the connection or exited
...
default 12:53:20.149167-0400 kernel AMFI: '/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/node_modules/app-builder-bin/mac/app-builder_arm64': Unrecoverable CT signature issue, bailing out.
default 12:53:20.149169-0400 kernel AMFI: code signature validation failed.
oh and I see similar messages coming from other apps in the same log (like my git-sync daemons)
default 12:53:28.652167-0400 kernel AMFI: '/nix/store/4dssl7vf761w4jz4r6nyqfnsnrrajby9-git-sync-0-unstable-2025-06-26/bin/git-sync': Unrecoverable CT signature issue, bailing out.
default 12:53:28.652173-0400 kernel AMFI: code signature validation failed.
any bells ringing?
| 17:21:14 |
Zhaofeng Li | The real problem should be codesign missing, the "code signature validation failed" is a red herring I think | 17:24:16 |
Zhaofeng Li | IIRC the "error" always occurs for ad-hoc signed executables that the system has not seen before | 17:24:57 |
Zhaofeng Li | whether that actually prevents its execution depends on other policies (whether the file itself is quarantined, xprotect scanning, whether we are running iOS executables, etc.) | 17:25:49 |
Ihar Hrachyshka | ok added darwin.sigtool to native inputs but then
> ⨯ Command failed: codesign --sign - --force --timestamp --options runtime --entitlements /private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/node_modules/app-builder-lib/templates/entitlements.mac.plist /private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/dist/mac-arm64/Podman Desktop.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/af.lproj/locale.pak
> The following arguments were not expected: --options --timestamp
> Run with --help for more information.
> failedTask=build stackTrace=Error: Command failed: codesign --sign - --force --timestamp --options runtime --entitlements /private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/node_modules/app-builder-lib/templates/entitlements.mac.plist /private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/dist/mac-arm64/Podman Desktop.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/af.lproj/locale.pak
> The following arguments were not expected: --options --timestamp
| 17:33:41 |
Ihar Hrachyshka | looks like it's not really compatible. besides, we use autoSignDarwinBinariesHook in the package so I assume the signature would be applied, just later. which is why it probably worked before the "ad-hoc" change in electron-builder. | 17:35:43 |
emily | rcodesign supports ~everything but someone needs to write a compatible CLI for it | 17:37:43 |
emily | (upstream is interested) | 17:37:47 |
Zhaofeng Li | a quick dirty hack is to add a dummy codesign that does nothing I guess :P | 17:41:32 |
Ihar Hrachyshka | added -c.mac.identity=null to electron-builder command, looks like it disabled the signing by the builder. every package will probably have to do it as we move them to electron-37+
podman-desktop> • skipped macOS code signing reason=identity explicitly is set to null
podman-desktop> • arm64 requires signing, but identity is set to null and signing is being skipped
podman-desktop> buildPhase completed in 42 seconds
| 17:49:40 |
Randy Eckenrode | In reply to @zhaofeng:zhaofeng.li: "IIRC the "error" always occurs for ad-hoc signed executables that the system has not seen before" — Signatures can be detached. The error occurs because the database of detached signatures does not exist. | 18:43:02 |