Wednesday, October 6, 2021

Reproducible Code Signing on Apple Silicon

Keith Smiley:

For people who expect reproducible builds, Apple Silicon machines provide an interesting challenge.


The gist of this logic is to fetch the UUID embedded in every binary and use that to derive the identifier. The reason this isn’t reproducible across architectures is because the UUID is based on the content of each binary, which differs across architectures.


While this was a very informative deep dive into this logic, if you rely on reproducible binaries and want to support Apple Silicon machines, you need to do 2 things for binaries without Info.plist files:

  1. Don’t allow the linker to automatically sign your binaries by passing -no_adhoc_codesign
  2. Pass an explicit identifier when linking binaries with --identifier to the codesign invocation
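The check a build engineer would want after applying those two steps is to confirm that the x86_64 and arm64 builds actually end up with the same signing identifier. The script below is an added example, not code from Keith Smiley's post: it parses the `key=value` lines that `codesign -d -vv` prints, compares identifiers across architecture builds, and flags identifiers that look derived from the binary's UUID. The exact shape of a UUID-derived identifier (a `-` followed by 32 hex digits) is an assumption made here, the sample `codesign` outputs are constructed, and `sign_explicit` is a hypothetical helper name wrapping the real `codesign -s - --identifier` invocation.

```python
"""Compare code-signing identifiers across per-architecture Mach-O builds."""
import re
import shutil
import subprocess

# Assumption (not stated in the post): an identifier derived from the binary's
# UUID ends in "-" plus 32 hex digits. Such a suffix means no explicit
# --identifier was supplied and the value will differ per architecture.
UUID_SUFFIX = re.compile(r"-[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample output in the format `codesign -d -vv` writes to stderr.
SAMPLE_X86_LINKER_SIGNED = """\
Executable=/tmp/build-x86_64/hello
Identifier=hello-e5a1f3c8d2b94a7f8c6d1e2f3a4b5c6d
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=245 flags=0x2(adhoc) hashes=2+2 location=embedded
Signature=adhoc
Info.plist=not bound
"""
SAMPLE_ARM_LINKER_SIGNED = SAMPLE_X86_LINKER_SIGNED.replace(
    "x86_64", "arm64").replace(
    "e5a1f3c8d2b94a7f8c6d1e2f3a4b5c6d", "0b7c2d9e4f1a4c3d9e8f7a6b5c4d3e2f")
SAMPLE_X86_EXPLICIT = re.sub(r"Identifier=.*", "Identifier=com.example.hello",
                             SAMPLE_X86_LINKER_SIGNED)
SAMPLE_ARM_EXPLICIT = re.sub(r"Identifier=.*", "Identifier=com.example.hello",
                             SAMPLE_ARM_LINKER_SIGNED)


def parse_codesign_info(text):
    """Turn `codesign -d -vv` output into a dict keyed on the text before '='."""
    info = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    return info


def looks_uuid_derived(identifier):
    """True when the identifier carries the assumed UUID-hex suffix."""
    return UUID_SUFFIX.search(identifier) is not None


def is_adhoc(info):
    """True when codesign reports an ad-hoc (unsigned-by-identity) signature."""
    return info.get("Signature") == "adhoc"


def compare_builds(builds):
    """builds: {arch_label: codesign_output}. Returns a list of findings;
    an empty list means the identifiers agree and none look UUID-derived."""
    findings = []
    parsed = {arch: parse_codesign_info(out) for arch, out in builds.items()}
    identifiers = {arch: p.get("Identifier", "") for arch, p in parsed.items()}
    if len(set(identifiers.values())) > 1:
        findings.append("identifier differs across builds: %r" % identifiers)
    for arch, ident in sorted(identifiers.items()):
        if looks_uuid_derived(ident):
            findings.append("%s: identifier %r looks UUID-derived; "
                            "pass --identifier to codesign" % (arch, ident))
    return findings


def codesign_info(path):
    """Run the real codesign tool (macOS only) and parse its output."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; this step needs macOS")
    proc = subprocess.run(["codesign", "-d", "-vv", path],
                          capture_output=True, text=True, check=True)
    return parse_codesign_info(proc.stderr)


def sign_explicit(path, identifier):
    """Hypothetical helper: ad-hoc sign with a fixed identifier. The binary
    should have been linked with -Wl,-no_adhoc_codesign so the linker did
    not already sign it with a UUID-derived identifier."""
    subprocess.run(["codesign", "--force", "-s", "-",
                    "--identifier", identifier, path], check=True)


if __name__ == "__main__":
    print(compare_builds({"x86_64": SAMPLE_X86_LINKER_SIGNED,
                          "arm64": SAMPLE_ARM_LINKER_SIGNED}))
    print(compare_builds({"x86_64": SAMPLE_X86_EXPLICIT,
                          "arm64": SAMPLE_ARM_EXPLICIT}))
```

On a Mac, replace the constructed samples with `codesign_info(path)` for each architecture's output; the first comparison above reports three findings (differing identifiers plus one UUID-derived identifier per architecture), the second reports none.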

