bug#43878: emacs fails to build on recent macOS 11.0 ARM betas


From: Daniel Martín
Subject: bug#43878: emacs fails to build on recent macOS 11.0 ARM betas
Date: Fri, 09 Oct 2020 22:57:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (darwin)

Itai Seggev <is@cs.hmc.edu> writes:

> In the last few betas of macOS on ARM, Apple has started enforcing a
> requirement that all code be properly signed.  The linker automatically adds
> an "ad-hoc" signature.  (At least for now, this is not required on x86_64,
> though I imagine it is only a matter of time given Apple's public statements
> on code signing.)
>
> The emacs build fails when the temacs is called to compile the Lisp files.
> I've tracked this down to the call to make-fingerprint on temacs.tmp.  The
> call modifies the Mach-O temacs.tmp after it was linked and signed,
> invalidating the code signature.  When it is launched, it is killed with a
> SIGABORT by the OS due to the invalid signature.
>
> I've come up with a couple of workarounds in my local build.  First, if I
> modify make-fingerprint to not store the result in the Mach-O, then
> everything seems to build fine.  It's not entirely clear to me what the
> purpose of this modification of the Mach-O is, so I don't know if such a
> solution is acceptable upstream.
>
> If it is not, then the signature _must_ be repaired after make-fingerprint is
> run.  This can be done quite simply, using 'codesign -s - -f temacs.tmp',
> which creates a new "ad-hoc" signature for the executable.
>
> If necessary, I am happy to test a patch / branch on my machine.
>

The approach to resign the executable after temacs invalidates the
digital signature seems like a good approach to me. It's also
the recommended approach in Apple's release notes:
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11-universal-apps-beta-release-notes

Note that we may want to preserve some metadata from the original
digital signature and resign the Mach-O file with something like:

codesign -s - --preserve-metadata=identifier,entitlements,flags,runtime -f temacs.tmp

But I'm not sure if it'd make a significant difference.
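
Added example, not part of the original message or of the Emacs build system: a shell helper that a build step could call after a post-link tool such as make-fingerprint has modified a signed Mach-O file. The function name resign_if_invalid is hypothetical; it checks the signature first, re-signs ad hoc only when the check fails, and then verifies the result.

```shell
# resign_if_invalid FILE
# Hypothetical helper (an assumption, not Emacs code): restore a valid ad-hoc
# signature on FILE if a post-link modification has invalidated it.
resign_if_invalid() {
    # Code signatures only matter on macOS; do nothing on other systems.
    [ "$(uname -s)" = "Darwin" ] || return 0

    # Exit status 0 means the signature still matches the file contents,
    # so there is nothing to repair.
    if codesign --verify "$1" 2>/dev/null; then
        return 0
    fi

    # Replace the stale signature with a fresh ad-hoc one ("-s -"), forcing
    # the overwrite ("-f") and keeping the metadata named in the message.
    codesign -s - -f \
        --preserve-metadata=identifier,entitlements,flags,runtime \
        "$1" || return 1

    # Fail the build step if the binary is still not validly signed, rather
    # than letting the OS kill it at launch.
    codesign --verify "$1"
}
```

In a build rule this would run as `resign_if_invalid temacs.tmp` immediately after the step that rewrites the binary.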



