<thefloweringash> Can I trouble someone with an up to date DTK to try to reproduce a binary? https://gist.github.com/thefloweringash/9a4702575d28453d09b11850e37b29f5
<thefloweringash> Everything I read about adhoc signatures indicates they're just a form of hash of the binary, e.g. https://apple.stackexchange.com/a/317002. Creating the same binary on two different DTKs would be good supporting evidence that there's no auto-generated machine-local key
<thefloweringash> context is trying to clear up the confusion in #95903
<{^_^}> https://github.com/NixOS/nixpkgs/issues/95903 (by arianvp, 3 days ago, open): Support for Apple Silicon (aarch64-darwin)
<LnL> I had a feeling this was getting overblown a bit
<thefloweringash> I had that feeling with the response to the Catalina changes too :-(
<LnL> actual signatures would be a major pain and not provide any value other than integrity checking for things built locally
<thefloweringash> to do it properly would probably require installing the daemon to register a local identity somewhere, and sign on adding to the store, and somehow not break hashes of store paths
<thefloweringash> if that's coming, that really won't be fun. I don't think we're there yet
<LnL> not necessarily, but nix (or any other compiler for that matter) just needs access to the identity
<LnL> with that code signing could be implemented within nix and that doesn't require the daemon
<LnL> but for arm the main question here is what thing inserts this local signature
<thefloweringash> like adding a private key within the nixpkgs stdenv?
<thefloweringash> seems like it's the linker, at least based on the docs and the flags: flags=0x20002(adhoc,linker-signed)
<LnL> no that's pointless, hence nix itself needs support for codesigning
<LnL> the build process contains logic to execute sandbox-exec instead of the build instructions directly
<LnL> similarly it can run codesign on the outputs afterwards
<LnL> that way the build itself and other things can be shielded from the signing identity
<LnL> anyway
<LnL> if it's dyld that handles the required stuff we potentially don't have to do anything, since we don't (and can't) build that ourselves
<LnL> if it's ld then it's a bit of a bigger problem since updating the cctools-port to have support for all this might be tricky
<LnL> it's one of those things that's kind of open source but not really IIRC
<thefloweringash> I think it's ld. I haven't looked at that side yet.
<thefloweringash> and anything that uses things like install_name_tool will need to create a new signature, according to the docs
<LnL> right, that makes sense
<thefloweringash> oh, and strip
<thefloweringash> if we're signing everything we strip, it might not even matter that we don't sign as part of cctools
<LnL> running codesign in the build is also an option, as long as that doesn't need an identity
<thefloweringash> you can explicitly codesign with the identity "-" to make an adhoc signature
<LnL> does mean security_systemkeychain needs to be added and integrated all the way in the bootstrap chain
<Mic92_> strip is sometimes skipped in nix
<Mic92_> for good reasons
<thefloweringash> Takes me back to #34227 :-)
<{^_^}> https://github.com/NixOS/nixpkgs/pull/34227 (by thefloweringash, 2 years ago, merged): rustc: Fix corrupted .rlib files caused by stripping on Darwin
<arianvp> thefloweringash: NixOS Foundation has a DTK you can use
<arianvp> ask robert vermaas for access
<arianvp> rob*
<thefloweringash> Great! How do I contact him?
<Mic92> Hey macOS folk, does nix on darwin work with `--store`? https://github.com/Mic92/nix-build-uncached/pull/16/checks?check_run_id=1027662881#step:5:23
<thefloweringash> Mic92: from your log, "error: the path '/var' is a symlink; this is not allowed for the Nix store and its parent directories"
<thefloweringash> but if you fix that you run into "error: building using a diverted store is not supported on this platform", and https://github.com/NixOS/nix/commit/ba75c69e0014178cf524cc07427bb4e9eac333f7
<thefloweringash> so --store works but not for building, since it's unimplemented outside of linux