From 3b81dc2c2cb7322a5d609c6587a7a00b4e6b649c Mon Sep 17 00:00:00 2001
From: Craig Macdonald
Date: Thu, 16 Nov 2023 00:14:40 +0000
Subject: [PATCH 1/9] ascertain signing status on macos
---
 .github/workflows/push.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 75920fd9..70988bac 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -93,7 +93,10 @@ jobs:
 - name: (macOS) Setup test dependencies
 if: matrix.os == 'macos-latest' || matrix.os == 'apple-silicon-m1'
- run: brew install ant
+ run: |
+ brew install ant
+ codesign -dvvvv --xml --entitlements - $(which python)
+ codesign -dvvvv --xml --entitlements - $(which java)
 - name: Build test classes via ant
 run: ant all
From b2c07e92e3421d77e1994a9e9a0466e96a52ffe0 Mon Sep 17 00:00:00 2001
From: Craig Macdonald
Date: Thu, 16 Nov 2023 00:30:34 +0000
Subject: [PATCH 2/9] dont let codesign failure cause problem, for now...
---
 .github/workflows/push.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 70988bac..e3ed2a33 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -95,8 +95,8 @@ jobs:
 if: matrix.os == 'macos-latest' || matrix.os == 'apple-silicon-m1'
 run: |
 brew install ant
- codesign -dvvvv --xml --entitlements - $(which python)
- codesign -dvvvv --xml --entitlements - $(which java)
+ codesign -dvvvv --xml --entitlements - $(which python) || true
+ codesign -dvvvv --xml --entitlements - $(which java) || true
 - name: Build test classes via ant
 run: ant all
From 080e81edeb24200a5d81d79acc0a750b697fcfe6 Mon Sep 17 00:00:00 2001
From: Craig Macdonald
Date: Thu, 16 Nov 2023 01:04:10 +0000
Subject: [PATCH 3/9] validate signing of Python in setup.py
---
 setup.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/setup.py b/setup.py
index 3cca8c1a..4bcb61c1 100644
--- a/setup.py
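Review bot: The two added `codesign` lines in the macOS setup step inspect whatever `$(which python)` and `$(which java)` resolve to, which may be a shim or symlink rather than the interpreter binary that later runs `pip install`, so the log can describe a different file from the one that matters. Asking the interpreter for its own path and quoting the substitution keeps the diagnostic tied to that binary and survives paths containing spaces: `codesign -dvvvv --xml --entitlements - "$(python -c 'import sys; print(sys.executable)')"`. A one-line comment above the commands saying they are diagnostic output only would also help, since nothing in the step consumes the result.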
+++ b/setup.py @@ -84,6 +84,27 @@ def compile_native_invocation_handler(java): compile_native_invocation_handler(JAVA) +def check_python_signing(): + import platform + # check for mac + if sys.platform != 'darwin': + return + # check for arm + if platform.processor() != 'arm': + return + try: + codesign = subprocess.check_output( + ['/usr/bin/codesign', '--display', '--verbose=4', '--xml', '--entitlements', '-', + sys.executable] + ) + assert "com.apple.security.cs.disable-executable-page-protection" not in codesign, ( + ("Python (%s) was not signed with com.apple.security.cs.disable-executable-page-protection entitlement. " % sys.executable) + + "You should installed a version of Python that has been codesigned with this entitlement.") + except: + assert False, (("Could not apply codesign to %s. Codesign is required for Apple Silicon. You should installed a version of " + + "Python installed that has been codesigned") % sys.executable) + +check_python_signing() # generate the config.pxi with open(join(dirname(__file__), 'jnius', 'config.pxi'), 'w') as fd: From 33069b4c4b2898bb24a78bda750ab3de93787600 Mon Sep 17 00:00:00 2001 From: Craig Macdonald Date: Thu, 16 Nov 2023 09:20:12 +0000 Subject: [PATCH 4/9] change condition --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 4bcb61c1..fa02dd8e 100644 --- a/setup.py +++ b/setup.py @@ -97,7 +97,7 @@ def check_python_signing(): ['/usr/bin/codesign', '--display', '--verbose=4', '--xml', '--entitlements', '-', sys.executable] ) - assert "com.apple.security.cs.disable-executable-page-protection" not in codesign, ( + assert "com.apple.security.cs.disable-executable-page-protection" in codesign, ( ("Python (%s) was not signed with com.apple.security.cs.disable-executable-page-protection entitlement. " % sys.executable) + "You should installed a version of Python that has been codesigned with this entitlement.") except: 
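Review bot: The bare `except:` around the whole `try` body in `check_python_signing` also catches the `AssertionError` raised by the entitlement check just above it, so a Python that lacks the entitlement is reported as "Could not apply codesign" and the specific message is never shown. It hides programming errors in the block the same way: `check_output` returns bytes, so the `str`-in-bytes test raises `TypeError`, which this handler turns into the same misleading message (later patches in the series correct the comparison, but no visible hunk changes the handler). Using `assert` for the check also means it is skipped under `python -O`. I would catch only a failure of the `codesign` call and raise explicitly for the missing entitlement, as below; the platform early returns stay as they are.

```python
def check_python_signing():
    # … unchanged: platform import and the darwin / arm early returns …
    entitlement = "com.apple.security.cs.disable-executable-page-protection"
    try:
        # … unchanged: codesign = subprocess.check_output([...]) …
    except (OSError, subprocess.CalledProcessError) as err:
        # Only a failure to run codesign is reported as such.
        raise RuntimeError(
            "Could not run codesign on %s (%s). Codesign is required for Apple Silicon."
            % (sys.executable, err))
    if entitlement.encode("ascii") not in codesign:
        raise RuntimeError(
            "Python (%s) is not signed with the %s entitlement. Install a version of "
            "Python that has been codesigned with this entitlement."
            % (sys.executable, entitlement))
```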
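Review bot: The corrected test on the `assert` line is still a substring match over the raw `codesign` output, so it passes whenever the key name appears anywhere in it, including an entitlement that is present with a `<false/>` value. Because the command already requests `--xml`, the bytes returned by `check_output` can be parsed with the standard-library `plistlib` and the value itself checked, e.g. `ents = plistlib.loads(codesign) if codesign.strip() else {}` and then `ents.get("com.apple.security.cs.disable-executable-page-protection") is True`. The entitlement being demanded relaxes executable-memory protection for the interpreter, so I would add a short comment above the check saying why pyjnius needs it and whether a narrower entitlement was considered. The `try` block this line belongs to starts and ends outside the hunk.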
From ddc03e3690767fe87ede912710dc8da05ebf6da0 Mon Sep 17 00:00:00 2001 From: Craig Macdonald Date: Thu, 16 Nov 2023 09:57:26 +0000 Subject: [PATCH 5/9] decode the bytes --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index fa02dd8e..7dec86e7 100644 --- a/setup.py +++ b/setup.py @@ -96,7 +96,7 @@ def check_python_signing(): codesign = subprocess.check_output( ['/usr/bin/codesign', '--display', '--verbose=4', '--xml', '--entitlements', '-', sys.executable] - ) + ).decode("utf-8") assert "com.apple.security.cs.disable-executable-page-protection" in codesign, ( ("Python (%s) was not signed with com.apple.security.cs.disable-executable-page-protection entitlement. " % sys.executable) + "You should installed a version of Python that has been codesigned with this entitlement.") From a1f47aecb6d503f7a383163d9bd6205e50d5f0bc Mon Sep 17 00:00:00 2001 From: Craig Macdonald Date: Thu, 16 Nov 2023 10:26:34 +0000 Subject: [PATCH 6/9] debugging signing --- setup.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup.py b/setup.py index 7dec86e7..1e43f540 100644 --- a/setup.py +++ b/setup.py @@ -86,6 +86,7 @@ def compile_native_invocation_handler(java): def check_python_signing(): import platform + print("****", sys.platform, platform.processor()) # check for mac if sys.platform != 'darwin': return @@ -97,6 +98,7 @@ def check_python_signing(): ['/usr/bin/codesign', '--display', '--verbose=4', '--xml', '--entitlements', '-', sys.executable] ).decode("utf-8") + print("****", codesign) assert "com.apple.security.cs.disable-executable-page-protection" in codesign, ( ("Python (%s) was not signed with com.apple.security.cs.disable-executable-page-protection entitlement. " % sys.executable) + "You should installed a version of Python that has been codesigned with this entitlement.") From cd3bec032458af720bbb1e53dd0110eb78c2cae2 Mon Sep 17 00:00:00 2001 
From: Craig Macdonald
Date: Thu, 16 Nov 2023 10:42:36 +0000
Subject: [PATCH 7/9] be verbose so we see setup.py output
---
 .github/workflows/push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index e3ed2a33..dcd28994 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -113,7 +113,7 @@ jobs:
 - name: Install pyjnius with [dev, ci] extras
 run: |
- pip install --timeout=120 .[dev,ci]
+ pip install -v --timeout=120 .[dev,ci]
 - name: (Windows) Test pyjnius via pytest
 if: matrix.os == 'windows-latest'
From 41c50c5e6d3ebdb30eb6205e7edd5f371bf6d573 Mon Sep 17 00:00:00 2001
From: Craig Macdonald
Date: Thu, 16 Nov 2023 13:22:59 +0000
Subject: [PATCH 8/9] Revert "be verbose so we see setup.py output"
This reverts commit cd3bec032458af720bbb1e53dd0110eb78c2cae2.
---
 .github/workflows/push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index dcd28994..e3ed2a33 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -113,7 +113,7 @@ jobs:
 - name: Install pyjnius with [dev, ci] extras
 run: |
- pip install -v --timeout=120 .[dev,ci]
+ pip install --timeout=120 .[dev,ci]
 - name: (Windows) Test pyjnius via pytest
 if: matrix.os == 'windows-latest'
From 685cb574fe4aa0ef19d44645e622a2312b2a9d1a Mon Sep 17 00:00:00 2001
From: Craig Macdonald
Date: Thu, 16 Nov 2023 13:23:36 +0000
Subject: [PATCH 9/9] remove debug prints
---
 setup.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/setup.py b/setup.py
index 1e43f540..7dec86e7 100644
--- a/setup.py
+++ b/setup.py
@@ -86,7 +86,6 @@ def compile_native_invocation_handler(java):
 def check_python_signing():
 import platform
- print("****", sys.platform, platform.processor())
 # check for mac
 if sys.platform != 'darwin':
 return
@@ -98,7 +97,6 @@ def check_python_signing(): ['/usr/bin/codesign', '--display', '--verbose=4', '--xml', '--entitlements', '-', sys.executable] ).decode("utf-8") - print("****", codesign) assert "com.apple.security.cs.disable-executable-page-protection" in codesign, ( ("Python (%s) was not signed with com.apple.security.cs.disable-executable-page-protection entitlement. " % sys.executable) + "You should installed a version of Python that has been codesigned with this entitlement.")