Apple code signing isn't working when building with nix #42

@GregMefford

Shortly after devfiler was initially open-sourced, I was able to build and run it locally on an M1 Mac using the nix commands in the README.
More recently, I wanted to re-build it to catch up with recent protocol changes in opentelemetry-ebpf-profiler, but I ran into an issue where it won't launch after building. The app icon flashes but the app never opens or displays an error.

If I try to run the executable from a shell instead, it reports:

% ./devfiler.app/Contents/MacOS/devfiler
zsh: killed     ./devfiler.app/Contents/MacOS/devfiler

After some troubleshooting, I was able to use the Console app to find a "Crash Report" like the following:

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               ReportCrash [70198]
Path:                  /System/Library/CoreServices/ReportCrash
Identifier:            ReportCrash
Version:               ???
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
User ID:               501

Date/Time:             2025-08-09 11:33:42.8358 -0400
OS Version:            macOS 15.6 (24G84)
Report Version:        12
Anonymous UUID:        3B6A222A-F595-8AE9-0C62-BC866F9E1776


Time Awake Since Boot: 2500 seconds

System Integrity Protection: enabled

Crashed Thread:        1

Exception Type:        EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes:       UNKNOWN_0x32 at 0x0000000802400000
Exception Codes:       0x0000000000000032, 0x000000080240000

...

which led me to believe it's probably related to code signing. When building with nix, the end of the output looks like this, which makes me think that at some point in the process, the executable is getting signed, but then modified without being re-signed:

devfiler> Running phase: installPhase
...
devfiler> stripping references done
devfiler> signing files:
devfiler> signing: /nix/store/6n1lapf1yxp0565ip9q9syszwsivvi6h-devfiler-0.14.0/bin/devfiler
devfiler> signing: /nix/store/6n1lapf1yxp0565ip9q9syszwsivvi6h-devfiler-0.14.0/share/icons/hicolor/512x512/apps/devfiler.png
devfiler> signing: /nix/store/6n1lapf1yxp0565ip9q9syszwsivvi6h-devfiler-0.14.0/share/applications/devfiler.desktop
devfiler> signing done
devfiler> Running phase: fixupPhase
...
devfiler> install_name_tool: warning: changes being made to the file will invalidate the code signature in: /nix/store/6n1lapf1yxp0565ip9q9syszwsivvi6h-devfiler-0.14.0/Applications/devfiler.app/Contents/MacOS//devfiler
devfiler-mac-app>   adding: devfiler.app/ (stored 0%)
devfiler-mac-app>   adding: devfiler.app/Contents/ (stored 0%)
devfiler-mac-app>   adding: devfiler.app/Contents/MacOS/ (stored 0%)
devfiler-mac-app>   adding: devfiler.app/Contents/MacOS/devfiler (deflated 65%)
devfiler-mac-app>   adding: devfiler.app/Contents/MacOS/libc++.1.0.dylib (deflated 70%)
devfiler-mac-app>   adding: devfiler.app/Contents/MacOS/libc++abi.1.dylib (deflated 74%)
devfiler-mac-app>   adding: devfiler.app/Contents/Resources/ (stored 0%)
devfiler-mac-app>   adding: devfiler.app/Contents/Resources/devfiler.icns (deflated 26%)
devfiler-mac-app>   adding: devfiler.app/Contents/Info.plist (deflated 57%)

So I think the issue is probably that install_name_tool is modifying the executable after it's signed, but I'm not familiar enough with nix or cargo to figure out what to change to make it re-sign or reorder the steps so that it signs after the modification.
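The ordering problem described in this report can be checked mechanically from the build output. The following is an added example, not code from the issue author or the devfiler project: it flags any file whose signature `install_name_tool` invalidated without a later signing line for the same file. It assumes a re-sign would be logged in the same `signing: <path>` form seen above; the sample log is constructed from the quoted output with the store hash replaced by a placeholder.

```python
import re

# Constructed sample, shortened from the build output quoted in the issue
# (the nix store hash is replaced by the placeholder HASH).
SAMPLE_LOG = """\
devfiler> Running phase: installPhase
devfiler> signing files:
devfiler> signing: /nix/store/HASH-devfiler-0.14.0/bin/devfiler
devfiler> signing done
devfiler> Running phase: fixupPhase
devfiler> install_name_tool: warning: changes being made to the file will invalidate the code signature in: /nix/store/HASH-devfiler-0.14.0/Applications/devfiler.app/Contents/MacOS//devfiler
"""

PREFIX = re.compile(r"^[\w.+-]+>\s*")            # "devfiler> " derivation prefix
PHASE = re.compile(r"^Running phase: (\w+)")
SIGNED = re.compile(r"^signing: (?P<path>.+)$")  # assumed format for any (re-)sign
INVALIDATED = re.compile(
    r"install_name_tool: warning: .*invalidate the code signature in: (?P<path>.+)$"
)


def norm(path):
    """Collapse repeated slashes so 'MacOS//devfiler' equals 'MacOS/devfiler'."""
    return re.sub(r"/{2,}", "/", path.strip())


def stale_signatures(log):
    """Return sorted (path, phase) pairs for files whose signature was
    invalidated and that were not signed again later in the log."""
    stale = {}
    phase = None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := PHASE.match(line):
            phase = m.group(1)
        elif m := SIGNED.match(line):
            # A signing line after the modification clears the finding.
            stale.pop(norm(m["path"]), None)
        elif m := INVALIDATED.search(line):
            stale[norm(m["path"])] = phase
    return sorted(stale.items())


if __name__ == "__main__":
    for path, phase in stale_signatures(SAMPLE_LOG):
        print(f"modified after signing (in {phase}): {path}")
```

On the sample it reports the copy under `Applications/devfiler.app`, which is a different path from the `bin/devfiler` that the signing step logged.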
