msys2-runtime: avoid stripping to allow code-signing again #260
To verify that this works, I need to:
CFLAGS used for building

According to the log, these

I cannot find an instance of
A couple of those need to remain, but many of them are just oversights.

Signed-off-by: Johannes Schindelin <[email protected]>
Third parties commonly code-sign the MSYS2 runtime when ingesting MinGit, as a way to attest the integrity (_not_ to testify that they have vetted all the supply chain!).

This is currently broken, failing with:

    SignTool Error: SignedCode::Sign returned error: 0x800700C1
    %1 is not a valid Win32 application.
    SignTool Error: An error occurred while attempting to sign: msys-2.0.dll

The reason is that the MSYS toolchain's version of `strip.exe` somehow changes the structure of the output files that are incompatible with `signtool.exe`, as had been identified in ffd1140 (bash: avoid stripping after code-signing, 2022-05-02).

Therefore, as of 667799c (msys2-runtime: strip it, 2022-12-19), the `msys-2.0.dll` file (and all of the Cygwin utilities like `cygwin-console-helper.exe`) can no longer be signed.

So let's revert that change.

However, we _must_ be _very_ careful not to regress on the cause for that commit: It was triggered by Cygwin's build process all of a sudden including all the debug information in the `msys-2.0.dll` file, which makes it roughly 10x larger (and it already weighs ~3MB to begin with).

The saving grace is that we can put `-g0` into the `CFLAGS`/`CXXFLAGS` variables that are hard-coded in the `PKGBUILD` file. This prevents debug information from being generated in the first place, hence avoiding the need to strip the executables.

Signed-off-by: Johannes Schindelin <[email protected]>
b9b7088 to
745e6ae
I think I figured it out: while this line added the

    CXXFLAGS="$OPTIM -pipe -g0 -Wno-error=deprecated -Wno-error=stringop-truncation -Wno-error=missing-attributes -Wno-error=maybe-uninitialized" #-Wno-error=class-memaccess

    export CXXFLAGS="-Wno-error -Wno-narrowing"

overrode that ;-)
Since `strip.exe` apparently does not do what we want (namely, produce a `.dll` that can then be code-signed using `signtool.exe`), we are now left with an `msys-2.0.dll` that -- despite containing no debug symbols because we just suppressed them with the `-g0` flag -- still is larger than before.

The difference is essentially explained by the new `COFF_SYMBOLS` section that had not been there before:

    $ 7z l new-msys-2.0.dll | grep COFF
    2025-10-02 15:08:52 ..... 768106 768106 COFF_SYMBOLS

Since there is already an `objcopy` invocation (that uses the short-hand `-g` for `--strip-debug`), let's just piggy-back on that invocation by extending it with the `--strip-unneeded` option. While at it, use the long-hand instead of the otherwise potentially puzzling `-g`.

Note: I have tried `objcopy --remove-section COFF_SYMBOLS`, but apparently those symbols are not even a _real_ section; They live in the PE header and hence cannot be removed via `--remove-section`.

Since this `objcopy` invocation might seem to do nothing else than `strip.exe` (and hence potentially breaking code-signing again), I have verified manually that the resulting `.dll` can be code-signed using both `signtool.exe` and `osslsigncode.exe`, so all is good.

Signed-off-by: Johannes Schindelin <[email protected]>
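The commit message above observes that the COFF symbols are not a real section. As an added example (not part of this PR or the project's code), the sketch below reads `PointerToSymbolTable` and `NumberOfSymbols` from the COFF file header to measure the symbol table and confirm that no section's raw data covers it, a check a packager could run on a built `.dll` before signing. The names `coff_symbol_table` and `build_sample` are hypothetical, and the sample image is constructed inline.

```python
import struct

SYMBOL_SIZE = 18  # bytes per COFF symbol record

def coff_symbol_table(pe: bytes) -> dict:
    """Locate the COFF symbol table through the PE file header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, sym_ptr, n_syms, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    sections = []
    first_hdr = e_lfanew + 24 + opt_size  # section headers, 40 bytes each
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, first_hdr + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size))
    size = 0
    if sym_ptr and n_syms:
        size = n_syms * SYMBOL_SIZE
        # The string table follows the records; its first 4 bytes hold its length.
        if len(pe) >= sym_ptr + size + 4:
            size += struct.unpack_from("<I", pe, sym_ptr + size)[0]
    covering = [n for n, ptr, sz in sections
                if sym_ptr and ptr <= sym_ptr < ptr + sz]
    return {"offset": sym_ptr, "symbols": n_syms, "bytes": size,
            "sections": [n for n, _, _ in sections],
            "covering_sections": covering}

def build_sample(n_syms: int) -> bytes:
    """Constructed minimal PE-like image: one .text section, n_syms empty symbols."""
    text, raw_ptr = b"\xc3" * 0x200, 0x200
    sym_ptr = raw_ptr + len(text) if n_syms else 0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, sym_ptr, n_syms, 0, 0x2022)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)
    head = (dos + b"PE\0\0" + coff + sec).ljust(raw_ptr, b"\0")
    symtab = b"\0" * (n_syms * SYMBOL_SIZE) + (struct.pack("<I", 4) if n_syms else b"")
    return head + text + symtab

if __name__ == "__main__":
    for label, n in (("with symbols", 3), ("without symbols", 0)):
        print(label, coff_symbol_table(build_sample(n)))
```
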
mjcheetham
left a comment
Thanks for the thorough analysis and commit messages explaining the issue here!
/deploy msys2-runtime

The workflow run was started.




Third parties commonly code-sign the MSYS2 runtime when ingesting MinGit, as a way to attest the integrity (not to testify that they have vetted all the supply chain!).

This is currently broken, failing with:

    SignTool Error: SignedCode::Sign returned error: 0x800700C1
    %1 is not a valid Win32 application.
    SignTool Error: An error occurred while attempting to sign: msys-2.0.dll

The reason is that the MSYS toolchain's version of `strip.exe` somehow changes the structure of the output files that are incompatible with `signtool.exe`, as had been identified in ffd1140 (bash: avoid stripping after code-signing, 2022-05-02).

Therefore, as of 667799c (msys2-runtime: strip it, 2022-12-19), the `msys-2.0.dll` file (and all of the Cygwin utilities like `cygwin-console-helper.exe`) can no longer be signed.

So let's revert that change.

However, we must be very careful not to regress on the cause for that commit: It was triggered by Cygwin's build process all of a sudden including all the debug information in the `msys-2.0.dll` file, which makes it roughly 10x larger (and it already weighs ~3MB to begin with).

The saving grace is the `-g0` part of the `CFLAGS`/`CXXFLAGS` that are hard-coded in the `PKGBUILD` file. This prevents debug information from being generated in the first place.

This fixes git-for-windows/git#5852