
On macOS, when a PR build is installed, Juliaup should print instructions for doing the ad-hoc codesigning #1127

Open
MilesCranmer opened this issue Dec 13, 2024 · 6 comments


@MilesCranmer
Member

MilesCranmer commented Dec 13, 2024

The PR builds seem to have an invalid code signature on macOS:

```
> codesign -vv ~/.julia/juliaup/julia-pr56801/lib/libjulia.1.12.0.dylib
/Users/mcranmer/.julia/juliaup/julia-pr56801/lib/libjulia.1.12.0.dylib: invalid signature (code or signature have been modified)
In architecture: arm64

> codesign -vv ~/.julia/juliaup/julia-1.11.2+0.aarch64.apple.darwin14/lib/libjulia.1.11.dylib
/Users/mcranmer/.julia/juliaup/julia-1.11.2+0.aarch64.apple.darwin14/lib/libjulia.1.11.dylib: valid on disk
/Users/mcranmer/.julia/juliaup/julia-1.11.2+0.aarch64.apple.darwin14/lib/libjulia.1.11.dylib: satisfies its Designated Requirement
```

which leads to the PR channel builds crashing without any error messages: #1126.

@DilumAluthge
Member

Yeah, you'll need to ad-hoc codesign the PR builds yourself. PR builds can contain code written by anyone (since anyone can make a PR to JuliaLang/julia), so we don't codesign the PR builds, because we don't want to end up unintentionally codesigning malware.

You should be able to use the utilities/macos/codesign.sh file (from the https://github.com/JuliaCI/julia-buildkite repo); here's the link: https://github.com/JuliaCI/julia-buildkite/blob/main/utilities/macos/codesign.sh

@DilumAluthge
Member

What we should do is to:

  1. Ship a variant of the utilities/macos/codesign.sh script with Juliaup (just Juliaup for macOS).
  2. When a user uses Juliaup to install a PR build, there should be an interactive prompt asking if they want to automatically codesign the PR build. If the user selects Yes, then Juliaup can run the utilities/macos/codesign.sh script to ad-hoc codesign the PR build. The default value (if e.g. the user presses Enter without selecting Yes or No) should probably default to No. The idea here is that the user should be prompted so that they know about the risk of running untrusted (and potentially malicious) code.
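
The prompt-and-sign flow proposed in this comment, as an added Rust example that is not Juliaup's own code: it assumes PR channels are named `pr<number>` (matching the `julia-pr56801` directory in the issue), an install directory laid out as `<dir>/bin/julia` plus `<dir>/lib/libjulia*.dylib`, and that an empty answer at the prompt means No.

```rust
use std::io;
use std::path::{Path, PathBuf};
use std::process::Command;

/// PR channels are assumed to be named "pr<number>" (the issue's example: pr56801).
pub fn is_pr_channel(channel: &str) -> bool {
    let n = channel.strip_prefix("pr").unwrap_or("");
    !n.is_empty() && n.bytes().all(|b| b.is_ascii_digit())
}

/// Anything but an explicit yes (including just pressing Enter) means No,
/// so ad-hoc signing untrusted code stays opt-in, as proposed above.
pub fn consent_to_codesign(answer: &str) -> bool {
    matches!(answer.trim().to_ascii_lowercase().as_str(), "y" | "yes")
}

/// Files to sign: the julia binary plus every libjulia*.dylib under lib/
/// (the issue shows both the binary and libjulia needing a signature).
pub fn codesign_targets(install_dir: &Path) -> Vec<PathBuf> {
    let mut targets = vec![install_dir.join("bin/julia")];
    if let Ok(entries) = std::fs::read_dir(install_dir.join("lib")) {
        for entry in entries.flatten() {
            let name = entry.file_name().to_string_lossy().into_owned();
            if name.starts_with("libjulia") && name.ends_with(".dylib") {
                targets.push(entry.path());
            }
        }
    }
    targets
}

/// Informational message printed on every PR-build install, whether or not the user opts in.
pub fn codesign_notice(install_dir: &Path) -> String {
    format!("PR builds are not codesigned (they may contain code from anyone).\n\
             If julia crashes silently, ad-hoc sign it yourself:\n  \
             codesign --force --sign - {}/bin/julia", install_dir.display())
}

/// Run `codesign --force --sign -` on each target (macOS only); stop at the first failure.
pub fn adhoc_codesign(targets: &[PathBuf]) -> io::Result<()> {
    for t in targets {
        let st = Command::new("codesign").args(["--force", "--sign", "-"]).arg(t).status()?;
        if !st.success() {
            return Err(io::Error::new(io::ErrorKind::Other, format!("codesign failed: {}", t.display())));
        }
    }
    Ok(())
}
```

The install path would print `codesign_notice`, read one line from the terminal, and call `adhoc_codesign(&codesign_targets(dir))` only when `consent_to_codesign` returns true.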

@MilesCranmer
Member Author

MilesCranmer commented Dec 13, 2024

Thanks. Yes that all makes sense.

Just in case others google this, my workaround is

```
codesign --force --sign - ~/.julia/juliaup/julia-pr56801/bin/julia
codesign --force --sign - ~/.julia/juliaup/julia-pr56801/lib/libjulia.1.12.0.dylib
```

which worked.

However, before this, there is no error message at all. The julia binary just crashes. So I think we definitely need some sort of message advising how to do the manual code signature.

@DilumAluthge
Member

The easiest first step is probably to print an informational message any time that Juliaup is used to install a PR build. Is there an easy way to detect that codepath in Juliaup, and print the informational message?

@DilumAluthge
Member

Maybe here, or somewhere nearby?

@DilumAluthge DilumAluthge transferred this issue from JuliaLang/julia Dec 13, 2024
@DilumAluthge DilumAluthge changed the title from "-pr{number} build's libjulia has invalid code signature on macOS" to "On macOS, when a PR build is installed, Juliaup should print instructions for doing the ad-hoc codesigning" Dec 13, 2024
@MilesCranmer
Member Author

I was doing a bit of a yak shave for something else, but am out of dev bandwidth other than to report the issue – sorry. I'm happy with the manual codesign for now.
