CMake's RPATH adjustment upon install invalidates code signing (Xcode/macOS)
I've set up my project to code sign libs/executables by setting the target properties XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY and XCODE_ATTRIBUTE_DEVELOPMENT_TEAM.
The binaries in the build directory seem to be correctly signed since codesign --verify --deep --strict --verbose=2 build-dir/Release/my_exe prints both "valid on disk" and "satisfies its Designated Requirement".
However, when installing the results, the binaries get changed (a diff verifies this). Inspecting their RPATHs shows that they got altered:
otool -l build-dir/Release/my_exe | grep LC_RPATH -A2
is different to
otool -l install_dir/bin/my_exe | grep LC_RPATH -A2
To resolve this problem, I enabled the target property BUILD_WITH_INSTALL_RPATH. Now the binaries are not touched when installing and the code signing is valid.
But now executables from the build-dir won't run, because the install-RPATH doesn't work with the build directory structure. Again I had to find a workaround by changing the RUNTIME_OUTPUT_DIRECTORY.
All of this was a massive pain to figure out, so my wishes are:
- If I did something completely wrong/in an odd way, teach me the right/proper way and show me where in the docs it is noted.
- Ideally CMake re-codesigns binaries post-install, if it altered the RPATH and code-signing was set up.
- Or give a proper warning (or error) that code signing was invalidated.
- Some hint/warning in the documentation would have saved me a lot of time.
Thanks for considering!
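One way to handle the situation described above from the project side, as an added example that is not part of the original post and not CMake's own behaviour: leave the build-tree RPATH alone, let the install step rewrite it, then re-sign and verify the installed binary in an install(CODE) rule. The target name my_exe and the bin destination follow the post; the SIGN_IDENTITY cache variable, its "-" (ad-hoc) default, main.cpp and the INSTALL_RPATH value are assumptions.

```cmake
cmake_minimum_required(VERSION 3.14)  # generator expressions inside install(CODE)
project(resign_demo CXX)

add_executable(my_exe main.cpp)

# Assumed placeholder: "-" requests an ad-hoc signature; set a real identity
# with -DSIGN_IDENTITY=... when configuring.
set(SIGN_IDENTITY "-" CACHE STRING "codesign identity applied after install")

set_target_properties(my_exe PROPERTIES
  # Signature applied by Xcode in the build tree.
  XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "${SIGN_IDENTITY}"
  # Assumed install layout: libraries in <prefix>/lib next to <prefix>/bin.
  INSTALL_RPATH "@executable_path/../lib")

# This rule copies the binary and rewrites LC_RPATH, which changes the file
# and therefore invalidates the build-tree signature.
install(TARGETS my_exe RUNTIME DESTINATION bin)

# Install rules of one directory run in declaration order, so this runs after
# the RPATH rewrite. \$ and \" are escaped so they are evaluated at install
# time; ${SIGN_IDENTITY} and the generator expression are resolved earlier.
install(CODE "
  set(_bin \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/bin/$<TARGET_FILE_NAME:my_exe>\")

  # Replace the stale signature on the installed copy.
  execute_process(
    COMMAND codesign --force --sign \"${SIGN_IDENTITY}\" \"\${_bin}\"
    RESULT_VARIABLE _rc)
  if(NOT _rc EQUAL 0)
    message(FATAL_ERROR \"re-signing \${_bin} failed (exit code \${_rc})\")
  endif()

  # Fail the install instead of shipping a binary whose signature is invalid.
  execute_process(
    COMMAND codesign --verify --strict --verbose=2 \"\${_bin}\"
    RESULT_VARIABLE _rc)
  if(NOT _rc EQUAL 0)
    message(FATAL_ERROR \"signature of \${_bin} does not verify after install\")
  endif()
")
```

Because --force replaces the whole signature, any entitlements or hardened-runtime option used for the build-tree signature have to be passed again here (codesign's --entitlements and --options runtime).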