Template:macOS codesigning x86 64 on aarch64

From Free Pascal wiki
Jump to navigationJump to search

macOS’s code signing architecture supports two different hash formats:

  • sha1, the original hash format, which is now deprecated
  • sha256, the new format, support for which was added in macOS 10.11

codesign should choose the signing format based on the deployment target:

  • If your deployment target is 10.11 or later, you get sha256.
  • If your deployment target is earlier, you get both sha1 and sha256.

A problem crops up because, when building for both Intel and Apple Silicon, your deployment targets are different. You might set the deployment target to 10.9 but, on Apple Silicon, that’s raised to the minimum Apple Silicon system, 11.0. So, which deployment target does it choose?

Well, the full answer to that is complex but the executive summary is that it chooses the deployment target of the current architecture, that is, Intel if you’re building on Intel and Apple Silicon if you’re building on Apple Silicon.

The upshot is that you have problems if your deployment target is less than 10.11 and you sign on Apple Silicon. When you run on, say, macOS 10.10, the system looks for a sha1 hash, doesn’t find it, and complains.

The workaround is to supply the --digest-algorithm=sha1,sha256 argument to codesign which overrides the hash choice logic in codesign and causes it to include both hashes.

Retrieved from "http://wiki.freepascal.org/index.php?title=Template:macOS_codesigning_x86_64_on_aarch64&oldid=149670"