kind-france-89777, 05/04/2023, 8:26 PM
$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: valid on disk
/opt/homebrew/bin/garden: satisfies its Designated Requirement
$ garden --version
0.12.53
> after upgrading to 0.12.55:
$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: invalid signature (code or signature have been modified)
In architecture: x86_64
swift-garage-61180, 05/04/2023, 8:49 PM
kind-france-89777, 05/04/2023, 9:49 PM
ancient-diamond-80011, 05/05/2023, 7:08 AM
kind-france-89777, 05/09/2023, 4:29 PM
ancient-diamond-80011, 05/10/2023, 6:46 AM
astonishing-tomato-18259, 05/12/2023, 1:13 PM
The 0.12.53 binary was also not code signed.
It appears that the user had done ad-hoc code signing (https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc) of the garden binary themselves. Ad-hoc code signing basically means that you can code sign a binary using the codesign
utility without any signing identity or Apple developer certificate. On verifying, it results in a similar response:
➜ $ codesign --verify -vv garden
garden: valid on disk
garden: satisfies its Designated Requirement
And once the user updated the version from 0.12.53 to 0.12.55, the ad-hoc signature became invalid and resulted in an "invalid signature"
error, as the content of the garden binary was updated and resulted in a SHA-1 signature mismatch.
Code signing of binaries is mandatory for any executable from macOS 11 onwards; however, it doesn't apply to translated binaries that are running under Rosetta 2, which is currently the case for the Garden binary. There's a plan to publish a native Apple silicon binary, and then code signing will be mandatory.
I created an issue to track code signing of our binaries: https://github.com/garden-io/garden/issues/4250
kind-france-89777, 05/12/2023, 2:23 PM