Merge pull request #7397 from mook-as/path-management/xattr-logging

Path mangement: Fix macOS signing
rancher-sandbox · Aug 31, 2024 · 3dcbeeb · 3dcbeeb
2 parents a585730 + f56d014
commit 3dcbeeb
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 19 deletions.
diff --git a/packaging/electron-builder.yml b/packaging/electron-builder.yml
@@ -4,6 +4,8 @@ productName: Rancher Desktop
 icon: ./resources/icons/logo-square-512.png
 appId: io.rancherdesktop.app
 asar: true
+asarUnpack:
+- '**/*.node'
 electronLanguages: [ en-US ]
 extraResources:
 - resources/

diff --git a/pkg/rancher-desktop/integrations/manageLinesInFile.ts b/pkg/rancher-desktop/integrations/manageLinesInFile.ts
@@ -2,6 +2,10 @@ import fs from 'fs';
 
 import isEqual from 'lodash/isEqual.js';
 
+import Logging from '@pkg/utils/logging';
+
+const console = Logging['path-management'];
+
 export const START_LINE = '### MANAGED BY RANCHER DESKTOP START (DO NOT EDIT)';
 export const END_LINE = '### MANAGED BY RANCHER DESKTOP END (DO NOT EDIT)';
 const DEFAULT_FILE_MODE = 0o644;
@@ -167,7 +171,7 @@ async function fileHasExtendedAttributes(filePath: string): Promise<boolean> {
       return false;
     }
 
-    console.error(`Failed to import fs-xattr, cannot check for extended attributes on ${ filePath }`);
+    console.error(`Failed to import fs-xattr, cannot check for extended attributes on ${ filePath }:`, cause);
 
     throw new ErrorDeterminingExtendedAttributes({ path: filePath }, { cause });
   }

diff --git a/pkg/rancher-desktop/main/diagnostics/pathManagement.ts b/pkg/rancher-desktop/main/diagnostics/pathManagement.ts
@@ -1,6 +1,6 @@
 import { DiagnosticsCategory, DiagnosticsChecker, DiagnosticsCheckerResult, DiagnosticsCheckerSingleResult } from './types';
 
-import { ErrorHasExtendedAttributes, ErrorNotRegularFile, ErrorWritingFile } from '@pkg/integrations/manageLinesInFile';
+import { ErrorDeterminingExtendedAttributes, ErrorHasExtendedAttributes, ErrorNotRegularFile, ErrorWritingFile } from '@pkg/integrations/manageLinesInFile';
 import mainEvents from '@pkg/main/mainEvents';
 
 const cachedResults: Record<string, DiagnosticsCheckerResult> = {};
@@ -53,6 +53,10 @@ mainEvents.on('diagnostics-event', (id, state) => {
         return { fixes: [{ description: `Restore \`${ fileName }\` from backup file \`${ error.backupPath }\`` }] };
       }
 
+      if (error instanceof ErrorDeterminingExtendedAttributes && error.cause) {
+        return { description: `${ error }: ${ error.cause }` };
+      }
+
       return {};
     })(),
   };

diff --git a/scripts/lib/sign-macos.ts b/scripts/lib/sign-macos.ts
@@ -213,24 +213,13 @@ async function *findFilesToSign(dir: string): AsyncIterable<string> {
       continue;
     }
 
-    // For regular files, read the first four bytes of the file and look
-    // for Mach-O headers.
+    // For regular files, call `file` and check if it thinks it's Mach-O.
+    // We previously read the file header, but that was unreliable.
     try {
-      const file = await fs.promises.open(fullPath);
-
-      try {
-        const { buffer } = await file.read({ buffer: Buffer.alloc(4), length: 4 });
-        const header = buffer.readUInt32BE();
-        const validHeaders = [
-          0xFEEDFACF, // Mach-O 64 bit, correct endian
-          0xCFFAEDFE, // Mach-O 64 bit, reversed endian
-        ];
-
-        if (!validHeaders.includes(header)) {
-          continue;
-        }
-      } finally {
-        await file.close();
+      const { stdout } = await spawnFile('/usr/bin/file', ['--brief', fullPath], { stdio: 'pipe' });
+
+      if (!stdout.startsWith('Mach-O ')) {
+        continue;
       }
     } catch {
       log.info({ fullPath }, 'Failed to read file, assuming no need to sign.');