fix(fix-machos): force adhoc signing for virtualization/hypervisor entitlements#353
Merged
jhheider merged 1 commit, Jun 6, 2026
…titlements When pantry CI has imported a Developer ID via apple-actions/import-codesign-certs, brewkit re-signs every Mach-O with that Developer ID. Some entitlements -- notably com.apple.security.virtualization and com.apple.security.hypervisor -- require either adhoc signing or a Developer ID with a matching provisioning profile. A generic Developer ID without that provisioning is rejected by macOS Virtualization.framework / hypervisor.framework at runtime (the binary launches but vz / hv calls fail). This is what caused lima's limactl to break on pkgx bottles while the Homebrew bottle worked: Homebrew adhoc-signs these binaries, brewkit was re-signing them with the Tea Inc. Developer ID, losing the entitlement. Fix: when these entitlements are present, force adhoc signing instead of using the Developer ID. Mirrors Homebrew's behavior for the same class of binaries. Continues the codesign work from pkgxdev#349 (which only covered the adhoc->adhoc path -- the Developer-ID->adhoc path needed this complementary guard). Refs: pkgxdev/pantry#7853 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

When pantry CI imports a Developer ID via `apple-actions/import-codesign-certs`, brewkit re-signs every Mach-O with that Developer ID. Some entitlements — notably `com.apple.security.virtualization` and `com.apple.security.hypervisor` — require either adhoc signing or a Developer ID with a matching provisioning profile. A generic Developer ID without that provisioning is rejected by macOS Virtualization.framework / hypervisor.framework at runtime: the binary launches, but `vz`/`hv` calls fail.

This is the root cause of lima's `limactl` breaking on pkgx bottles while the Homebrew bottle works: Homebrew adhoc-signs these binaries, brewkit was re-signing them with the Tea Inc. Developer ID and losing the entitlement.

Fix

When these entitlements are present, force adhoc signing rather than using the Developer ID. Mirrors Homebrew's behavior for the same class of binaries.

The check runs before the existing #349 fix, so it catches both signing paths (the `signing_id == "-"` path is unchanged for non-privileged adhoc work).

Why a complementary fix to #349

#349 covered the `adhoc -> adhoc` case: when `signing_id == "-"`, `--preserve-metadata=flags` was silently dropping the adhoc flag, leaving `flags=0x0`. The fix was to take the remove+re-sign path with `--entitlements`.

But pantry CI uses `signing_id == "<Developer ID>"`, so the `if signing_id == "-"` guard never fired. The binary went through the standard `--preserve-metadata=...,flags,...` codesign call and ended up signed with the Developer ID (no adhoc flag, no matching provisioning). Verified on the rebuilt `lima-vm.io@2.1.2` bottle: `flags=0x0(none)`, `Authority=Developer ID Application: Tea Inc. (7WV56FL599)`, vz nested virt still failing.

This PR adds a complementary check (privileged-entitlements present → force adhoc) before the signing-id-based branch.

Verification approach

After this lands, rebuilding `lima-vm.io` should produce a bottle with:

```
flags=0x2(adhoc)
Signature=adhoc
TeamIdentifier=not set
```

…matching the working Homebrew bottle exactly. Will confirm on M3+/M4 hardware against the `nested.yaml` template from pkgxdev/pantry#7853.

Test plan

- `codesign -dvvv <new bottle>` shows `flags=0x2(adhoc)` and no TeamIdentifier
- `limactl start nested` with `vmType: vz` + `nestedVirtualization: true` on M3+/M4 — should boot the VM without the `vz error: nested virtualization is not supported` fatal

Refs: pkgxdev/pantry#7853

🤖 Generated with Claude Code
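The signing decision the PR describes (privileged entitlement present → sign adhoc, otherwise use the configured identity) together with the `codesign -dvvv` check from the test plan, as an added shell example that is not brewkit's or this PR's code. The function names, the entitlement list, the placeholder Developer ID string and the sample plist/codesign output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not brewkit's own code: pick the signing identity from a
# binary's entitlements the way the PR describes, then check codesign -dvvv
# output the way the test plan does. Function names and the sample inputs
# below are constructed for illustration.

# Entitlements that Virtualization.framework / Hypervisor.framework only honor
# when the binary is adhoc-signed or carries a matching provisioning profile.
PRIVILEGED_ENTITLEMENTS="com.apple.security.virtualization com.apple.security.hypervisor"

# choose_signing_id <entitlements.plist> <configured signing id>
# Prints "-" (adhoc) if any privileged entitlement key is present, else the
# configured id. This runs before any signing_id == "-" branch, as in the PR.
choose_signing_id() {
  plist=$1; configured=$2
  for ent in $PRIVILEGED_ENTITLEMENTS; do
    if grep -q "<key>$ent</key>" "$plist"; then
      printf '%s\n' "-"; return 0
    fi
  done
  printf '%s\n' "$configured"
}

# verify_adhoc <file holding 'codesign -dvvv' output>
# Succeeds only when the signature is adhoc (flags bit 0x2 set) and no
# TeamIdentifier is recorded, i.e. what the working Homebrew bottle shows.
verify_adhoc() {
  grep -q 'flags=0x2(adhoc)' "$1" || return 1
  grep -q '^Signature=adhoc$' "$1" || return 1
  grep -q '^TeamIdentifier=not set$' "$1" || return 1
  return 0
}

# Constructed sample inputs (not captured from a real bottle).
VZ_PLIST=$(mktemp); PLAIN_PLIST=$(mktemp); GOOD_OUT=$(mktemp); BAD_OUT=$(mktemp)
printf '<plist version="1.0"><dict>\n<key>com.apple.security.virtualization</key><true/>\n</dict></plist>\n' >"$VZ_PLIST"
printf '<plist version="1.0"><dict>\n<key>com.apple.security.cs.allow-jit</key><true/>\n</dict></plist>\n' >"$PLAIN_PLIST"
printf 'CodeDirectory v=20400 flags=0x2(adhoc)\nSignature=adhoc\nTeamIdentifier=not set\n' >"$GOOD_OUT"
printf 'CodeDirectory v=20400 flags=0x0(none)\nAuthority=Developer ID Application: Example Corp (TEAMID0000)\nTeamIdentifier=TEAMID0000\n' >"$BAD_OUT"

DEV_ID="Developer ID Application: Example Corp (TEAMID0000)"   # placeholder identity
echo "virtualization binary signs with: $(choose_signing_id "$VZ_PLIST" "$DEV_ID")"
echo "plain binary signs with:          $(choose_signing_id "$PLAIN_PLIST" "$DEV_ID")"
if verify_adhoc "$GOOD_OUT"; then echo "good bottle: adhoc, no team id"; fi
if ! verify_adhoc "$BAD_OUT"; then echo "bad bottle: Developer ID signature, entitlement would be rejected at runtime"; fi
```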