Home /
Input Output /
iohk-nix
Apr 11, 12-1 PM (0)
Apr 11, 1-2 PM (0)
Apr 11, 2-3 PM (0)
Apr 11, 3-4 PM (0)
Apr 11, 4-5 PM (0)
Apr 11, 5-6 PM (0)
Apr 11, 6-7 PM (0)
Apr 11, 7-8 PM (0)
Apr 11, 8-9 PM (0)
Apr 11, 9-10 PM (0)
Apr 11, 10-11 PM (0)
Apr 11, 11-12 AM (0)
Apr 12, 12-1 AM (0)
Apr 12, 1-2 AM (0)
Apr 12, 2-3 AM (0)
Apr 12, 3-4 AM (0)
Apr 12, 4-5 AM (0)
Apr 12, 5-6 AM (0)
Apr 12, 6-7 AM (0)
Apr 12, 7-8 AM (0)
Apr 12, 8-9 AM (0)
Apr 12, 9-10 AM (0)
Apr 12, 10-11 AM (0)
Apr 12, 11-12 PM (0)
Apr 12, 12-1 PM (0)
Apr 12, 1-2 PM (0)
Apr 12, 2-3 PM (0)
Apr 12, 3-4 PM (0)
Apr 12, 4-5 PM (0)
Apr 12, 5-6 PM (0)
Apr 12, 6-7 PM (0)
Apr 12, 7-8 PM (0)
Apr 12, 8-9 PM (0)
Apr 12, 9-10 PM (0)
Apr 12, 10-11 PM (0)
Apr 12, 11-12 AM (0)
Apr 13, 12-1 AM (0)
Apr 13, 1-2 AM (0)
Apr 13, 2-3 AM (0)
Apr 13, 3-4 AM (0)
Apr 13, 4-5 AM (0)
Apr 13, 5-6 AM (0)
Apr 13, 6-7 AM (0)
Apr 13, 7-8 AM (0)
Apr 13, 8-9 AM (0)
Apr 13, 9-10 AM (0)
Apr 13, 10-11 AM (0)
Apr 13, 11-12 PM (0)
Apr 13, 12-1 PM (0)
Apr 13, 1-2 PM (0)
Apr 13, 2-3 PM (0)
Apr 13, 3-4 PM (0)
Apr 13, 4-5 PM (0)
Apr 13, 5-6 PM (0)
Apr 13, 6-7 PM (0)
Apr 13, 7-8 PM (0)
Apr 13, 8-9 PM (0)
Apr 13, 9-10 PM (0)
Apr 13, 10-11 PM (0)
Apr 13, 11-12 AM (0)
Apr 14, 12-1 AM (0)
Apr 14, 1-2 AM (0)
Apr 14, 2-3 AM (0)
Apr 14, 3-4 AM (0)
Apr 14, 4-5 AM (0)
Apr 14, 5-6 AM (0)
Apr 14, 6-7 AM (0)
Apr 14, 7-8 AM (0)
Apr 14, 8-9 AM (0)
Apr 14, 9-10 AM (0)
Apr 14, 10-11 AM (0)
Apr 14, 11-12 PM (0)
Apr 14, 12-1 PM (0)
Apr 14, 1-2 PM (0)
Apr 14, 2-3 PM (0)
Apr 14, 3-4 PM (0)
Apr 14, 4-5 PM (0)
Apr 14, 5-6 PM (0)
Apr 14, 6-7 PM (0)
Apr 14, 7-8 PM (0)
Apr 14, 8-9 PM (0)
Apr 14, 9-10 PM (0)
Apr 14, 10-11 PM (0)
Apr 14, 11-12 AM (0)
Apr 15, 12-1 AM (0)
Apr 15, 1-2 AM (0)
Apr 15, 2-3 AM (0)
Apr 15, 3-4 AM (0)
Apr 15, 4-5 AM (0)
Apr 15, 5-6 AM (0)
Apr 15, 6-7 AM (0)
Apr 15, 7-8 AM (0)
Apr 15, 8-9 AM (0)
Apr 15, 9-10 AM (0)
Apr 15, 10-11 AM (0)
Apr 15, 11-12 PM (0)
Apr 15, 12-1 PM (0)
Apr 15, 1-2 PM (0)
Apr 15, 2-3 PM (0)
Apr 15, 3-4 PM (0)
Apr 15, 4-5 PM (0)
Apr 15, 5-6 PM (0)
Apr 15, 6-7 PM (0)
Apr 15, 7-8 PM (0)
Apr 15, 8-9 PM (0)
Apr 15, 9-10 PM (0)
Apr 15, 10-11 PM (0)
Apr 15, 11-12 AM (0)
Apr 16, 12-1 AM (0)
Apr 16, 1-2 AM (0)
Apr 16, 2-3 AM (0)
Apr 16, 3-4 AM (0)
Apr 16, 4-5 AM (0)
Apr 16, 5-6 AM (0)
Apr 16, 6-7 AM (0)
Apr 16, 7-8 AM (0)
Apr 16, 8-9 AM (1)
Apr 16, 9-10 AM (0)
Apr 16, 10-11 AM (0)
Apr 16, 11-12 PM (0)
Apr 16, 12-1 PM (0)
Apr 16, 1-2 PM (1)
Apr 16, 2-3 PM (0)
Apr 16, 3-4 PM (0)
Apr 16, 4-5 PM (0)
Apr 16, 5-6 PM (0)
Apr 16, 6-7 PM (0)
Apr 16, 7-8 PM (0)
Apr 16, 8-9 PM (0)
Apr 16, 9-10 PM (0)
Apr 16, 10-11 PM (0)
Apr 16, 11-12 AM (0)
Apr 17, 12-1 AM (0)
Apr 17, 1-2 AM (0)
Apr 17, 2-3 AM (0)
Apr 17, 3-4 AM (0)
Apr 17, 4-5 AM (0)
Apr 17, 5-6 AM (1)
Apr 17, 6-7 AM (0)
Apr 17, 7-8 AM (0)
Apr 17, 8-9 AM (0)
Apr 17, 9-10 AM (0)
Apr 17, 10-11 AM (2)
Apr 17, 11-12 PM (0)
Apr 17, 12-1 PM (0)
Apr 17, 1-2 PM (0)
Apr 17, 2-3 PM (0)
Apr 17, 3-4 PM (0)
Apr 17, 4-5 PM (0)
Apr 17, 5-6 PM (0)
Apr 17, 6-7 PM (0)
Apr 17, 7-8 PM (0)
Apr 17, 8-9 PM (0)
Apr 17, 9-10 PM (0)
Apr 17, 10-11 PM (0)
Apr 17, 11-12 AM (0)
Apr 18, 12-1 AM (0)
Apr 18, 1-2 AM (0)
Apr 18, 2-3 AM (0)
Apr 18, 3-4 AM (0)
Apr 18, 4-5 AM (0)
Apr 18, 5-6 AM (0)
Apr 18, 6-7 AM (0)
Apr 18, 7-8 AM (0)
Apr 18, 8-9 AM (0)
Apr 18, 9-10 AM (0)
Apr 18, 10-11 AM (0)
Apr 18, 11-12 PM (0)
Apr 18, 12-1 PM (0)
5 commits this week
Apr 11, 2026
-
Apr 18, 2026
Fix darwin code signatures in setGitRev using darwin.signingUtils (#611)
## Summary - The `setGitRev` function uses `set-git-rev` to patch binary content in Haskell executables, embedding git revision hashes. - On aarch64-darwin (Apple Silicon), this binary patching invalidates the ad-hoc code signature that the linker originally created. Apple Silicon requires all executables to have valid code signatures -- without re-signing, the patched binary is killed on launch. - This PR uses `darwin.signingUtils` and its `signIfRequired` wrapper (matching the pattern from cardano-node's `nix/set-git-rev.nix`) to properly re-sign executables after patching on darwin platforms. ## Changes In `overlays/haskell-nix-extra/default.nix`: 1. Added `nativeBuildInputs = optionals stdenv.hostPlatform.isDarwin [ buildPackages.darwin.signingUtils ];` to bring `signIfRequired` into scope (sourced from `buildPackages` to match the `buildPackages.runCommand` context and support cross-compilation). 2. Added a post-patching loop that calls `signIfRequired` on each executable to re-sign after `set-git-rev` invalidates the original code signature. This is preferable to a raw `/usr/bin/codesign` call because `darwin.signingUtils` handles signing correctly within the Nix sandbox and supports both ad-hoc and identity-based signing as needed by the nixpkgs infrastructure. ## Test plan - [ ] Build a Haskell package that uses `setGitRev` on aarch64-darwin and verify the resulting executable runs without code signature errors - [ ] Verify the fix is a no-op on linux (no codesign invocation, no `darwin.signingUtils` in `nativeBuildInputs`)
Use buildPackages.darwin.signingUtils for cross-compilation correctness
Since newdrv is built with buildPackages.runCommand, nativeBuildInputs should also come from buildPackages to avoid pulling host-platform signingUtils into a build-time context during cross-compilation.
Fix darwin code signatures in setGitRev using darwin.signingUtils
On aarch64-darwin (Apple Silicon), all executables must have valid code signatures. The set-git-rev tool binary-patches executables to embed the git revision, invalidating the linker's ad-hoc code signature. Add darwin.signingUtils to nativeBuildInputs and call signIfRequired on each executable after patching, matching cardano-node's nix/set-git-rev.nix pattern.
Fix invalid code signatures on aarch64-darwin after set-git-rev
The `set-git-rev` tool uses `Data.FileEmbed.injectWith` to patch binary content in Haskell executables, embedding the git revision hash. On aarch64-darwin (Apple Silicon), this binary patching invalidates the ad-hoc code signature that the linker originally created. Apple Silicon requires all executables to have valid code signatures. Without re-signing, the patched binary will be killed immediately on launch with a code signature validation error. The fix re-signs the patched executables with an ad-hoc signature using `/usr/bin/codesign -f -s -` after `set-git-rev` has finished patching. This is a no-op on non-darwin platforms via `lib.optionalString`. Copyright: Moritz Angermann <[email protected]>, Input Output Group.