Code-signing entitlements needed for OSX #2393

develerltd opened this issue Apr 3, 2025 · 4 comments
Labels
bug Something isn't working

Comments

@develerltd

Describe the bug
Without the appropriate codesign entitlements, OSX will kill any go processes attempting to compile a wasm file.

To Reproduce
Download a codesigned golang app utilising wazero that attempts to compile a wasm file.
The operating system will kill the process.

Expected behavior
It compiles and continues as normal.

Environment (please complete the relevant information):

  • Go version: [e.g. 1.24.2]
  • Host architecture: OSX Arm64
  • Runtime mode: Compiler

Additional context
The solution will be to document this as a requirement when developing any wazero application on mac osx.

The entitlements appear to be as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>

@sirily11

Definitely need to include this in the documentation. Struggled with this issue for a whole day and then found this GitHub issue.

@ncruces
Contributor

ncruces commented May 13, 2025

@sirily11 does the posted solution work for you?

I can stand up a PR adding that to the README, or you can put one up yourselves.

@evacchi
Contributor

evacchi commented May 13, 2025

hey @sirily11 are you able to share a reproducer for this? i.e. an executable that exhibits this behavior? This makes sense to me, but I just wanted to double-check.

@sirily11

> @sirily11 does the posted solution work for you?
>
> I can stand up a PR adding that to the README, or you can put one up yourselves.

Yes, this document helped me fix my issue. I am building a simple Go application using this package for extensibility. The app crashed every time I ran it on another laptop, but it worked on mine.

Then I found this issue, attached the entitlement file, and performed the codesign on my host application:

codesign --force --options runtime --timestamp --entitlements "$(dirname "$0")/app.entitlements" --sign "${SIGNING_CERTIFICATE_NAME}" "${BINARY_PATH}"

After that, the issue was resolved. Simple and effective.
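
A pre-signing check for the entitlements file discussed in this thread, as an added example that is not part of the issue or of wazero's own code: it parses the plist handed to `codesign --entitlements` and reports which of the two keys listed above are missing or not set to true. The function name `check_entitlements` and the sample plists are constructed for illustration.

```python
import plistlib
import sys

# Entitlement keys listed in the issue above (taken from the page, not verified here).
REQUIRED_KEYS = (
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
)

# Constructed sample inputs; each starts with the XML header plistlib uses to detect the format.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
</dict></plist>"""
SAMPLE_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><false/>
</dict></plist>"""


def check_entitlements(plist_bytes, required=REQUIRED_KEYS):
    """Return a list of problems; an empty list means every key is <true/>."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(data, dict):
        return ["top-level plist object is not a <dict>"]
    problems = []
    for key in required:
        if key not in data:
            problems.append(f"missing: {key}")
        elif data[key] is not True:
            problems.append(f"not <true/>: {key} = {data[key]!r}")
    return problems


if __name__ == "__main__":
    # Usage: python check_entitlements.py app.entitlements
    with open(sys.argv[1], "rb") as fh:
        found = check_entitlements(fh.read())
    for line in found:
        print(line, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run as a build step before signing, a non-zero exit stops a binary from shipping without the entitlements this thread identifies.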
