
Should zig ld embed code signatures for platforms other than macOS? #9567

@kubkon

Description


For the purposes of running and debugging programs on the latest ARM64-based architectures such as the M1 SoC, zig ld embeds an adhoc code signature within each produced binary. I initially assumed that the same adhoc code signature would suffice for targeting other Apple platforms which require it, such as iPhoneOS, etc. This however turns out not to be the case, as reported in #9565. In order not to stifle progress, zig ld will currently not embed a code signature (even an adhoc one) when targeting platforms other than macOS, so that Apple's codesign utility can be used to manually sign those: #9568. (Without this precaution, codesign will outright reject a binary code signed by Zig, which is not what we want here.)

The question here, however, is relevant for the future of those targets in Zig: should the Zig toolchain, and in particular the linker zig ld, automatically embed adhoc code signatures for those platforms too? My gut feeling is no, since generating a valid adhoc code signature for iPhoneOS, for instance, needs to take into account that the binary itself is part of a bundle and this bundle includes a valid plist. To my surprise, this is actually reflected and included inside the embedded code signature, as evidenced below:

```
❯ codesign -dv MadeWithZig.app/app
Executable=/Users/jakubkonka/dev/examples/zig-ios-example/MadeWithZig.app/app
Identifier=madewithzig-55554944c1bd60909a78bc0d4f49b4236ccb0fcc
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=3693 flags=0x2(adhoc) hashes=108+3 location=embedded
Signature=adhoc
Info.plist entries=12    <--- note the info about the Info.plist, which is a standalone file not currently created by Zig
TeamIdentifier=not set
Sealed Resources version=2 rules=10 files=0
Internal requirements count=0 size=12
```

For comparison, here's the output for a valid adhoc code signed binary targeting M1 macOS code signed by Zig:

```
❯ codesign -dv zig-out/bin/app
Executable=/Users/jakubkonka/dev/examples/zig-ios-example/zig-out/bin/app
Identifier=app
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=956 flags=0x2(adhoc) hashes=27+0 location=embedded
Signature=adhoc
Info.plist=not bound   <--- for comparison, nothing when targeting macOS
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
```

I believe that instead of adding this functionality into Zig proper, we should have it as part of a standalone third-party utility which mimics codesign. Now, I do not really know much about provisioning, signing and distributing apps in the Apple ecosystem; therefore, I'd welcome input from any interested and knowledgeable party here.
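To make the difference between the two `codesign -dv` outputs above concrete, here is an added example (not part of this issue, of Zig, or of Apple's tooling) that walks a Mach-O's `LC_CODE_SIGNATURE` to its CodeDirectory and reports what codesign prints as `hashes=code+special` and whether `Info.plist` is bound. The field layout follows Apple's public `cs_blobs.h` and `mach-o/loader.h`; the two Mach-O images it inspects are constructed inside the script with made-up identifiers, page contents and special-slot hashes, so nothing here is a real Zig or Apple binary.

```python
"""Decode an embedded Mach-O code signature the way `codesign -dv` summarises it.
Sample images at the bottom are constructed for this example, not real binaries."""
import hashlib
import struct

MH_MAGIC_64, CPU_TYPE_ARM64, LC_CODE_SIGNATURE = 0xFEEDFACF, 0x0100000C, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY, CSSLOT_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02, 0
CS_ADHOC, CS_LINKER_SIGNED = 0x2, 0x20000
# "Special" slots sit at negative indices immediately before code slot 0 (cs_blobs.h).
SPECIAL_SLOTS = {1: "Info.plist", 2: "requirements", 3: "resources", 4: "application", 5: "entitlements"}
HASH_TYPES = {1: "sha1", 2: "sha256", 3: "sha256-trunc", 4: "sha384"}

def find_code_signature(image: bytes) -> bytes:
    """Return the SuperBlob that LC_CODE_SIGNATURE points at (64-bit little-endian Mach-O)."""
    magic, _cpu, _sub, _ftype, ncmds, _sz, _flags, _res = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmd == LC_CODE_SIGNATURE:  # linkedit_data_command: cmd, cmdsize, dataoff, datasize
            dataoff, datasize = struct.unpack_from("<2I", image, off + 8)
            return image[dataoff:dataoff + datasize]
        off += cmdsize
    raise ValueError("no LC_CODE_SIGNATURE: image is unsigned")

def parse_code_directory(sig: bytes) -> dict:
    """Decode the CodeDirectory header and its special slots; all signature fields are big-endian."""
    magic, _length, count = struct.unpack_from(">3I", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("bad SuperBlob magic")
    cd = None
    for i in range(count):
        slot, offset = struct.unpack_from(">2I", sig, 12 + 8 * i)
        if slot == CSSLOT_CODEDIRECTORY:
            cd = sig[offset:offset + struct.unpack_from(">I", sig, offset + 4)[0]]
    if cd is None or struct.unpack_from(">I", cd, 0)[0] != CSMAGIC_CODEDIRECTORY:
        raise ValueError("SuperBlob has no CodeDirectory")
    (_m, _l, version, flags, hash_off, ident_off, n_special, n_code, _limit,
     hash_size, hash_type, _platform, _page) = struct.unpack_from(">9I4B", cd, 0)
    ident = cd[ident_off:cd.index(b"\0", ident_off)].decode()
    special = {}
    for k in range(1, n_special + 1):  # slot -k lives at hash_off - k*hash_size
        h = cd[hash_off - k * hash_size:hash_off - (k - 1) * hash_size]
        special[SPECIAL_SLOTS.get(k, f"slot-{k}")] = h.hex() if any(h) else None  # all-zero = not bound
    digest = hashlib.sha1 if hash_type == 1 else hashlib.sha256
    return {"version": version, "flags": flags, "adhoc": bool(flags & CS_ADHOC),
            "linker_signed": bool(flags & CS_LINKER_SIGNED), "identifier": ident,
            "hash_type": HASH_TYPES.get(hash_type, "?"), "n_code": n_code, "n_special": n_special,
            "special": special, "cdhash": digest(cd).hexdigest()[:40]}  # cdhash = hash of the CD blob, 20 bytes

def info_plist_bound(cd: dict) -> bool:
    """codesign reports Info.plist as bound only when special slot -1 exists and holds a non-zero hash."""
    return cd["special"].get("Info.plist") is not None

def describe(image: bytes) -> str:
    """Render a subset of `codesign -dv` output for the image."""
    d = parse_code_directory(find_code_signature(image))
    adhoc = "(adhoc)" if d["adhoc"] else ""
    return (f"Identifier={d['identifier']}\n"
            f"CodeDirectory v={d['version']:x} flags={d['flags']:#x}{adhoc} "
            f"hashes={d['n_code']}+{d['n_special']} hash={d['hash_type']}\n"
            f"Info.plist={'bound' if info_plist_bound(d) else 'not bound'}\nCDHash={d['cdhash']}")

# --- constructed sample images (layout per cs_blobs.h / mach-o/loader.h; contents are made up) ---
def build_code_directory(ident: bytes, n_code: int, special_hashes: list) -> bytes:
    """Build a v0x20400 sha256 CodeDirectory; special_hashes[0] is slot -1 (Info.plist), [1] slot -2, ..."""
    header_len, hash_size = 88, 32  # header through execSegFlags
    hash_off = header_len + len(ident) + 1 + hash_size * len(special_hashes)
    body = ident + b"\0" + b"".join(reversed(special_hashes))  # slot -n first, slot -1 right before slot 0
    body += b"".join(hashlib.sha256(b"page%d" % i).digest() for i in range(n_code))
    hdr = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, header_len + len(body), 0x20400, CS_ADHOC,
                      hash_off, header_len, len(special_hashes), n_code, n_code * 4096, hash_size, 2, 0, 12, 0)
    hdr += struct.pack(">IIIQQQQ", 0, 0, 0, 0, 0, 0, 0)  # scatter, team, spare3, codeLimit64, execSeg*
    return hdr + body

def build_macho(cd: bytes) -> bytes:
    """Minimal arm64 MH_EXECUTE with one load command (LC_CODE_SIGNATURE) and an embedded SuperBlob."""
    sig = struct.pack(">5I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(cd), 1, CSSLOT_CODEDIRECTORY, 20) + cd
    text = b"\xd5\x03\x20\x1f" * 16  # 64 bytes of arm64 NOPs standing in for __TEXT
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 16 + len(text), len(sig))
    return header + lc + text + sig

# Shape of the two cases in the issue: a bare adhoc binary (no special slots) and a bundle
# binary whose CodeDirectory seals Info.plist, requirements and resources (identifiers made up).
MACOS_STYLE = build_macho(build_code_directory(b"app", 27, []))
IOS_STYLE = build_macho(build_code_directory(b"madewithzig", 108, [
    hashlib.sha256(b"<plist/>").digest(), hashlib.sha256(b"reqs").digest(), hashlib.sha256(b"CodeResources").digest()]))
UNSIGNED_IMAGE = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    print(describe(MACOS_STYLE), "\n", sep="")
    print(describe(IOS_STYLE))
```

Run against the constructed images this prints `hashes=27+0` / `Info.plist=not bound` for the first and `hashes=108+3` / `Info.plist=bound` for the second, which is the distinction in the two outputs above: slot -1 of the CodeDirectory carries the hash of the bundle's Info.plist, so a linker that only sees the executable cannot fill it in, and a zeroed or missing slot is what codesign reports as "not bound". The `flags=0x2` in the issue's output means only `CS_ADHOC` is set; Apple's own ld64 additionally marks its ad-hoc signatures with `CS_LINKER_SIGNED` (0x20000), which codesign displays as `linker-signed`. The script decodes what the signature claims and does not re-hash code pages or the sealed resources, so it is an inspection aid, not a verifier.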
