pyrox.dev / nixpkgs
lol
fork atom

nodejs: use sigtool's codesign in test-macos-app-sandbox

test-macos-app-sandbox uses the system-provided codesign binary
(/usr/bin/codesign) to apply entitlements to an app bundle. This fails
in the sandbox as /usr/bin/codesign is not accessible. Patch the test to
instead use the codesign binary from sigtool. The test was updated to
pass the executable path to codesign as sigtool can't handle the bundle
path.

Alex James 1bc6e6c0 cbb3c85f

options
unified split
Changed files
+28 -1
pkgs
development
web
nodejs
nodejs.nix
use-nix-codesign.patch
v20.nix
v22.nix
v24.nix
+7 -1
pkgs/development/web/nodejs/nodejs.nix 
···

       
28

       
28

       
 

       
  runtimeShell,


     

       
29

       
29

       
 

       
  gnupg,


     

       
30

       
30

       
 

       
  installShellFiles,


     

       

       
31

       
+

       
  darwin,


     

       
31

       
32

       
 

       
}:


     

       
32

       
33

       
 

       



     

       
33

       
34

       
 

       
{


     
···

       
298

       
299

       
 

       



     

       
299

       
300

       
 

       
      inherit patches;


     

       
300

       
301

       
 

       



     

       

       
302

       
+

       
      postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''


     

       

       
303

       
+

       
        substituteInPlace test/parallel/test-macos-app-sandbox.js \


     

       

       
304

       
+

       
          --subst-var-by codesign '${darwin.sigtool}/bin/codesign'


     

       

       
305

       
+

       
      '';


     

       

       
306

       
+

       



     

       
301

       
307

       
 

       
      __darwinAllowLocalNetworking = true; # for tests


     

       
302

       
308

       
 

       



     

       
303

       
309

       
 

       
      doCheck = canExecute;


     
···

       
391

       
397

       
 

       
            ]


     

       
392

       
398

       
 

       
            ++ lib.optionals stdenv.buildPlatform.isDarwin [


     

       
393

       
399

       
 

       
              # Disable tests that don’t work under macOS sandbox.


     

       
394

       

       
-

       
              "test-macos-app-sandbox"


     

       

       
400

       
+

       
              # uv_os_setpriority returned EPERM (operation not permitted)


     

       
395

       
401

       
 

       
              "test-os"


     

       
396

       
402

       
 

       
              "test-os-process-priority"


     

       
397

       
403
+18
pkgs/development/web/nodejs/use-nix-codesign.patch 
···

       

       
1

       
+

       
diff --git a/test/parallel/test-macos-app-sandbox.js b/test/parallel/test-macos-app-sandbox.js


     

       

       
2

       
+

       
index 60ad67b3db..b6ac0dcef4 100644


     

       

       
3

       
+

       
--- a/test/parallel/test-macos-app-sandbox.js


     

       

       
4

       
+

       
+++ b/test/parallel/test-macos-app-sandbox.js


     

       

       
5

       
+

       
@@ -45,11 +45,11 @@ fs.copyFileSync(


     

       

       
6

       
+

       
 


     

       

       
7

       
+

       
 // Sign the app bundle with sandbox entitlements:


     

       

       
8

       
+

       
 assert.strictEqual(


     

       

       
9

       
+

       
-  child_process.spawnSync('/usr/bin/codesign', [


     

       

       
10

       
+

       
+  child_process.spawnSync('@codesign@', [


     

       

       
11

       
+

       
     '--entitlements', fixtures.path(


     

       

       
12

       
+

       
       'macos-app-sandbox', 'node_sandboxed.entitlements'),


     

       

       
13

       
+

       
     '--force', '-s', '-',


     

       

       
14

       
+

       
-    appBundlePath,


     

       

       
15

       
+

       
+    appExecutablePath,


     

       

       
16

       
+

       
   ]).status,


     

       

       
17

       
+

       
   0);


     

       

       
18

       
+
+1
pkgs/development/web/nodejs/v20.nix 
···

       
42

       
42

       
 

       
    ./configure-armv6-vfpv2.patch


     

       
43

       
43

       
 

       
    ./node-npm-build-npm-package-logic.patch


     

       
44

       
44

       
 

       
    ./use-correct-env-in-tests.patch


     

       

       
45

       
+

       
    ./use-nix-codesign.patch


     

       
45

       
46

       
 

       



     

       
46

       
47

       
 

       
    # TODO: remove when included in a release


     

       
47

       
48

       
 

       
    (fetchpatch2 {
+1
pkgs/development/web/nodejs/v22.nix 
···

       
59

       
59

       
 

       
      ./node-npm-build-npm-package-logic.patch


     

       
60

       
60

       
 

       
      ./use-correct-env-in-tests.patch


     

       
61

       
61

       
 

       
      ./bin-sh-node-run-v22.patch


     

       

       
62

       
+

       
      ./use-nix-codesign.patch


     

       
62

       
63

       
 

       



     

       
63

       
64

       
 

       
      # TODO: remove when included in a release


     

       
64

       
65

       
 

       
      (fetchpatch2 {
+1
pkgs/development/web/nodejs/v24.nix 
···

       
58

       
58

       
 

       
      ./node-npm-build-npm-package-logic.patch


     

       
59

       
59

       
 

       
      ./use-correct-env-in-tests.patch


     

       
60

       
60

       
 

       
      ./bin-sh-node-run-v22.patch


     

       

       
61

       
+

       
      ./use-nix-codesign.patch


     

       
61

       
62

       
 

       
    ]


     

       
62

       
63

       
 

       
    ++ gypPatches


     

       
63

       
64

       
 

       
    ++ lib.optionals (!stdenv.buildPlatform.isDarwin) [