codeql-action

Encountering a code signing issue while building the .app

Open valeriiatym opened this issue 10 months ago • 11 comments

Hi,

We're still experiencing an issue with code signing when building the .app with the initialized CodeQL setup:

** ARCHIVE FAILED **

The following build commands failed:
	CodeSign /Users/test/Library/Developer/Xcode/DerivedData/test-bjpcnarfduumrnaetkciiatxsspz/Build/Intermediates.noindex/ArchiveIntermediates/Test/IntermediateBuildFilesPath/UninstalledProducts/macosx/TestApplication.app (in target 'TestApplication' from project 'Products')
	Archiving workspace Test with scheme Test

We've decided to run the CodeQL analysis on targets that do not require code signing. However, it would be ideal if you could address this issue so that we can run the analysis directly on the .app build.

Please refer to the attached log file for more details.

Thanks!

build-tracer.log

valeriiatym avatar Feb 25 '25 09:02 valeriiatym

Could you attach the other log files as well? There do not appear to be any relevant error messages in the build-tracer.log.

aibaars avatar Feb 25 '25 11:02 aibaars

@aibaars Do you need logs from GitHub Actions?

valeriiatym avatar Feb 25 '25 11:02 valeriiatym

> @aibaars Do you need logs from GitHub Actions?

Yes, and the ones from the debug artifact as well.

aibaars avatar Feb 25 '25 11:02 aibaars

@aibaars Hi, I created support ticket #3258270 and attached logs to it.

valeriiatym avatar Feb 27 '25 14:02 valeriiatym

> @aibaars Hi, I created support ticket #3258270 and attached logs to it.

@valeriiatym Thanks! I found the support ticket, but noticed you only uploaded two log files. I also didn't see the original error message you reported (ARCHIVE FAILED) in any of the log files. I think there should be more log files in the debug artifact, in a (sub)folder named log. If you find more files, please attach them to support ticket #3258270.

I did see quite a lot of errors like posix_spawn error: Bad executable (or shared library) (85), ["/usr/bin/sandbox-exec". I assume these messages do not occur when running a normal build without CodeQL. I suspect that CodeQL's "process tracer" is interacting badly with the sandbox-exec binary for some reason.

aibaars avatar Feb 27 '25 15:02 aibaars

@aibaars

> I assume these messages do not occur when running a normal build without CodeQL.

Yes, you are right.

Updated ticket with logs.

valeriiatym avatar Feb 27 '25 15:02 valeriiatym

@valeriiatym The timestamps in the latest log do not match the ones from the previously uploaded files. This makes me think they are from different runs. It would be great to have a set of log files (actions logs, build-tracer.log, and any other log files in the debug artefact) from the same workflow run. Having a clear picture of what happens at which time will hopefully give us enough information to diagnose what is going wrong.

aibaars avatar Feb 28 '25 11:02 aibaars

@aibaars Yes, the logs from the GHA workflow can be from a different run. I re-ran it several times with the same logic, and I can assure you that nothing was changed. Thanks

valeriiatym avatar Feb 28 '25 12:02 valeriiatym

👋 @valeriiatym

@aibaars's point here is not about something possibly having changed in between the runs, but to have a single run as the source of all the different logs (build-tracer.log, debug artifacts, action logs). As we have to deal with different log kinds, if they are all from the same run we can at least track what happens in the different logs by looking at the timestamps, so that we can link up events appearing in different logs. If, on the other hand, we deal with different log kinds coming from different runs, we lose that information, which makes the investigation quite a bit harder. It'd be great if we could get the log and debug artifacts you provided so far, but all coming from the exact same run.

redsun82 avatar Mar 10 '25 09:03 redsun82

Hey @valeriiatym, I wanted to double-check where we are with this issue. Are you able to produce all the logs we need from a single run, please? As my colleagues indicated, we need to be able to combine the different logs to really understand what the problem is. Combining logs from different runs makes that very difficult and can lead to misdiagnosing the problem.

If the problem no longer exists, please let us know or simply close the ticket.

coadaflorin avatar Mar 31 '25 13:03 coadaflorin

> Hey @valeriiatym, I wanted to double-check where we are with this issue. Are you able to produce all the logs we need from a single run, please? As my colleagues indicated, we need to be able to combine the different logs to really understand what the problem is. Combining logs from different runs makes that very difficult and can lead to misdiagnosing the problem.
>
> If the problem no longer exists, please let us know or simply close the ticket.

Hi, sorry for the delay. I will send all the required info by the end of this week.

valeriiatym avatar Mar 31 '25 13:03 valeriiatym

As we haven't seen any updates on this ticket I will close it. If anything comes up, please re-open the issue.

coadaflorin avatar Sep 30 '25 13:09 coadaflorin