Files
Netcatty/scripts/afterPackMacUuid.test.cjs
陈大猫 17c8f11194
Some checks failed
build-packages / ${{ needs.dedupe.outputs.skip_heavy_ci == 'true' && 'deduped build-linux-x64' || 'build-linux-x64' }} (push) Has been cancelled
build-packages / ${{ needs.dedupe.outputs.skip_heavy_ci == 'true' && 'deduped build-linux-arm64' || 'build-linux-arm64' }} (push) Has been cancelled
build-packages / release (push) Has been cancelled
build-packages / dedupe push run (push) Has been cancelled
build-packages / dedupe result (push) Has been cancelled
build-packages / resolve bundled mosh-client (push) Has been cancelled
build-packages / resolve bundled et-client (push) Has been cancelled
build-packages / build-macos (push) Has been cancelled
build-packages / build-windows (push) Has been cancelled
build-packages / bump homebrew tap (push) Has been cancelled
Fix macOS package ad-hoc signing (#1433)
2026-06-12 12:36:46 +08:00

160 lines
4.9 KiB
JavaScript

const test = require("node:test");
const assert = require("node:assert/strict");
const {
adHocSignAppBundle,
deriveUuid,
patchMachOBuffer,
} = require("./afterPackMacUuid.cjs");
const LC_UUID = 0x1b;
const LC_OTHER = 0x19;
const MH_MAGIC_64 = 0xfeedfacf;
// Build a minimal thin little-endian 64-bit Mach-O with two load commands:
// one dummy command and one LC_UUID carrying `uuidBytes`.
function buildThinMachO(uuidBytes) {
const header = Buffer.alloc(32);
header.writeUInt32LE(MH_MAGIC_64, 0); // magic
header.writeUInt32LE(0x0100000c, 4); // cputype arm64 (value irrelevant)
header.writeUInt32LE(0, 8); // cpusubtype
header.writeUInt32LE(2, 12); // filetype
header.writeUInt32LE(2, 16); // ncmds
header.writeUInt32LE(16 + 24, 20); // sizeofcmds
header.writeUInt32LE(0, 24); // flags
header.writeUInt32LE(0, 28); // reserved
const dummy = Buffer.alloc(16);
dummy.writeUInt32LE(LC_OTHER, 0); // cmd
dummy.writeUInt32LE(16, 4); // cmdsize
dummy.fill(0xab, 8); // payload sentinel
const uuidCmd = Buffer.alloc(24);
uuidCmd.writeUInt32LE(LC_UUID, 0); // cmd
uuidCmd.writeUInt32LE(24, 4); // cmdsize
uuidBytes.copy(uuidCmd, 8);
return Buffer.concat([header, dummy, uuidCmd]);
}
// Wrap one or more thin slices in a big-endian 32-bit fat binary.
function buildFatMachO(slices) {
const headerSize = 8 + slices.length * 20;
const header = Buffer.alloc(headerSize);
header.writeUInt32BE(0xcafebabe, 0); // FAT_MAGIC
header.writeUInt32BE(slices.length, 4);
let offset = headerSize;
const offsets = [];
for (let i = 0; i < slices.length; i += 1) {
const archOff = 8 + i * 20;
header.writeUInt32BE(0x0100000c, archOff); // cputype
header.writeUInt32BE(0, archOff + 4); // cpusubtype
header.writeUInt32BE(offset, archOff + 8); // offset
header.writeUInt32BE(slices[i].length, archOff + 12); // size
header.writeUInt32BE(0, archOff + 16); // align
offsets.push(offset);
offset += slices[i].length;
}
return Buffer.concat([header, ...slices]);
}
test("deriveUuid is deterministic and 16 bytes", () => {
const a = deriveUuid("com.netcatty.app");
const b = deriveUuid("com.netcatty.app");
assert.equal(a.length, 16);
assert.ok(a.equals(b));
});
test("deriveUuid differs per appId and sets version/variant bits", () => {
const a = deriveUuid("com.netcatty.app");
const b = deriveUuid("com.example.other");
assert.ok(!a.equals(b));
assert.equal(a[6] & 0xf0, 0x50); // version 5
assert.equal(a[8] & 0xc0, 0x80); // RFC 4122 variant
});
test("patchMachOBuffer rewrites LC_UUID in a thin Mach-O and leaves the rest intact", () => {
const original = Buffer.alloc(16, 0x11);
const buf = buildThinMachO(original);
const uuid = deriveUuid("com.netcatty.app");
const { patched, oldUuids } = patchMachOBuffer(buf, uuid);
assert.equal(patched, 1);
assert.equal(oldUuids[0], original.toString("hex"));
// LC_UUID payload is now our derived uuid (uuid command starts at byte 48).
assert.ok(buf.subarray(48 + 8, 48 + 24).equals(uuid));
// Header magic + the dummy command's payload are untouched.
assert.equal(buf.readUInt32LE(0), MH_MAGIC_64);
assert.equal(buf.readUInt32LE(32), LC_OTHER);
assert.ok(buf.subarray(32 + 8, 32 + 16).equals(Buffer.alloc(8, 0xab)));
});
test("patchMachOBuffer patches every slice of a fat binary", () => {
const slice1 = buildThinMachO(Buffer.alloc(16, 0x22));
const slice2 = buildThinMachO(Buffer.alloc(16, 0x33));
const fat = buildFatMachO([slice1, slice2]);
const uuid = deriveUuid("com.netcatty.app");
const { patched } = patchMachOBuffer(fat, uuid);
assert.equal(patched, 2);
});
test("patchMachOBuffer reports zero when there is no LC_UUID", () => {
// A thin Mach-O whose single command is not LC_UUID.
const header = Buffer.alloc(32);
header.writeUInt32LE(MH_MAGIC_64, 0);
header.writeUInt32LE(1, 16); // ncmds
const cmd = Buffer.alloc(16);
cmd.writeUInt32LE(LC_OTHER, 0);
cmd.writeUInt32LE(16, 4);
const buf = Buffer.concat([header, cmd]);
const { patched } = patchMachOBuffer(buf, deriveUuid("com.netcatty.app"));
assert.equal(patched, 0);
});
test("adHocSignAppBundle signs the full app bundle on macOS hosts", () => {
const calls = [];
const didSign = adHocSignAppBundle("/tmp/Netcatty.app", {
hostPlatform: "darwin",
execFileSync: (bin, args, options) => {
calls.push({ bin, args, options });
},
});
assert.equal(didSign, true);
assert.deepEqual(calls, [
{
bin: "codesign",
args: [
"--force",
"--deep",
"--sign",
"-",
"--timestamp=none",
"/tmp/Netcatty.app",
],
options: { stdio: ["ignore", "pipe", "pipe"] },
},
]);
});
test("adHocSignAppBundle skips non-macOS hosts", () => {
let called = false;
const didSign = adHocSignAppBundle("/tmp/Netcatty.app", {
hostPlatform: "linux",
execFileSync: () => {
called = true;
},
});
assert.equal(didSign, false);
assert.equal(called, false);
});