inscrutable rules for disallowing binaries on a new Apple Silicon (Big Sur) machine [closed]

Solution 1:

All binaries run on M1 need to be code signed. It can be an ad-hoc signature, and the first-party toolchain will perform the necessary step, but other tools may not.

the operating system will enforce that any executable must be signed with a valid signature before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker.

This new policy doesn’t apply to translated x86 binaries running under Rosetta, nor does it apply to macOS 11 running on Intel platforms.

https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11-universal-apps-beta-release-notes

You can apply a signature on a binary with codesign using -s (sign):

codesign -s - /path/to/binary

You can see whether a binary has a code signature using -d (display contents):

codesign -dv /path/to/binary

The diff tool won't display any difference since the files are identical, but the signature will mean the binary runs.

$ echo foo > a
$ echo foo > b

$ codesign -dv a
a: code object is not signed at all
$ codesign -dv b
b: code object is not signed at all

$ codesign -s - a
$ codesign -dv a
Executable=/Users/user/a
Identifier=a-f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
Format=generic
CodeDirectory v=20100 size=187 flags=0x2(adhoc) hashes=1+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

$ diff a b
$ echo $?
0
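
Added example, not part of the original answer: a small shell audit that runs `codesign -dv` over a directory and classifies each executable by the output formats shown above. The function names, the `signed` category and its `Signature size=` pattern, and the third sample are assumptions made for illustration.

```shell
#!/bin/sh
# Reads `codesign -dv` text on stdin; prints unsigned, adhoc, signed or unknown.
classify_codesign_output() {
    awk '
        /code object is not signed at all/ { state = "unsigned" }
        /^Signature=adhoc$/                { state = "adhoc" }
        # Assumption: a non-ad-hoc signature shows up as "Signature size=N".
        /^Signature size=[0-9]+$/          { state = "signed" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# codesign writes the -dv report to stderr, so fold it into the pipe.
signature_state() {
    codesign -dv "$1" 2>&1 | classify_codesign_output
}

# List every executable file under a directory with its signature state.
audit_dir() {
    find "$1" -type f -perm -100 | while IFS= read -r f; do
        printf '%s\t%s\n' "$(signature_state "$f")" "$f"
    done
}

# Sample inputs: the first two are the outputs shown in the answer above.
sample_unsigned() { printf '%s\n' 'a: code object is not signed at all'; }
sample_adhoc() {
    cat <<'EOF'
Executable=/Users/user/a
Identifier=a-f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
Format=generic
CodeDirectory v=20100 size=187 flags=0x2(adhoc) hashes=1+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
EOF
}
# Constructed sample (not from the page) for an identity-signed binary.
sample_signed() {
    cat <<'EOF'
Executable=/opt/example/tool
Identifier=com.example.tool
Signature size=4442
TeamIdentifier=EXAMPLE123
EOF
}
```

On an Apple Silicon machine, `audit_dir /usr/local/bin` prints one tab-separated line per executable; entries reported as `unsigned` are the ones that need `codesign -s -` before native arm64 code in them will run.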