-
Notifications
You must be signed in to change notification settings - Fork 328
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CodeQL codesign error message #2043
Comments
CodeQL traces the build process to figure out how source files are compiled and against which libraries/header files etc. To do this it uses the DYLD_INSERT_LIBRARIES environment variable to inject the CodeQL tracer into the running build process. On macOS the use of The lines from the build-tracer.log above show that the CodeQL tracer is re-signing In the mean time, could you try disabling CodeSigning for your build? CodeQL analysis only needs to intercept compiler processes, steps like packaging and signing are not important for the CodeQL scan. |
@rnychyporuk-rbi Hopefully github/codeql#15134 will fix the problem. |
This will be fixed in CodeQL 2.15.5. |
Thank you @adityasharad .
|
Have you tried the |
I am running into a similar issue when building with fastlane where my action gets stuck on the codesigning step only when CodeQL is initialized prior to building. The failing command is the following: In my case, the action gets stuck indefinitely with the last readable output being the following: This step usually completes in seconds but will get stuck until the action times out or is cancelled. This does not happen for the exact same pipeline without CodeQL. The initialization, build, and analysis steps looks as follows:
Runner: macos-13 Let me know if there is any additional information I should provide! |
@jakobholmgrenhiq Thanks for the detailed report! Could you try re-running the workflow with debug logging enabled? In that case the codeql-action uploads a debug artifact. The debug artifact contains a file @AlexDenisov FYI |
First match is unique:
Rest looks as follows with slight variations:
Let me know if you want me to attach more complete logs. |
Thanks! @AlexDenisov I see that tracing is disabled after intercepting |
Is there any downside to adding the fix from github/codeql@6cbf8ab to all traced languages? If not we can try that out and see how it goes. |
Let me know if I can assist by testing some release candidate, if at all possible, in our pipelines to see if it resolves it. |
I'm afraid that the above fix doesn't actually work. Even with |
Any ideas on other ways we can solve this? Perhaps we can special-case codesign so that it's not even relocated? |
Following up — yes, Alex had a PR for exactly that in https://github.com/github/semmle-code/pull/48593 but it had to be reverted because it was failing integration tests on SIP-disabled ARM runners. I believe Alex is now working on the (separate) fix behind that issue https://github.com/github/codeql-c-team/issues/2160 and then https://github.com/github/semmle-code/pull/48593 can go in again. So, this issue is blocked on https://github.com/github/codeql-c-team/issues/2160 (correct me if wrong!) |
Sorry to bump this if it is still blocked on another issue (which I sadly cant check before posting as it is internal). Do you have any estimates on when we can see this resolved? |
No worries asking for an update. We are actively working on a fix. I can't make any promises on when it will be released. We will have more clarity next week as we collect more data. |
This fix is unlikely to make it into the next CodeQL release 2.16.2, which is expected this week. |
We are still receiving the same issue with "replacing existing signature" using CodeQL 2.16.3:
Could you notify me about the progress, and when it might be fixed? |
This appears to be a different problem. Previously, the error was with the Can you share more of your log that has the error message? |
Here is the whole log file:
We are receving such error in the action:
|
That log looks really short . I don't see any mention of the @AlexDenisov What do you think? |
Hey guys. Do we have any updates o this? |
As @aibaars points out, it's weird that the log terminates mentioning a Are you using default setup or the |
Let me know if I can provide any additional information to help progress this issue. |
Hi @aeisenberg @redsun82 , I an having a similar issue where the fastlane will build successfully without CodeQL, but when CodeQL steps are added - the build fails. |
@ls-valentinas-bakaitis, can you please create a new issue for this? This issue has gotten a bit convoluted and it's no longer clear what each new report is. In this new issue, please include your logs (especially the tracer logs, redacted is 👍) and your workflow file. |
@aeisenberg I have submitted a new issue here: #2347 |
We`re workin on CodeQL Static Application Security Testing (SAST) implementation for a Swift language using GitHub Actions. During this process, I encountered an issue with the CodeQL initialization step when integrating with a Fastlane-based build process.
When including the CodeQL initialization step (github/codeql-action/init@v2) in the GitHub Actions workflow before Fastlane-based build commands, the build job fails with a CodeSign error. The specific error message indicates that the CodeSign command has failed.
Interesting Behavior: if I remove the CodeQL initialization step from the GitHub Actions workflow, the build application process works perfectly without any issues - application builds well.
Error message from console output:
From debug logs we got below entries:
Why codeql replace signature and is it the case for failing our scan ?
The text was updated successfully, but these errors were encountered: