fix: libiconv.dylib issue on previous macOS

See #3263.

See <https://forum.cardano.org/t/daedalus-version-7-not-opening-on-mac-mac-os-x-10-15-7-after-install/141116>.

Author: michalrus

installers/codesign.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -x
+SIGN_ID="$1"
+KEYCHAIN="$2"
+REL_PATH="$3"
+XML_PATH="$4"
+ABS_PATH="$(pwd)/$REL_PATH"
+TS="$(date +%Y-%m-%d_%H-%M-%S)"
+function sign_cmd() {
+  for targetFile in "$@" ; do
+    codesign --force --verbose=4 --deep --strict --timestamp --options=runtime --entitlements $XML_PATH --sign "$SIGN_ID" "$targetFile" 2>&1 | tee -a /tmp/codesign-output-${TS}.txt
+  done
+}
+VERIFY_CMD="codesign --verbose=4 --verify --deep --strict"
+ENTITLEMENT_CMD="codesign -d --entitlements :-"
+LOG="2>&1 | tee -a /tmp/codesign-output-${TS}.txt"
+
+# Remove symlinks pointing outside of the project build folder:
+rm -f "$ABS_PATH/Contents/Resources/app/result"
+
+# Ensure the code signing identity is found and set the keychain search path:
+eval "security show-keychain-info \"$KEYCHAIN\" $LOG"
+eval "security find-identity -v -p codesigning \"$KEYCHAIN\" $LOG"
+eval "security list-keychains -d user -s \"$KEYCHAIN\" $LOG"
+
+# Sign framework executables not signed by the deep sign command:
+sign_cmd "$ABS_PATH/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Resources/crashpad_handler"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Libraries/libnode.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Libraries/libffmpeg.dylib"
+
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib"
+
+# Sign the whole component deeply
+sign_cmd "$ABS_PATH"
+
+# Verify the signing
+eval "$VERIFY_CMD \"$ABS_PATH\" $LOG"
+eval "$VERIFY_CMD --display -r- \"$ABS_PATH\"" "$LOG"
+eval "$ENTITLEMENT_CMD \"$ABS_PATH\"" "$LOG"
+set +x

installers/entitlements.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+  </dict>
+</plist>

nix/internal/any-darwin.nix

@@ -10,7 +10,7 @@ let
   inherit (pkgs) lib;
 
   inherit (common)
-    daedalus-bridge daedalus-installer launcherConfigs mock-token-metadata-server
+    launcherConfigs mock-token-metadata-server
     cardanoNodeVersion cardanoWalletVersion;
 
   inherit (common) originalPackageJson electronVersion electronChromedriverVersion commonSources;
@@ -107,19 +107,100 @@ in rec {
 
   darwin-launcher = pkgs.callPackage ./darwin-launcher.nix {};
 
+  # TODO: don’t use cardano-bridge.nix
+
+  # TODO: compare runtime-nodejs-deps.json with Linux and Windows, and re-use it there
+
+  # TODO: remove MacInstaller.hs
+
+  nix-bundle-exe-same-dir = pkgs.runCommand "nix-bundle-exe-same-dir" {} ''
+    cp -R ${inputs.nix-bundle-exe} $out
+    chmod -R +w $out
+    sed -r 's+@executable_path/\$relative_bin_to_lib/\$lib_dir+@executable_path+g' -i $out/bundle-macos.sh
+  '';
+
+  mkBundle = exes: let
+    unbundled = pkgs.linkFarm "exes" (lib.mapAttrsToList (name: path: {
+      name = "bin/" + name;
+      inherit path;
+    }) exes);
+  in (import nix-bundle-exe-same-dir {
+    inherit pkgs;
+    bin_dir = "bundle";
+    exe_dir = "_unused_";
+    lib_dir = "bundle";
+  } unbundled).overrideAttrs (drv: {
+      buildCommand = (
+        builtins.replaceStrings
+          ["'${unbundled}/bin'"]
+          ["'${unbundled}/bin' -follow"]
+          drv.buildCommand
+      ) + ''
+        mv $out/bundle/* $out/
+        rmdir $out/bundle
+      '';
+  });
+
+  # XXX: cardano-launcher cannot be a symlink, because it looks at its own
+  # `realpath` to determine DAEDALUS_INSTALL_DIRECTORY:
+  bundle-cardano-launcher = (mkBundle {
+    "cardano-launcher" = common.cardano-shell.haskellPackages.cardano-launcher.components.exes.cardano-launcher + "/bin/cardano-launcher";
+  }).overrideAttrs (drv: {
+    buildCommand = let exeName = "cardano-launcher"; in drv.buildCommand + ''
+      (
+        cd $out
+        mkdir -p bundle-${exeName}
+        mv *.dylib bundle-${exeName}/
+        otool -L ${exeName} \
+          | grep -E '^\s*@executable_path' \
+          | sed -r 's/^\s*//g ; s/ \(.*//g' \
+          | while IFS= read -r lib ; do
+          install_name_tool -change "$lib" "$(sed <<<"$lib" -r 's,@executable_path/,@executable_path/bundle-${exeName}/,g')" ${exeName}
+        done
+      )
+    '';
+  });
+
+  bundle-cardano-node     = mkBundle { "cardano-node"     = lib.getExe common.cardano-node; };
+  bundle-cardano-cli      = mkBundle { "cardano-cli"      = lib.getExe common.cardano-cli; };
+  bundle-cardano-address  = mkBundle { "cardano-address"  = lib.getExe common.cardano-address; };
+  bundle-cardano-wallet   = pkgs.runCommandNoCC "bundle-cardano-wallet" {} ''cp -r ${common.cardano-wallet}/bin $out'';  # upstream bundles it
+  bundle-mock-token-metadata-server = mkBundle { "mock-token-metadata-server"  = lib.getExe common.mock-token-metadata-server; };
+  bundle-local-cluster              = mkBundle { "local-cluster"               = lib.getExe common.walletPackages.local-cluster; };
+
+  # HID.node and others depend on `/nix/store`, we have to bundle them, too:
+  bundleNodeJsNativeModule = pkgs.writeShellScript "bundleNodeJsNativeModule" ''
+    #!/usr/bin/env bash
+    set -euo pipefail
+    target="$1"
+    export bin_dir="bundle"
+    export exe_dir="_unused_"
+    export lib_dir="bundle"
+    export PATH=${lib.makeBinPath (with pkgs; [ darwin.cctools darwin.binutils darwin.sigtool nukeReferences ])}:"$PATH"
+    tmpdir=$(mktemp -d)
+    cp ${nix-bundle-exe-same-dir}/bundle-macos.sh "$tmpdir"/
+    chmod -R +w "$tmpdir"
+    sed -r 's/@executable_path/@loader_path/g' -i "$tmpdir"/bundle-macos.sh
+    bash "$tmpdir"/bundle-macos.sh "$tmpdir" "$target"
+    rm "$tmpdir"/bundle-macos.sh
+    mv "$tmpdir/bundle" "$(dirname "$target")/bundle-$(basename "$target")"
+    rmdir "$tmpdir"
+    rm "$target"
+    ln -s "bundle-$(basename "$target")/$(basename "$target")" "$target"
+  '';
+
   package = genClusters (cluster: let
     pname = "daedalus";
   in pkgs.stdenv.mkDerivation {
     name = pname;
     src = srcWithoutNix;
-    nativeBuildInputs = [ yarn nodejs daedalus-installer ]
-      ++ (with pkgs; [ python3 perl pkgconfig darwin.cctools xcbuild ]);
+    nativeBuildInputs = [ yarn nodejs ]
+      ++ (with pkgs; [ python3 perl pkgconfig darwin.cctools xcbuild jq ]);
     buildInputs = (with pkgs.darwin; [
       apple_sdk.frameworks.CoreServices
       apple_sdk.frameworks.AppKit
       libobjc
     ]) ++ [
-      daedalus-bridge.${cluster}
       darwin-launcher
       mock-token-metadata-server
     ];
@@ -141,21 +222,103 @@ in rec {
 
       ${common.temporaryNodeModulesPatches}
 
-      export DEVX_FIXME_DONT_YARN_INSTALL=1
       (
         cd installers/
         cp -r ${launcherConfigs.${cluster}.configFiles}/. ./.
 
-        # make-installer needs to see `bin/nix-store` to break all references to dylibs inside /nix/store:
-        export PATH="${lib.makeBinPath [ pkgs.nixUnstable ]}:$PATH"
+        echo "Creating icons ..."
+        /usr/bin/iconutil --convert icns --output icons/electron.icns "icons/${cluster}.iconset"
+      )
+
+      mkdir -p release
+      echo "Installing nodejs dependencies..."
+      echo "Running electron packager script..."
+      export "NODE_ENV" "production"
+      yarn build:electron
+      yarn run package -- --name ${lib.escapeShellArg common.launcherConfigs.${cluster}.installerConfig.spacedName}
+      echo "Size of Electron app is $(du -sh release)"
+      find -name '*.node'
+
+      pathtoapp=release/darwin-${archSuffix}/${lib.escapeShellArg launcherConfigs.${cluster}.installerConfig.spacedName}-darwin-${archSuffix}/${lib.escapeShellArg launcherConfigs.${cluster}.installerConfig.spacedName}.app
+      mkdir -p "$pathtoapp"/Contents/Resources/app/node_modules
+      jq -r '.[]' ${./runtime-nodejs-deps.json} | sed -r 's,^,node_modules/,' | xargs -d '\n' cp -r -t "$pathtoapp"/Contents/Resources/app/node_modules/
+
+      mkdir -p "$pathtoapp"/Contents/Resources/app/build
+
+      for f in \
+        "usb/build/Release/usb_bindings.node" \
+        "node-hid/build/Release/HID.node" \
+        "usb-detection/build/Release/detection.node" \
+        ; do
+        cp node_modules/"$f" "$pathtoapp"/Contents/Resources/app/build/
+      done
+
+      jq --arg name "xxx" '.productName = $name' "$pathtoapp/Contents/Resources/app/package.json" >tmp-package.json
+      mv tmp-package.json "$pathtoapp/Contents/Resources/app/package.json"
+
+      dir="$pathtoapp/Contents/MacOS"
+      dataDir="$pathtoapp/Contents/Resources"
+
+      mkdir -p "$dir" "$dataDir"
+
+      echo "Preparing files ..."
+      cp installers/launcher-config.yaml "$dataDir"/
+
+      cp -r ${bundle-cardano-launcher}/. "$dir"/
+
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (exe: bundle: ''
+        cp -r ${bundle} "$dir"/bundle-${exe}
+        ln -s bundle-${exe}/${exe} "$dir"/${exe}
+      '') ({
+        "cardano-node" = bundle-cardano-node;
+        "cardano-cli" = bundle-cardano-cli;
+        "cardano-address" = bundle-cardano-address;
+        "cardano-wallet" = bundle-cardano-wallet;
+      } // (lib.optionalAttrs (cluster == "selfnode") {
+        "mock-token-metadata-server" = bundle-mock-token-metadata-server;
+        "local-cluster" = bundle-local-cluster;
+      })))}
+
+      cp installers/{config.yaml,genesis.json,topology.yaml} "$dataDir"/
+      ${if (cluster != "selfnode") then ''
+        cp installers/{genesis-byron.json,genesis-shelley.json,genesis-alonzo.json} "$dataDir"/
+        cp installers/genesis-conway.json "$dataDir"/ || true
+      '' else ''
+        cp installers/{signing.key,delegation.cert} "$dataDir"/
+        cp -f ${./../../utils/cardano/selfnode}/token-metadata.json "$dir"/
+      ''}
+
+      chmod -R +w "$dir"
+      rm -r "$dataDir/app/installers"
+
+      for f in "usb_bindings.node" "detection.node" "HID.node" ; do
+        (
+          cd "$dataDir"/app/build/
+          mv "$f" ../../../MacOS/"$f"
+          # TODO: why is/was this "reverse" symlink needed? does it make sense?
+          ln -s   ../../../MacOS/"$f" ./
+        )
+        ${bundleNodeJsNativeModule} "$dir/$f"
+      done
 
-        make-installer --cardano ${daedalus-bridge.${cluster}} \
-          --build-rev-short ${sourceLib.buildRevShort} \
-          --build-counter ${toString sourceLib.buildCounter} \
-          --cluster ${cluster} \
-          --out-dir doesnt-matter \
-          --dont-pkgbuild
+      # TODO: why is/was this "reverse" symlink needed? does it make sense?
+      (
+        cd "$dataDir"/app/node_modules/usb-detection/build/Release/
+        rm detection.node
+        ln -sfn ../../../../../../MacOS/detection.node
       )
+
+      mv "$dir"/${lib.escapeShellArg launcherConfigs.${cluster}.installerConfig.spacedName} "$dir"/Frontend
+      chmod +x "$dir"/Frontend
+
+      cat ${pkgs.writeText "helper" ''
+        #!/usr/bin/env bash
+        mkdir -p "${launcherConfigs.${cluster}.installerConfig.dataDir}/Secrets-1.0"
+        mkdir -p "${launcherConfigs.${cluster}.installerConfig.dataDir}/Logs/pub"
+      ''} >"$dataDir"/helper
+      chmod +x "$dataDir"/helper
+
+      cp ${darwin-launcher}/bin/darwin-launcher "$dir"/${lib.escapeShellArg launcherConfigs.${cluster}.installerConfig.spacedName}
     '';
     installPhase = ''
       mkdir -p $out/Applications/

nix/internal/runtime-nodejs-deps.json

@@ -0,0 +1,109 @@
+[
+  "@babel",
+  "@emurgo",
+  "@fivebinaries",
+  "@noble",
+  "@protobufjs",
+  "@sinclair",
+  "@trezor",
+  "agent-base",
+  "babel-runtime",
+  "base-x",
+  "base64-js",
+  "bchaddrjs",
+  "bech32",
+  "big-integer",
+  "bignumber.js",
+  "bindings",
+  "bip66",
+  "bitcoin-ops",
+  "blake-hash",
+  "blake2b",
+  "blake2b-wasm",
+  "bn.js",
+  "brorand",
+  "brotli",
+  "bs58",
+  "bs58check",
+  "buffer",
+  "bytebuffer",
+  "call-bind",
+  "cashaddrjs",
+  "clone",
+  "create-hash",
+  "create-hmac",
+  "cross-fetch",
+  "debug",
+  "decimal.js",
+  "deep-equal",
+  "define-properties",
+  "dfa",
+  "elliptic",
+  "es-abstract",
+  "eventemitter2",
+  "file-uri-to-path",
+  "fontkit",
+  "function-bind",
+  "functions-have-names",
+  "get-intrinsic",
+  "has",
+  "has-property-descriptors",
+  "has-symbols",
+  "has-tostringtag",
+  "hash.js",
+  "hmac-drbg",
+  "ieee754",
+  "inherits",
+  "int64-buffer",
+  "ip",
+  "is-arguments",
+  "is-date-object",
+  "is-regex",
+  "js-chain-libs-node",
+  "json-stable-stringify",
+  "jsonschema",
+  "linebreak",
+  "lodash",
+  "long",
+  "minimalistic-assert",
+  "minimalistic-crypto-utils",
+  "ms",
+  "nanoassert",
+  "node-fetch",
+  "node-hid",
+  "object-is",
+  "object-keys",
+  "object.values",
+  "pdfkit",
+  "png-js",
+  "protobufjs",
+  "pushdata-bitcoin",
+  "randombytes",
+  "regenerator-runtime",
+  "regexp.prototype.flags",
+  "restructure",
+  "ripple-address-codec",
+  "ripple-binary-codec",
+  "ripple-keypairs",
+  "ripple-lib",
+  "ripple-lib-transactionparser",
+  "safe-buffer",
+  "semver-compare",
+  "smart-buffer",
+  "socks",
+  "socks-proxy-agent",
+  "tiny-inflate",
+  "tiny-secp256k1",
+  "tr46",
+  "ts-mixer",
+  "tslib",
+  "typeforce",
+  "unicode-properties",
+  "unicode-trie",
+  "usb",
+  "usb-detection",
+  "util-deprecate",
+  "varuint-bitcoin",
+  "whatwg-url",
+  "wif"
+]