[cfarm-users] New Apple Mac M1 machine (gcc304)

Jonas Maebe j-gccfarm at watlock.be
Wed Mar 24 15:48:44 CET 2021


On 23/03/2021 01:31, Assaf Gordon via cfarm-users wrote:
> - will it compromise SIP (
> https://en.wikipedia.org/wiki/System_Integrity_Protection ) ?

Note that keeping SIP enabled completely decimates compiler regression
testing performance, because it means that every time you execute a
compiled binary for the first time,
1) it gets checked for malware (XprotectService)
2) its code signature gets checked (syspolicyd, trustd, tccd) [1]

Both 1) and 2) happen in single-threaded processes that handle only a
single binary at a time. Moreover, if a network connection is available,
checking a code signature involves checking with Apple's root
certificate servers (to verify that the used certificate has not been
revoked) [2]. The combination of these points is that the system spends
way more time checking for malware and verifying certificates than
executing test programs.

See https://developer.apple.com/forums/thread/673057 for some more details.


Jonas

[1] On macOS/ARM64, all binaries must have a code signature. If you
don't specify a signing certificate, the linker adds one anyway using a
dummy certificate that's local to the current machine, but even these
dummy signatures get verified.

[2]
https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/
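
One way to measure the first-execution cost described in this message, as an added example that is not part of the original post: it times back-to-back runs of a binary that has just been linked and never executed, and reports how much longer the first run took than the median of the later ones. The function names and the command-line usage are assumptions made for this example.

```python
import statistics
import subprocess
import sys
import time


def time_runs(argv, runs=5):
    """Run argv `runs` times back to back; return wall-clock seconds per run."""
    timings = []
    for _ in range(runs):
        start = time.perf_counter()
        subprocess.run(argv, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       check=False)
        timings.append(time.perf_counter() - start)
    return timings


def first_run_overhead(timings):
    """Seconds the first run took beyond the median of the later runs."""
    if len(timings) < 2:
        raise ValueError("need the first run plus at least one later run")
    return timings[0] - statistics.median(timings[1:])


if __name__ == "__main__":
    # Hypothetical usage: pass a test binary the linker has just produced
    # and that has not been executed yet, so run 1 is its first execution.
    if len(sys.argv) < 2:
        sys.exit("usage: first_exec.py /path/to/fresh-binary [args...]")
    timings = time_runs(sys.argv[1:])
    for i, seconds in enumerate(timings, 1):
        print(f"run {i}: {seconds * 1000:.1f} ms")
    print(f"first-run overhead: {first_run_overhead(timings) * 1000:.1f} ms")
```

Multiplying the reported overhead by the number of test binaries in a regression run gives a rough estimate of the time spent outside the tests themselves.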

