codeql-action: CodeQL codesign error message

We're working on a CodeQL Static Application Security Testing (SAST) implementation for the Swift language using GitHub Actions. During this process, I encountered an issue with the CodeQL initialization step when integrating with a Fastlane-based build process.

When including the CodeQL initialization step (github/codeql-action/init@v2) in the GitHub Actions workflow before Fastlane-based build commands, the build job fails with a CodeSign error. The specific error message indicates that the CodeSign command has failed.

Interesting behavior: if I remove the CodeQL initialization step from the GitHub Actions workflow, the application build process works perfectly without any issues; the application builds fine.

Error message from console output:

▸ ** ARCHIVE FAILED **
▸ The following build commands failed:
▸ 	CodeSign /Users/runner/Library/Developer/Xcode/DerivedData/APP-amdyapuwajsvoeelnrjmqpntrblu/Build/Intermediates.noindex/ArchiveIntermediates/APP_straging/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/SaleforceNotificationService_staging.appex (in target 'SaleforceNotificationService_staging' from project 'APP')
▸ (1 failure)

From the debug logs we got the entries below:

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64: replacing existing signature
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.arm64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.arm64: replacing existing signature
[T 17:01:12 33906] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33908] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33909] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33913] Attempting to switch stdout/stderr to 7...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.145DE1E8.slice.x86_64: replacing existing signature
[T 17:01:12 33914] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33912] Initializing tracer.
[T 17:01:12 33912] Initialising tags...
[T 17:01:12 33912] ID set to 0000000000008478_0000000000000001 (parent 0000000000008433_0000000000000001)
[T 17:01:12 33912] ==== Candidate to intercept: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache (canonical: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache) ====
[T 17:01:12 33912] Executing the following tracer actions:
[T 17:01:12 33912] Tracer actions:
[T 17:01:12 33912] pre_invocations(0)
[T 17:01:12 33912] post_invocations(0)
[T 17:01:12 33912] trace_languages(1): [swift]
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature

Why does CodeQL replace the signature, and is that the cause of our failing scan?
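To answer that from the log itself, here is an added Python example (not code from CodeQL or from this issue) that parses the tracer debug lines shown above, maps each re-signed copy under copy-root back to the original toolchain binary and architecture, and flags whether the code-signing tool itself was among the patched copies. It assumes only the line shapes visible in the issue; the sample lines are constructed from those entries.

```python
import re
from collections import defaultdict

# Constructed sample: tracer/debug lines copied in shape from the issue above.
SAMPLE_LOG = """\
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.arm64: replacing existing signature
[T 17:01:12 33912] ==== Candidate to intercept: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache (canonical: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache) ====
[T 17:01:12 33912] trace_languages(1): [swift]
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.145DE1E8.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
"""

# A line whose whole content is "<path>: replacing existing signature".
RESIGNED_RE = re.compile(r"^(?P<copy>\S+): replacing existing signature$")
# Patched-copy layout seen in the log: .../copy-root/<hex>/<original path>.semmle.<hex>[.<hex>].slice.<arch>
COPY_RE = re.compile(
    r"/copy-root/[0-9A-Fa-f]+(?P<orig>/.+?)\.semmle\.(?:[0-9A-Fa-f]+\.)+slice\.(?P<arch>\w+)$")
INTERCEPT_RE = re.compile(r"==== Candidate to intercept: \S+ \(canonical: (?P<canon>\S+)\) ====")

def parse_tracer_log(text):
    """Map each original toolchain binary to the architectures for which CodeQL
    re-signed a patched copy, and collect the canonical paths the tracer said
    it would intercept. Returns (resigned, intercepted)."""
    resigned = defaultdict(set)
    intercepted = set()
    for line in text.splitlines():
        m = RESIGNED_RE.match(line)
        if m:
            c = COPY_RE.search(m.group("copy"))
            if c:  # only copies under copy-root are CodeQL's patched tools
                resigned[c.group("orig")].add(c.group("arch"))
            continue
        m = INTERCEPT_RE.search(line)
        if m:
            intercepted.add(m.group("canon"))
    return dict(resigned), intercepted

def codesign_patched(resigned):
    """True if the code-signing tool itself was among the re-signed copies:
    the first thing to confirm when CodeSign fails only with CodeQL present."""
    return "/usr/bin/codesign" in resigned

def summarize(text):
    """One human-readable line per re-signed tool, for a triage comment."""
    resigned, _ = parse_tracer_log(text)
    return [f"{p}: re-signed for {', '.join(sorted(a))}" for p, a in sorted(resigned.items())]
```

Run it over the full debug log from the job to see which toolchain binaries the tracer re-signed before the CodeSign step ran.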

About this issue

  • State: open
  • Created 6 months ago
  • Comments: 24 (8 by maintainers)

Most upvoted comments

Following up — yes, Alex had a PR for exactly that in https://github.com/github/semmle-code/pull/48593 but it had to be reverted because it was failing integration tests on SIP-disabled ARM runners. I believe Alex is now working on the (separate) fix behind that issue https://github.com/github/codeql-c-team/issues/2160 and then https://github.com/github/semmle-code/pull/48593 can go in again. So, this issue is blocked on https://github.com/github/codeql-c-team/issues/2160 (correct me if wrong!)

Let me know if I can assist by testing some release candidate, if at all possible, in our pipelines to see if it resolves it.

I am running into a similar issue when building with fastlane where my action gets stuck on the codesigning step only when CodeQL is initialized prior to building.

The failing command is the following: set -o pipefail && xcodebuild -workspace ./REDACTED.xcodeproj/project.xcworkspace -scheme REDACTED -configuration QA-Release -destination 'generic/platform=iOS' -archivePath ./build.xcarchive archive | tee /Users/runner/Library/Logs/gym/REDACTED\ QA.log | xcbeautify

In my case, the action gets stuck indefinitely with the last readable output being the following: [13:03:49]: ▸ Signing REDACTED.framework (in target 'REDACTED' from project 'REDACTED')

This step usually completes in seconds but will get stuck until the action times out or is cancelled. This does not happen for the exact same pipeline without CodeQL.

The initialization, build, and analysis steps look as follows:

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3.22.12
        with:
          languages: swift
          queries: security-and-quality
          tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.15.5/codeql-bundle-osx64.tar.gz

      - name: Build QA
        # REDACTED fastlane step

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3.22.12
        with:
          category: "/language:swift"

Runner: macos-13 Xcode-version: 15.0.1

Let me know if there is any additional information I should provide!