Post

Replies

Boosts

Views

Activity

Disable code signature verifications completely during regression testing
I work on an open source compiler. We have a testsuite of about 5000 command line programs that get compiled, of which about 4000 are also run to check their exit code. On ARM64, all binaries are automatically codesigned using an ad hoc signature by the linker (ld). On my DTK, as a result running our testsuite takes forever: 1) if there is a network connection, it's extremely slow because for every started binary, a connection is made to Apple's certificate servers to verify that the root hasn't been revoked. This seems to happen serialised, because even when compiling/running 8 tests in parallel, XprotectService is using 30% cpu, syspolicyd uses 20% cpu, and about 85% of the system is idle (all according to top). 2) if there is no network connection, it is slightly faster, but then XprotectService is using 100% cpu, syspolicyd 85-100%, trustd 36%, and tccd 23%. And there's still 10-20% idle, so it still seems to happen all serially (although doing it in parallel would not help much here, given that only 20% cpu time is left). "sudo spctl --master-disable" does not help with this. So my question is: is there a way to completely disable all of this code signature and malware checking, at the very least for binaries that have just been compiled and linked with an ad hoc signature on the very same system that is now checking them? Thanks.
2
0
5.8k
Feb ’21