[Auditor] Use ldid_jll to avoid calling the executable inside the sandbox

Author: giordano

Project.toml

@@ -31,6 +31,7 @@ Sockets = "6462fe0b-24de-5631-8697-dd941f90decc"
 TOML = "fa267f1f-6049-4f14-aa54-33bafae1ed76"
 UUIDs = "cf7118a7-6976-5b1a-9a39-7adc72f591a4"
 ghr_jll = "07c12ed4-43bc-5495-8a2a-d5838ef8d533"
+ldid_jll = "df1af0dd-2f85-5d2f-b099-55d224f7db60"
 
 [compat]
 ArgParse = "1.1"
@@ -52,6 +53,7 @@ SHA = "0.7, 1"
 Scratch = "1.0"
 TOML = "1"
 ghr_jll = "0.13, 0.14, 0.17"
+ldid_jll = "2.1"
 julia = "1.7"
 
 [extras]

src/auditor/codesigning.jl

@@ -1,12 +1,12 @@
+using ldid_jll: ldid
+
 function check_codesigned(path::AbstractString, platform::AbstractPlatform)
     # We only perform ad-hoc codesigning on Apple platforms
     if !Sys.isapple(platform)
         return true
     end
 
-    ur = preferred_runner()(dirname(path); cwd="/workspace/", platform=platform)
-    # TODO: can we run directly `ldid` with the JLL without entering the sandbox?
-    return run(ur, `/usr/local/bin/ldid -d $(basename(path))`)
+    return run(`$(ldid()) -d $(basename(path))`)
 end
 
 function ensure_codesigned(path::AbstractString, prefix::Prefix, platform::AbstractPlatform;
@@ -16,10 +16,7 @@ function ensure_codesigned(path::AbstractString, prefix::Prefix, platform::Abstr
         return true
     end
 
-    rel_path = relpath(path, prefix.path)
-    ur = preferred_runner()(prefix.path; cwd="/workspace/", platform=platform)
-    with_logfile(prefix, "ldid_$(basename(rel_path)).log"; subdir) do io
-        # TODO: can we run directly `ldid` with the JLL without entering the sandbox?
-        @lock AUDITOR_SANDBOX_LOCK run(ur, `/usr/local/bin/ldid -S -d $(rel_path)`, io; verbose=verbose)
+    with_logfile(prefix, "ldid_$(basename(path)).log"; subdir) do io
+        run(pipeline(`$(ldid()) -S -d $(path)`; stdout=io, stderr=io))
     end
 end