Search code examples
mpicode-signingosx-elcapitanopenmpi

Codesigning a program that runs with MPI

I'm developing some code which I run on OSX with the mpirun command. Every time I compile my code, the execution afterwards opens a bunch of popup dialogs asking for accepting or refusing incoming connections. There are as many popups as MPI ranks I am using. For example, if I run

mpirun -np 4 myprogram

then I obtain 4 popups.

I know I am supposed to codesign something to prevent the firewall to open these popups, so I tried the following commands:

sudo codesign --force --deep --sign - /opt/local/libexec/openmpi-gcc48/orterun
sudo codesign --force --deep --sign - /opt/local/bin/mpi*

Note that my installation of OpenMPI is in /opt/local. Unfortunately, this did not work.

What should I codesign in order to prevent the firewall to show these popups ?

Solution

  • I believe that one reason to why the pop-ups still appear even after using codesign is that you are doing an ad-hoc signing. As stated in codesign:

    Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.

    Instead I believe you should create a certificate as in the link provided in a comment by @alfC. In this SO post: What are the ways or technologies to sign an executable application file in mac os x environment?

    Furthermore I also think that you need to sign the related processes when you are running mpirun meaning that you need to sign

    (1) sudo codesign --force --deep --sign "<your certificate>" /opt/local/libexec/openmpi-gcc48/orterun
    (2) sudo codesign --force --deep --sign "<your certificate>" /opt/local/libexec/openmpi-gcc48/orted
    (3) sudo codesign --force --deep --sign "<your certificate>" /opt/local/bin/mpirun
    (4) sudo codesign --force --deep --sign "<your certificate>" /path/to/your/executable

    If things are still not working you can further debug your issue by looking at the log or inspecting your executable (see below).

    Logging
    log show --predicate 'eventMessage contains "codesign"' --info
    (More information in an SO post: Can you use macOS "log stream" or "log show" to get messages from connected iOS devices?)

    Inspecting
    codesign -dv --verbose=4 /path/to/your/executable
    spctl --assess --verbose /path/to/your/executable

    If you want to read more in-depth how there is a difference between ad-hoc signing and using a certificate there is a post on stackexchange discussing the limit of ad-hoc signing: https://apple.stackexchange.com/questions/288291/what-are-the-restrictions-of-ad-hoc-code-signing which is referring to macOS Code signing in depth