How to change epoch for a derivation?

Hi,

I am currently trying to build a derivation that uses a darwin application (the ones with the .app extension).

The derivation is pretty straightforward:

pkgs.stdenv.mkDerivation {
  name = "cypress";
  unpackPhase = "unzip $src -d $out > /dev/null";
  buildInputs = [pkgs.unzip];
  src = pkgs.fetchurl {
    url = "https://cdn.cypress.io/desktop/13.10.0/darwin-arm64/cypress.zip";
    sha256 = "sha256-mEaNNblRwcmEeQR8VV+0zbRCPtzxxUEyT5ktSg/x6UU=";
  };
}

After building I end up with the following binary:

$ ls -la /nix/store/cr2qvy5zinjlc7h1rfz8m50dav34492v-cypress/Cypress.app/Contents/MacOS/Cypress
-r-xr-xr-x  1 root  wheel  69536 Dec 31  1969 /nix/store/cr2qvy5zinjlc7h1rfz8m50dav34492v-cypress/Cypress.app/Contents/MacOS/Cypress

When I try to execute it on my machine, I am getting the following error:

image

I suspect this error is caused by the fact that all files within the nix store have an epoch=1, which triggers the OS antivirus.

So here’s the question: Is there a way to make files in the nix store have a different epoch so the darwin antivirus does not trigger when it tries to execute them?

Any extra information on how to build darwin .app packages would be greatly appreciated.

Thanks!

1 Like

This is by design:

  • Metadata on files in the Nix store is canonicalised after builds: the last-modified timestamp is set to 0 (00:00:00 1/1/1970), the mode is set to 0444 or 0555 (readable and possibly executable by all; setuid/setgid bits are dropped), and the group is set to the default. This ensures that the result of a build and an installation through a substitute is the same; and that timestamp dependencies are revealed.
2 Likes
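
The canonicalisation rule quoted in the reply above, as an added example that is not part of the thread and is not Nix's own code: a Python sketch that audits a tree for the quoted properties (timestamp, mode 0444 or 0555, no setuid/setgid bits) and applies them to a constructed sample tree. The function names and the `Demo.app` tree are assumptions made for illustration; group ownership is not checked.

```python
import os
import stat
import tempfile

# From the thread: the quoted manual text says mtime 0, the question reports 1;
# this sketch accepts either (assumption). Modes are the two the quote names.
CANON_MTIMES = (0, 1)
CANON_MODES = (0o444, 0o555)

def problems(mode, mtime):
    """Return how one entry's permission bits and mtime deviate."""
    found = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        found.append("setuid/setgid")
    elif mode not in CANON_MODES:
        found.append("mode")
    if mtime not in CANON_MTIMES:
        found.append("mtime")
    return found

def entries(root):
    """Yield (path, lstat) for directories and regular files, children first."""
    for dirpath, _dirs, files in os.walk(root, topdown=False):
        for path in [os.path.join(dirpath, f) for f in files] + [dirpath]:
            if not os.path.islink(path):
                yield path, os.lstat(path)

def audit(root):
    """List (relative path, problem) for every non-canonical entry."""
    return [(os.path.relpath(path, root), why) for path, st in entries(root)
            for why in problems(stat.S_IMODE(st.st_mode), int(st.st_mtime))]

def canonicalise(root, mtime=0):
    """Apply the quoted rule: 0555 if executable or a directory, else 0444."""
    for path, st in entries(root):
        runnable = stat.S_ISDIR(st.st_mode) or st.st_mode & stat.S_IXUSR
        os.chmod(path, 0o555 if runnable else 0o444)
        os.utime(path, (mtime, mtime))

def demo_constructed_tree():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Demo.app", "MacOS"))
        for rel, mode in (("Demo.app/MacOS/run", 0o4755), ("Demo.app/Info", 0o644)):
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        before = audit(root)
        canonicalise(root)
        return before, audit(root)
```

`audit()` can be pointed at any directory; an empty list means every file and directory under it already matches the quoted rule.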

@waffle8946 Thank you!

I will investigate ways of disabling the darwin antivirus for the /nix/store path.