syncthing: apply autoSignDarwinBinariesHook

Somewhere between macOS 13.0.1 and 13.2.1, launchd started rejecting
binaries that aren't signed in Launch Agents/Daemons. This is the case
even on x86 devices, which has a more lax code signing policy compared
to Apple Silicon. This change signs Syncthing binaries so that it can be
auto-started at login by launchd.

1 files changed, 19 insertions, 1 deletions

diff --git a/pkgs/applications/networking/syncthing/default.nix b/pkgs/applications/networking/syncthing/default.nix
index 952851b08dbac..0ddf1fc8f9ccc 100644
--- a/pkgs/applications/networking/syncthing/default.nix
+++ b/pkgs/applications/networking/syncthing/default.nix
@@ -1,4 +1,13 @@
-{ pkgsBuildBuild, go, buildGoModule, stdenv, lib, procps, fetchFromGitHub, nixosTests }:
+{ pkgsBuildBuild
+, go
+, buildGoModule
+, stdenv
+, lib
+, procps
+, fetchFromGitHub
+, nixosTests
+, autoSignDarwinBinariesHook
+}:
 
 let
   common = { stname, target, postInstall ? "" }:
@@ -15,6 +24,15 @@ let
 
       vendorHash = "sha256-5NgflkRXkbWiIkASmxIgWliE8sF89HtlMtlIF+5u6Ic=";
 
+      nativeBuildInputs = lib.optionals stdenv.isDarwin [
+        # Recent versions of macOS seem to require binaries to be signed when
+        # run from Launch Agents/Daemons, even on x86 devices where it has a
+        # more lax code signing policy compared to Apple Silicon. So just sign
+        # the binaries on both architectures to make it possible for launchd to
+        # auto-start Syncthing at login.
+        autoSignDarwinBinariesHook
+      ];
+
       doCheck = false;
 
       BUILD_USER = "nix";