Handle missing macOS bundle executable in executable_hashes table

[dantecatalfamo]

Related issue: Resolves #45327

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

fleetd/orbit/Fleet Desktop

• Verified compatibility with the latest released version of Fleet (see Must rule)
• If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
• Verified that fleetd runs on macOS, Linux and Windows
• Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

[Copilot]

Pull request overview

This PR prevents Orbit’s macOS executable_hashes osquery table from failing (and aborting the host detail query) when a bundle’s Info.plist declares a CFBundleExecutable that doesn’t actually exist on disk (e.g. some Apple system bundles like XProtect.bundle).

Changes:

• Treat os.Open failures during SHA256 computation as non-fatal by returning an empty hash (and logging) instead of returning an error.
• Add unit tests covering missing bundle executables for exact-path and wildcard queries.
• Add a changelog entry describing the macOS detail query fix.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File	Description
orbit/pkg/table/executable_hashes/executable_hashes.go	Changes SHA256 computation to avoid failing the table when the bundle executable can’t be opened.
orbit/pkg/table/executable_hashes/executable_hashes_test.go	Adds regression tests for missing executables (exact path + wildcard batch).
changes/45327-detail-query-error	Adds a release-note entry for the detail query fix.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lucasmrod]

Thanks! I was about to file an issue for this. We have these XProtect error logs all over the place in dogfood.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.20%. Comparing base (9279a99) to head (72825a9).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #47532      +/-   ##
==========================================
+ Coverage   67.18%   67.20%   +0.01%     
==========================================
  Files        3548     3186     -362     
  Lines      228890   228104     -786     
  Branches    11909    11852      -57     
==========================================
- Hits       153782   153286     -496     
+ Misses      61263    60974     -289     
+ Partials    13845    13844       -1     

Flag	Coverage Δ
backend	68.82% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.