Add macOS Gatekeeper/notarization support

[rebron]

Description

See: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

"Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. Beginning in macOS 10.15, notarization is required by default for all software."

Users will be prompted to install and run Brave through several prompts without notarization.

Steps to Reproduce

1. Prompts are reproducible on macOS Catalina 10.15 by downloading any version of Brave, installing, and running.
2. Need to go into Systems Preferences -> Security and Privacy "Allow Apps downloaded from:" and allow twice; once for installing and a second time to run.

[LaurenWags]

+1 from https://twitter.com/Pierr0t/status/1147140386785284101

[mihaiplesa]

Added this 1mo ago https://github.com/brave/devops/issues/1187

[LaurenWags]

+1 from https://community.brave.com/t/brave-browser-cannot-be-opened-on-macos-catalina-because-its-not-signed/71017

[mbacchi]

Here are the tasks I've identified for this:

• Verify we meet the requirements in the documentation section 'Prepare Your Software for Notarization'

  • Enable code-signing for all of the executables you distribute.
  • Enable the Hardened Runtime capability for your app and command line targets, as described in Enable hardened runtime.
  • Use a “Developer ID” application, kernel extension, or installer certificate for your code-signing signature. (Don't use a Mac Distribution or local development certificate.) For more information, see Create, export, and delete signing certificates.
  • Include a secure timestamp with your code-signing signature. (The Xcode distribution workflow includes a secure timestamp by default. For custom workflows, include the --timestamp option when running the codesign tool.)
  • Don’t include the com.apple.security.get-task-allow entitlement with the value set to any variation of true. If your software hosts third-party plug-ins and needs this entitlement to debug the plug-in in the context of a host executable, see Avoid the Get-Task-Allow Entitlement.
  • Link against the macOS 10.9 or later SDK.

• Identify if we require 2 rounds of notarization

  • Determine if our .pkg packages qualify for the 2 rounds of notarization described here: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
    • "If you distribute your software via a custom third-party installer, you need two rounds of notarization."

• Notarize pre-existing software

  • Apple recommends that you notarize all of the software that you’ve distributed, including older releases, and even software that doesn’t meet all of these requirements or that is unsigned. Apple’s notary service uses a variety of methods, including telemetry, to determine which of the above rules to relax for preexisting software. For more information, see Notarize Your Preexisting Software.
  • Determine how many older versions to notarize, as we need the .app files in order to perform notarization. Therefore the versions we want to notarize will require that we rebuild them prior to notarization.

• Perform xcode notarization during official builds

  • write script or leverage another tool to perform signing in our build process
  • add flag to skip notarization in CI builds (like we do for signing)

[mihaiplesa]

Good plan right there. Don't think we'll go back to notarize old versions. Maybe we can try some stuff manually to get a taste. Glad we already migrated all nodes to Xcode 10.

[mihaiplesa]

Just a reminder that the current Catalina version is Beta 6 and GA should be in Q3, most probably September.

[mbacchi]

I just noticed there is a chromium python script to notarize: https://chromium.googlesource.com/chromium/src.git/+/master/chrome/installer/mac/notarize_thing.py

And also:
https://chromium.googlesource.com/chromium/src.git/+/master/chrome/installer/mac/signing/notarize.py

[LaurenWags]

+1 from https://community.brave.com/t/unable-to-install-brave-browser-with-ios-10-15-beta/72028

[mbacchi]

Making some progress, I've gotten the notarization step automated now(opened PR 3064 and PR 5485), but that uncovered a few binaries that are not signed:

brave/Sparkle#7

Those sparkle binaries are likely only the tip of the iceberg. When I notarized manually, I had to go through 3 iterations of codesigning binaries manually. Additional binaries were not listed as unsigned until I signed the binaries that were listed, then tried notarizing again. From my notes (some but not all of the) additional binaries are:

• "Brave Browser Dev.app/Contents/Frameworks/Brave Browser Dev Framework.framework/Versions/75.0.68.104/Brave Browser Dev Framework"
• "Brave Browser Dev.app/Contents/MacOS/Brave Browser Dev"

[mbacchi]

FYI I wanted to document that we're waiting on the Sparkle release here for the capability to sign with the hardened runtime option for sparkle artifacts.

[mbacchi]

I opened #6572 to cover the Sparkle upgrade and signing some Sparkle binaries in order to split it out as a separate issue, as discussed with @bsclifton.

[kjozwiak]

Verification PASSED on macOS 10.15.1 x64 using the following build:

Brave	0.71.111 Chromium: 78.0.3904.87 (Official Build) (64-bit)
Revision	20c21f4010010f32462ea8e1d6af30cef66d48c8-refs/branch-heads/3904@{#840}
OS	macOS Version 10.15.1 (Build 19B88)

• installed 0.71.111 CR: 78.0.3904.87 via the dmg & pkg and ran spctl --assess --verbose /Applications/Brave\ Browser.app/:

Kamils-MBP:~ kjozwiak$ spctl --assess --verbose /Applications/Brave\ Browser.app/
/Applications/Brave Browser.app/: accepted
source=Notarized Developer ID

• ensured that you can install 0.71.111 CR: 78.0.3904.87 using both dmg and pkg
• ensured that you can close/restart 0.71.111 CR: 78.0.3904.87 without any issues once installed
• ensured that the following error isn't being displayed when launching 0.71.111 CR: 78.0.3904.87 using both the dmg & pkg:

• ensured that launching 0.71.111 CR: 78.0.3904.87 via the dmg only displayed the following warning:

I also went through referrals using the following codes and ensured the following:

• Brave-Browser-KAM582.pkg

  • ensured that ~/Library/Application\ Support/BraveSoftware/Brave-Browser/promoCode was created and included KAM582
  • ensured that promoCode was removed once 0.71.111 CR: 78.0.3904.87 is launched
  • ensured that brave://local-state lists "promo_code": "KAM582"

• Brave-Browser-RED194.pkg

  • ensured that ~/Library/Application\ Support/BraveSoftware/Brave-Browser/promoCode was created and included RED194
  • ensured that promoCode was removed once 0.71.111 CR: 78.0.3904.87 is launched
  • ensured that brave://local-state lists "promo_code": "RED194"

• Brave-Browser.pkg

  • ensured that promoCode wasn't created under ~/Library/Application\ Support/BraveSoftware/Brave-Browser/
  • ensured that brave://local-state lists "promo_code": "BRV001"