
Codesign fixes and notarization support #307

Merged
merged 2 commits into from
Mar 14, 2023

Conversation

maths22
Contributor

@maths22 maths22 commented Mar 14, 2023

Fixes both having no entitlements file and signing the wrong path
in codesign.

Add support for notarization.

Also rework codesigning to follow the same pattern as jpackage,
which matches the official guidelines of only explicitly signing
executable code (dylibs and executables), properly wrapping the jdk
in a macOS bundle, and only attaching entitlements/hardened runtime
to executables. This combination of changes ensures that signing
works even without preserving filesystem extended attributes, as
tends to happen when zipping application bundles, because Mach-O
files have signatures embedded in the file contents whereas all
other file types have their signatures stored in FS extended
attributes. (Non-code files do get signed, but only through the
manifest on the bundle itself so the file doesn't need
modification.)

This has been tested on a clean macOS 13.2.1 VM that has gatekeeper
using its default settings. The VM was disconnected from the
internet after downloading to validate the notarization and
stapling. The user is prompted to confirm opening an application
that came from the internet, as one is with any properly signed
and notarized application that was downloaded from the internet.

fixes #306
fixes #286
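The signing order the PR description outlines (explicit `codesign` calls only on Mach-O dylibs and executables, hardened runtime and entitlements only on executables, nested bundles such as `Contents/PlugIns/jre.jre` before the outer `.app`, then notarization and stapling), written out as an added POSIX shell example. This is not code from this PR or from its project. It picks out Mach-O files by their header bytes instead of by extension, which is what makes the "signature lives inside the file, so it survives zipping" property hold, and the same check keeps Java `.class` files (which share the `0xCAFEBABE` magic with universal binaries) off the sign list. The signing identity, entitlements path, keychain profile name, the `0x20` fat-header threshold and the `CODESIGN` override used for dry runs are assumptions; the `codesign`, `notarytool`, `stapler`, `spctl` and `ditto` invocations are the standard Apple tools.

```shell
#!/bin/sh
# Added example, not code from this PR or its project. Signs a macOS .app the
# way the PR description outlines: explicit codesign calls only on Mach-O code
# (found by header bytes, so the signature is embedded in the file and survives
# zipping), hardened runtime + entitlements only on executables, nested bundles
# before the outer app, then notarization and stapling.
# IDENTITY, ENTITLEMENTS, NOTARY_PROFILE and the CODESIGN override are assumed
# placeholders; set CODESIGN="echo codesign" for a dry run on any host.
CODESIGN="${CODESIGN:-codesign}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"
ENTITLEMENTS="${ENTITLEMENTS:-entitlements.plist}"
NOTARY_PROFILE="${NOTARY_PROFILE:-notary-profile}"

# Print "exec", "dylib", "fat" or "other" for a Mach-O file, nothing otherwise.
# The filetype field sits at bytes 12..15 of both the 32- and 64-bit header.
macho_kind() {
  hex=$(od -An -N16 -tx1 "$1" 2>/dev/null | tr -d ' \n')
  case "$(printf '%.8s' "$hex")" in
    cefaedfe|cffaedfe) ft=$(printf '%s' "$hex" | cut -c25-26) ;;  # little-endian
    feedface|feedfacf) ft=$(printf '%s' "$hex" | cut -c31-32) ;;  # big-endian
    cafebabe|cafebabf)
      # Java .class files share this magic. A fat header's nfat_arch is a small
      # count, a class file's major version is >= 45 (0x2d); the 0x20 cut-off
      # is an assumption (the same idea file(1) uses).
      case "$(printf '%s' "$hex" | cut -c9-16)" in 000000[01]?) echo fat ;; esac
      return 0 ;;
    *) return 0 ;;
  esac
  case "$ft" in
    02)    echo exec ;;    # MH_EXECUTE: gets hardened runtime + entitlements
    06|08) echo dylib ;;   # MH_DYLIB / MH_BUNDLE: plain signature only
    *)     echo other ;;   # object files, core dumps, ...: leave alone
  esac
}

# Print "kind path" for every file that needs its own signature, dylibs first
# so an executable's dependencies are sealed before the executable itself.
code_files() {
  find "$1" -type f | while read -r f; do
    k=$(macho_kind "$f")
    case "$k" in
      fat) case "$f" in *.dylib|*.so|*.jnilib) k=dylib ;; *) k=exec ;; esac ;;
      ""|other) continue ;;
    esac
    printf '%s %s\n' "$k" "$f"
  done | sort -k1,1 -s
}

# Executables get the hardened runtime and entitlements; everything else
# (dylibs, nested bundles) gets a plain signature with a secure timestamp.
sign_file() {
  if [ "$1" = exec ]; then
    $CODESIGN --force --timestamp --options runtime \
      --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$2"
  else
    $CODESIGN --force --timestamp --sign "$IDENTITY" "$2"
  fi
}

# Inside-out: loose Mach-O files, then nested bundles deepest first (reverse
# lexicographic order puts a child path before its parent), then the app.
# Each bundle signature seals the non-code resources into that bundle's
# CodeResources manifest, so resources are covered without being modified
# and without resorting to --deep.
sign_bundle() {
  code_files "$1" | while read -r kind path; do sign_file "$kind" "$path"; done
  find "$1/Contents" -type d \( -name '*.jre' -o -name '*.framework' -o -name '*.app' \) \
    | sort -r | while read -r b; do sign_file bundle "$b"; done
  sign_file exec "$1"   # signs the main executable through the bundle
}

# ditto keeps the bundle layout in the zip; notarytool waits for the verdict;
# stapling attaches the ticket so Gatekeeper can verify with no network.
notarize() {
  zip="${1%.app}.zip"
  ditto -c -k --keepParent "$1" "$zip"
  xcrun notarytool submit "$zip" --keychain-profile "$NOTARY_PROFILE" --wait
  xcrun stapler staple "$1"
  $CODESIGN --verify --deep --strict --verbose=2 "$1"
  spctl --assess --type execute --verbose "$1"
}

if [ $# -ge 1 ]; then
  sign_bundle "$1" && notarize "$1"
fi
```

Run it on macOS as `sh sign.sh path/to/App.app` with the identity and entitlements exported; with `CODESIGN="echo codesign"` it only prints the commands it would run, which is a quick way to confirm that no `.class`, `.jar` or resource file ends up with its own `codesign` call and that every `--options runtime` line targets an executable or a bundle.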

Fixes both having no entitlements file and signing the wrong path in `codesign`

fixes fvarrui#306
Also rework codesigning to follow the same pattern as jpackage,
which matches the official guidelines of only explicitly signing
executable code (dylibs and executables), properly wrapping the jdk
in a macOS bundle, and only attaching entitlements/hardened runtime
to executables. This combination of changes ensures that signing
works even without preserving filesystem extended attributes, as
tends to happen when zipping application bundles, because Mach-O
files have signatures embedded in the file contents whereas all
other file types have their signatures stored in FS extended
attributes. (Non-code files do get signed, but only through the
manifest on the bundle itself so the file doesn't need
modification.)

This has been tested on a clean macOS 13.2.1 VM that has gatekeeper
using its default settings. The VM was disconnected from the
internet after downloading to validate the notarization and
stapling. The user is prompted to confirm opening an application
that came from the internet, as one is with any properly signed
and notarized application that was downloaded from the internet.

fixes fvarrui#286
@fvarrui fvarrui changed the base branch from devel to pr-307 March 14, 2023 12:20
@fvarrui fvarrui merged commit f904878 into fvarrui:pr-307 Mar 14, 2023
@fvarrui
Owner

fvarrui commented Mar 14, 2023

Hi @maths22!
Great work, thanks!!
I've just merged into pr-307 branch. I'm not able to test it ... please, feedback!!!

@treimers
Contributor

Dear guys,
I would like to test the fix, but I am unable to find branch pr-307.
What must I do in order to checkout this branch?
Thanks in advance
Thorsten

@fvarrui
Owner

fvarrui commented Apr 12, 2023

Hi @treimers!!!
Branch pr-307 was probably merged into devel.
Nice to talk with you again 😃

@treimers
Contributor

Hi @fvarrui,
quick response, thanks 😃
Yes, nice to get in touch again!
I shall try devel and come back to you.

@treimers
Contributor

treimers commented Apr 12, 2023

Ok, it helped with our problem under Mac OS Catalina with error:

/Applications/datasqill.app/Contents/PlugIns/jre/Contents/Home/bin/../lib/libjli.dylib: code signature in (/Applications/datasqill.app/Contents/PlugIns/jre/Contents/Home/bin/../lib/libjli.dylib) not valid for use in process using Library Validation: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)

Thank you very much guys!

I am getting several error messages during build

[WARNING]     Entitlements file not specified. Using defaults!
[INFO]     Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner
[ERROR]     /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jarsigner: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jaotc
[ERROR]     /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jaotc: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr
[ERROR]     /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/jfr: replacing existing signature
[INFO]     Executing command: /bin/sh -c cd '/Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/.' && 'codesign' -f -o runtime --entitlements /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/assets/entitlements.plist --timestamp -s - /Users/treimers/Documents/datasqill/git/datasqill/exasol-ml/datasqill-gui/target/deploy/osx/datasqill/datasqill.app/Contents/PlugIns/jre.jre/Contents/Home/bin/rmid
...

Maybe ERROR in the output means that the message is written to "stderr"? Do you get these messages also?

But the good news is that it is finally working. Thanks!

@maths22
Contributor Author

maths22 commented Apr 12, 2023

Best I can tell, codesign always logs those "errors" that aren't really errors, so you should be good to ignore that.

@treimers
Contributor

treimers commented Apr 12, 2023

Ah ok, thanks.

I did understand now that [ERROR] is the log level. So these warnings are written with level "error".
