Sign GrandOrgue for MacOS #1835
Originally posted by @willeke1234 in #1831 (comment)
All libraries are modified. The creation and modification dates are changed, and when I verify the code signature I get:
https://github.com/GrandOrgue/grandorgue/blob/master/cmake/BuildExecutable.cmake You have to add
Of course, only for the Apple build.
Yes, it is. This script installs all the necessary build environment, tools and libraries on your Mac. If we need some additional tools for code signing, installing them should be added to build-scripts/for-osx/prepare-osx.sh.
Usually installing anything does not affect other projects. So it must not do this.
It allows GrandOrgue built on macOS 12.3 to run on 12.1. |
@oleg, @rousseldenis We don't need a signing certificate from Apple ($99/year) and I don't have one. Ad-hoc signing (free and without a certificate) will do. All it takes is running a command. |
If you are talking about online signing, we need some way for Apple to identify us. Otherwise any malware could be signed ad-hoc as well. |
Ad-hoc signing does not use an identity or signing certificate at all. GrandOrgue on Intel is currently unsigned, but on ARM, macOS refuses to run unsigned apps. GrandOrgue will be signed at minimum to keep macOS happy. Or rather, I know it runs on my Mac; I'm not really sure it'll run on other Macs. Step 1: tweak the build scripts so GrandOrgue builds and runs on my Mac (I'm working on it). Let's worry about a signing certificate when we're sure we need it. |
GrandOrgue builds and runs on my Mac but…
How do I fix all this? I don't want to change things haphazardly. I get a lot of build warnings, including warnings about errors. Do you have any tips for finding the errors and warnings I have to fix? |
The discussion moved back to #1831. This issue can be closed. |
@oleg ok, I'll ask my questions where I think they belong. |
I've been digging through CPack's documentation and source code. I think the CPack DragNDrop Generator builds the app but can't sign it and the CPack Bundle Generator can sign but doesn't build the app. Questions:
|
https://github.com/GrandOrgue/grandorgue/blob/master/cmake/FixupBundle.cmake
https://cmake.org/cmake/help/v3.5/command/install.html#custom-installation-logic
What two apps are you interested in? |
GrandOrgueBuild/build/osx/GrandOrgue.app Do I have to sign them separately in a build step and an install step? How do I make sure this is the last step? |
I see that building for macOS differs significantly from building for other OSes. I thought that it should be at the install step, but So I suggest you find where FixupBundle is called and add a step after it. |
At the end of grandorgue/src/grandorgue/CMakeLists.txt I added:
The app appears to be signed and macOS doesn't complain but when I verify the app, I get:
If I do
To sign the app on the .dmg I added in grandorgue/CMakeLists.txt after
The app is signed, but some or all libs aren't signed, maybe a race condition or caching problem. In the log I get
Any idea how to fix this? |
Have you tried to use the |
from
Official documentation: Avoid deep code signing. If it could be used, then the problem is still the same, |
I tried the build by @MStraeten and I get Maybe it's because I already have an ad-hoc signed GrandOrgue. |
I think because ad-hoc signed applications cannot run on other computers. |
Signing the app on the .dmg now works and the GitHub build works on my Mac. It behaves like an unsigned app: And Open from the context menu: If anyone wants to try (at your own risk): |
It's because it's within a zip file and was downloaded from somewhere on the internet. |
As far as I know, the .dmg is not signed. The intel version works on this virtual Mac with Rosetta. |
I was able to create a universal code-signed app using my Apple cert.
Join the architectures together with
Codesign recursively without
Built a dmg with create-dmg/create-dmg:
Signed it also:
Universal app runs on Intel (macOS 12.7+) and Apple Silicon (macOS 13.3+)
|
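The inside-out signing order mentioned above ("codesign recursively" rather than `--deep`, as Apple's "Avoid deep code signing" guidance advises), as an added example that is not code from the GrandOrgue project or from any commenter: nested libraries are signed first, the main executable next, and the .app bundle last, ad-hoc with identity `-`, and the whole bundle is then verified. The bundle layout and the name Demo.app are constructed assumptions; the script only calls codesign where it is available, so on other systems it just reports the planned order.

```shell
#!/bin/sh
# Added example, not GrandOrgue project code. Signs nested code inside-out,
# the order Apple recommends instead of `codesign --deep`: every library and
# the main executable are signed before the .app that contains them.
# Assumed layout: Contents/Frameworks (dylibs/frameworks), Contents/MacOS (exe).

# List signing targets, deepest nested code first, the bundle itself last.
nested_code_targets() {
  app="$1"
  # Libraries: rank by directory depth so inner framework payloads come first.
  find "$app/Contents/Frameworks" -type f \( -name '*.dylib' -o -name '*.so' \) 2>/dev/null |
    awk '{ print gsub("/", "/"), $0 }' | sort -rn | cut -d' ' -f2-
  # Then the main executable(s).
  find "$app/Contents/MacOS" -type f 2>/dev/null
  # Finally the bundle, whose seal covers everything signed above.
  printf '%s\n' "$app"
}

# Ad-hoc sign each target in that order (identity "-"), then verify the whole
# bundle. Off macOS, codesign is absent, so print the plan and return 2.
adhoc_sign_bundle() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available; would sign, in order:" >&2
    nested_code_targets "$app" >&2
    return 2
  fi
  nested_code_targets "$app" | while IFS= read -r target; do
    codesign --force --sign - "$target" || exit 1
  done || return 1
  # --deep here only checks nested signatures; --strict rejects stale seals.
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Constructed fake bundle (empty files) so the ordering can be exercised anywhere.
make_fake_bundle() {
  root="$1"
  mkdir -p "$root/Demo.app/Contents/MacOS" \
           "$root/Demo.app/Contents/Frameworks/Nested.framework/Versions/A"
  : > "$root/Demo.app/Contents/MacOS/Demo"
  : > "$root/Demo.app/Contents/Frameworks/libfoo.dylib"
  : > "$root/Demo.app/Contents/Frameworks/Nested.framework/Versions/A/libbar.dylib"
  printf '%s\n' "$root/Demo.app"
}
```

On a real bundle, a failure from the final `codesign --verify --deep --strict` is the "some or all libs aren't signed" symptom described earlier in the thread: the outer seal was written before an inner item was signed.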
How do we proceed:
|
Also you may wish for the app to support hardening for notarization. As it is now the libraries load relative to @executable_path. |
Signing is mandatory for Apple/M1. #1831 (comment)
For signing we need
@rousseldenis Could you help us with (1.)? Which rules are there for open source projects supported by a community? Should the certificate be a personal one or one issued for an organisation? Anyway, could you communicate with Apple and obtain a certificate suitable for GrandOrgue?
@willeke1234 Because you have built GrandOrgue locally and it works, I suppose you already have a personal developer certificate from Apple. I doubt you may share it for a foreign project hosted on GitHub, but you obviously may test the build process locally with your certificate and participate in (2.). Do you agree?
For (3.) there is some additional information https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
A similar issue exists on Windows, #836, but there is a workaround: to force the OS to allow running GrandOrgue even though it is not signed.