macOS 10.15 Catalina - internal.so prompt at every launch #2117

Closed
WardsParadox opened this issue Jun 19, 2019 · 16 comments

@WardsParadox

During the first launch on macOS Catalina (10.15), all internal.so files used (due to not being signed) now prompt Gatekeeper.

```
codesign --verify --verbose -dr- /Applications/Hammerspoon.app/Contents/Resources/extensions/hs/drawing/internal.so
/Applications/Hammerspoon.app/Contents/Resources/extensions/hs/drawing/internal.so: code object is not signed at all
```

@latenitefilms
Contributor

I'm not sure if @cmsj has tested out Hammerspoon on Catalina yet?

I've been personally holding off installing Catalina on any test machines until it's a bit more stable.

We probably need to investigate Notarization (#2084) too.

@asmagill
Member

Signing the *.so files bundled with Hammerspoon shouldn't be too hard... an appropriately constructed loop added to the librelease.sh, release.sh, and/or rebuild.sh scripts will probably be sufficient.

I'm more concerned about external modules and development builds... hopefully there is a build flag we can set that allows unsigned shared libraries to be used, but it will probably take a little digging into the latest Xcode docs to verify...

I'm going to be out of town for the next couple of weeks, so little to no time to investigate this (or much else) myself, but maybe in mid July, if we still don't have an answer/solution, I'll bite the bullet and see about installing Catalina myself and see what I can find.

@WardsParadox
Author

Running Catalina here, so if you need me to test releases or such, let me know :) (hopefully with a good config to test all the things! 😂 my hs config is only app launch shortcuts and window management)

@cmsj
Member

cmsj commented Jun 28, 2019

I think the right answer here will be to try and use the Hardened Runtime, with an exclusion for loading unsigned code, and then notarizing the app with Apple. I've started working on this, but I'm not done yet.

@cmsj
Member

cmsj commented Aug 15, 2019

I'm going to close this issue now, because I believe we are in pretty good shape for Catalina - we're using the Hardened Runtime with appropriate Entitlements, everything is signed, and the app is Notarized.
I'm going to try and hold out from doing a release until Xcode 11 comes out of beta, which ought to be in about a month. Once that happens, I'll do a release so we're ready ahead of Catalina's release.

Thanks!

cmsj closed this as completed Aug 15, 2019

@WardsParadox
Author

Is there a possible beta release users of Catalina can try to verify ahead and then have some minor checks when Xcode 11 comes out of beta along with Catalina?

@latenitefilms
Contributor

You can try building Hammerspoon yourself?

@WardsParadox
Author

But there won't be any signing on it to test the notarization if I compile it.

@latenitefilms
Contributor

If you have your own Developer account you could sign yourself.

Otherwise, @cmsj might be able to do a beta build?

@asmagill
Member

I generally use a self-signed developer certificate for my interim developer builds... I think the current version of my build script can be found at https://github.com/asmagill/hammerspoon-config/blob/master/hammer-build (and you can search the closed issues here as I know a couple of others have done similar as well). There are links given in the comments of my script which tell you how to generate the self-signed certificate.

I've not tried building under Catalina, or with Xcode 11 yet (don't have either of the betas installed as I currently rely on a couple of other programs that are still 32-bit only and I haven't reached the point where I'm ready to give them up quite yet) so I don't know if this or a similar process will still work, but if you do give it a shot, let us know how it goes!

@cmsj
Member

cmsj commented Aug 15, 2019

@WardsParadox try this:
Hammerspoon.app.zip

🙂

@WardsParadox
Author

Shows up signed, but no ticket stapled to make it properly notarized. Other than that, no more prompts about .so files not being signed and all internal.so show valid sigs! Seems to have resolved it :)
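
The two checks reported in the comment above (every bundled `.so` has a valid signature, and a notarization ticket is stapled) can be scripted. This is an added example, not part of the thread or of Hammerspoon's release scripts; the function names are hypothetical, and it assumes `codesign` and `xcrun stapler` are available, as on a Mac with the Xcode command-line tools.

```shell
#!/bin/sh
# Added example: audit a macOS .app bundle for shared objects that fail
# signature verification and for a missing stapled notarization ticket.
# Function names are hypothetical; the bundle path is supplied by the caller.

# Print the path of every *.so inside the bundle that fails
# `codesign --verify` (unsigned, or signed but invalid). Prints nothing
# when every shared object verifies.
list_unverified_so() {
    find "$1" -type f -name '*.so' | while IFS= read -r so; do
        codesign --verify --verbose "$so" >/dev/null 2>&1 || printf '%s\n' "$so"
    done
}

# Full audit: returns 0 only if every .so verifies AND a ticket is stapled.
audit_bundle() {
    rc=0
    unsigned=$(list_unverified_so "$1")
    if [ -n "$unsigned" ]; then
        printf '%s\n' "$unsigned" | sed 's/^/unsigned or invalid: /'
        rc=1
    fi
    # A bundle can be signed yet carry no ticket, as reported in the thread;
    # `stapler validate` fails in that case.
    if ! xcrun stapler validate "$1" >/dev/null 2>&1; then
        printf 'no stapled notarization ticket: %s\n' "$1"
        rc=1
    fi
    return "$rc"
}

# When run directly with a bundle path, audit it and exit with the result.
[ "$#" -eq 0 ] || audit_bundle "$1"
```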

@cmsj
Member

cmsj commented Aug 15, 2019

Ugh, good point, a regular Xcode release build doesn't have the ticket stapled. I'll see what I can work up tomorrow - that stuff is all hidden away in our release script.

@cmsj
Member

cmsj commented Aug 16, 2019

Hammerspoon.app.zip

@WardsParadox ok this one should be fully signed, entitled, and notarized :)

@WardsParadox
Author

Nice! Worked perfectly, no prompts (other than standard gatekeeper this came from the internet), no errors in log at launch from lack of signing, no notarization error prompt. Build seems ready for Catalina on my end.

@cmsj
Member

cmsj commented Aug 16, 2019

Thanks!
