[CLOSED] [brackets-shell] Bast MAC V2 signing needs to be moved from OS X 10.9.3 to OS X 10.9.5 #9146

Open
core-ai-bot opened this issue Aug 30, 2021 · 10 comments

Comments

@core-ai-bot
Member

Issue by nethip
Wednesday Jan 07, 2015 at 12:30 GMT
Originally opened as adobe/brackets#10326


Bast MAC V2 signing needs to be moved from OS X 10.9.3 to OS X 10.9.5. Here are the reasons why we should be moving signing to 10.9.5:

  • In terms of application structure, OS X 10.9.5 enforces more stringent controls. Apple has recommended a particular application structure since the inception of Mac V2 signing; however, Gatekeeper (which verifies the app signature on launch) on OS X 10.9.3 was not checking it in a very stringent manner. What this means is that if a user complies partially with the Apple-recommended application structure, OS X 10.9.3 does not complain at signing or launch time, but OS X 10.9.5 does.
  • We want to safeguard our users from running into a situation where a file signed on OS X 10.9.3 does not launch on OS X 10.9.5.
  • Additionally, OS X 10.9.5 is immune to the “shellshock” vulnerability.

This must be done ASAP.

@core-ai-bot
Member Author

Comment by ingorichter
Thursday Jan 08, 2015 at 00:53 GMT


What does this mean? Do we have to update OSX on webauthoringbuild?

@core-ai-bot
Member Author

Comment by peterflynn
Thursday Jan 08, 2015 at 01:09 GMT


Afaik this work is already done -- see #8838 and https://trello.com/c/gNZWYFoR/462-update-to-mac-v2-code-signing. @nethip is there any more work you're aware of here?

@core-ai-bot
Member Author

Comment by nethip
Thursday Jan 08, 2015 at 10:00 GMT


The BAST team has reached out to us saying Brackets Helper.app is not complying with V2 signing. They are suggesting some structural changes inside the app. I am currently looking at it.

@ingorichter I think we should upgrade our build machines to 10.9.5. We are talking to the RE to see what this actually means.

@core-ai-bot
Member Author

Comment by nethip
Thursday Jan 08, 2015 at 10:46 GMT


@peterflynn @ingorichter Here is the full picture that I got from the RE.

The BAST signing servers are going to be upgraded from 10.9.3 to 10.9.5, and while testing, the BAST team has found that "Brackets Helper.app" is not complying with the V2 signing requirement when signed using 10.9.5. As I mentioned above, some structural changes inside Brackets Helper.app were suggested. I will see what changes need to be done.

@ingorichter Actually there is no need to update our build machine to 10.9.5. The new MAC build system that we are going to procure comes with 10.9.5. So we are going to be on 10.9.5 once the new systems are set up and fully functional.

@core-ai-bot
Member Author

Comment by ingorichter
Thursday Jan 08, 2015 at 21:13 GMT


Do we really need to update the build machine? Signing happens on different machines anyway. I just saw that we are still on 10.8.5 for webauthoringbuild. We should be able to update to 10.9.5, but we should plan for some time testing the new OS version and the tools that will be updated with this OS update.
What are the proposed changes to make the helper app comply with V2 signing? I thought we'd made all the required changes to Brackets and all parts that will be signed when the code signing requirements changed last year.

@core-ai-bot
Member Author

Comment by nethip
Friday Jan 09, 2015 at 12:29 GMT


@ingorichter Sure, we should test existing tools on the new build system. But I think it would be good if we can retain the same versions of tools (like XCode, Java, etc.) on the new 10.9.5 system. Or should we upgrade these as well?

And about V2 signing compliance, I don't know why Brackets Helper.app is listed as one of the applications that is not complying with V2 signing on MAC. I just tried all the steps they had mentioned in their wiki about signing Brackets Helper.app, and all tests look fine (signed with codesign and checked it with spctl). Another recommendation they had was to change the application structure. But if we look at the contents of Brackets Helper.app, it is bare minimum. It has just the MacOS folder, where the binary exists.

@core-ai-bot
Member Author

Comment by ingorichter
Friday Jan 09, 2015 at 21:03 GMT


I agree. If there is no need to update the remaining tools, then we should stick with them for a while. I'm always eager to go with the latest version of everything to avoid security issues and take advantage of improvements. This sometimes comes at a cost which is not easy to determine upfront.
I remember that we had a complaint about how CEF was structured and that we had to add a plist for it. Nobody ever mentioned that the Helper app has any issues. Every time we did the signature check for a release, spctl was always fine with the app.
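
As an added illustration (not code from this thread, from Brackets, or from the BAST wiki), a pre-signing lint for the bundle-layout issues discussed above: a missing plist, a helper that holds only a MacOS folder, and code outside the expected directories. The three rules are assumptions drawn from Apple's general bundle layout guidance, and `Sample Helper.app` and `com.example.helper` are constructed sample names; `codesign` and `spctl` remain the authoritative checks.

```python
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers (thin 32/64-bit and fat), in both byte orders.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}

def is_macho(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(4) in MACHO_MAGICS

def lint_bundle(app: Path) -> list[str]:
    """Return layout problems that tend to break sealing of a .app bundle."""
    problems = []
    contents = app / "Contents"
    # Assumed rule 1: everything in the bundle lives under Contents/.
    for entry in sorted(app.iterdir()):
        if entry.name != "Contents":
            problems.append(f"stray item at bundle root: {entry.name}")
    # Assumed rule 2: Info.plist exists and names the main executable.
    plist_path = contents / "Info.plist"
    if not plist_path.is_file():
        return problems + ["missing Contents/Info.plist"]
    info = plistlib.loads(plist_path.read_bytes())
    if not info.get("CFBundleIdentifier"):
        problems.append("Info.plist has no CFBundleIdentifier")
    exe = info.get("CFBundleExecutable")
    if not exe or not (contents / "MacOS" / exe).is_file():
        problems.append("CFBundleExecutable missing from Contents/MacOS")
    # Assumed rule 3: code in Resources is sealed as data, not signed as code.
    res = contents / "Resources"
    for f in sorted(res.rglob("*")) if res.is_dir() else []:
        if f.is_file() and not f.is_symlink() and is_macho(f):
            problems.append(f"Mach-O code in Resources: {f.relative_to(app)}")
    return problems

def build_sample(root: Path, with_plist: bool) -> Path:
    """Constructed sample: a helper bundle holding only Contents/MacOS."""
    app = root / "Sample Helper.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "MacOS" / "helper").write_bytes(
        bytes.fromhex("cffaedfe") + b"\0" * 28)  # fake 64-bit Mach-O header
    if with_plist:
        info = {"CFBundleIdentifier": "com.example.helper", "CFBundleExecutable": "helper"}
        (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps(info))
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(lint_bundle(build_sample(Path(tmp), with_plist=False)))
```
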

@core-ai-bot
Member Author

Comment by nethip
Monday Jan 12, 2015 at 09:26 GMT


@ingorichter Thanks for letting me know about the plist addition to CEF. This could be a possible reason. Anyway, we have asked the BAST team to tell us why Brackets Helper.app is listed in the list of apps not complying with V2 signing. I will give an update once I hear from them.

@core-ai-bot
Member Author

Comment by nethip
Monday Jan 12, 2015 at 10:17 GMT


We just heard from the BAST team. Everything looks fine.

@core-ai-bot
Member Author

Comment by nethip
Monday Jan 12, 2015 at 10:18 GMT


Closing.
