Sign Sparkle components Autoupdate and fileop to prevent Apple validation errors during notarization #7731

Closed
mbacchi opened this issue Jan 14, 2020 · 1 comment

mbacchi commented Jan 14, 2020

Apple notarization requirements were relaxed in 2019, with the scheduled date to be sometime in Jan or Feb 2020 for this to be reversed. This appears to now be back in effect, and we've gotten errors notarizing due to Sparkle components not being signed properly:

```json
{
  "severity": "error",
  "code": null,
  "path": "BraveBrowserDev-79.1.4.59.zip/Brave Browser Dev.app/Contents/Frameworks/Brave Browser Dev Framework.framework/Versions/79.1.4.59/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
  "message": "The binary is not signed.",
  "docUrl": null,
  "architecture": "x86_64"
},
{
  "severity": "error",
  "code": null,
  "path": "BraveBrowserDev-79.1.4.59.zip/Brave Browser Dev.app/Contents/Frameworks/Brave Browser Dev Framework.framework/Versions/79.1.4.59/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
  "message": "The binary is not signed.",
  "docUrl": null,
  "architecture": "x86_64"
},
```

We need to sign these using timestamp and hardened runtime options.

mbacchi added a commit to brave/brave-core that referenced this issue Jan 14, 2020
This doesn't work yet as we require Autoupdate and fileop to
first be signed using the equivalent of the command:

`codesign --timestamp --verbose --force --deep -o runtime --sign $ID $FILE`

Fixes: brave/brave-browser#7731
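
The log entries and the `codesign` command quoted above, worked into a small script as an added example (not part of the original issue or of the Brave or Sparkle code): it reads a notarization log, collects the binaries reported as unsigned, and builds the signing command for each. The enclosing `issues` array, the constructed warning entry and `PLACEHOLDER_IDENTITY` are assumptions.

```python
import json
import shlex

UNSIGNED = "The binary is not signed."

# Constructed sample: the two entries quoted in the issue plus one constructed
# warning, wrapped in the "issues" array assumed for the full log.
_SPARKLE = ("BraveBrowserDev-79.1.4.59.zip/Brave Browser Dev.app/Contents/Frameworks/"
            "Brave Browser Dev Framework.framework/Versions/79.1.4.59/Frameworks/"
            "Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/")
SAMPLE_LOG = json.dumps({"issues": [
    {"severity": "error", "code": None, "path": _SPARKLE + "fileop",
     "message": UNSIGNED, "docUrl": None, "architecture": "x86_64"},
    {"severity": "error", "code": None, "path": _SPARKLE + "Autoupdate",
     "message": UNSIGNED, "docUrl": None, "architecture": "x86_64"},
    {"severity": "warning", "code": None, "path": _SPARKLE + "Autoupdate",
     "message": "constructed warning", "docUrl": None, "architecture": "x86_64"},
]})


def unsigned_paths(log_text):
    """Return on-disk paths of binaries the log reports as unsigned, deepest first."""
    issues = json.loads(log_text).get("issues") or []  # tolerate "issues": null
    paths = set()
    for issue in issues:
        if issue.get("severity") != "error" or issue.get("message") != UNSIGNED:
            continue
        # The first path component is the uploaded archive name; drop it.
        _archive, _, inner = issue["path"].partition("/")
        paths.add(inner)  # the set collapses repeated entries (one per architecture)
    # Deepest paths first, so nested code is signed before its containers.
    return sorted(paths, key=lambda p: (-p.count("/"), p))


def codesign_argv(path, identity):
    """Build the command from the thread for one file; identity is a placeholder."""
    return ["codesign", "--timestamp", "--verbose", "--force", "--deep",
            "-o", "runtime", "--sign", identity, path]


if __name__ == "__main__":
    for p in unsigned_paths(SAMPLE_LOG):
        print(shlex.join(codesign_argv(p, "PLACEHOLDER_IDENTITY")))
```
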
@mbacchi mbacchi added the QA/No label Jan 14, 2020
mbacchi added a commit to brave/brave-core that referenced this issue Jan 15, 2020
Update the Brave fork of Sparkle to use upstream release 1.22.0
which enables hardened runtime code signing.

Fixes: brave/brave-browser#7731

mbacchi commented Feb 3, 2020

Dup of #6572, fixed in brave/brave-core#4456

@mbacchi mbacchi closed this as completed Feb 5, 2020
@bbondy bbondy added this to the Closed / Invalid milestone Jun 3, 2020