Firestore fails to find certificates on macOS

[wilhuff]

Pod installing Firestore ends up crashing with this message:

2019-03-21 10:06:37.143496-0700 macOS_example[39141:28967486] *** Assertion failure in std::string firebase::firestore::remote::LoadGrpcRootCertificate()(), /Users/mcg/src/firebase/ios-sdk/Firestore/core/src/firebase/firestore/remote/grpc_root_certificate_finder_apple.mm:80
2019-03-21 10:06:37.148545-0700 macOS_example[39141:28967486] [General] An uncaught exception was raised
2019-03-21 10:06:37.148562-0700 macOS_example[39141:28967486] [General] FIRESTORE INTERNAL ASSERTION FAILED: Could not load root certificates from the bundle. SSL cannot work. (expected path)
2019-03-21 10:06:37.148636-0700 macOS_example[39141:28967486] [General] (
	0   CoreFoundation                      0x00007fff4c9f8ded __exceptionPreprocess + 256
	1   libobjc.A.dylib                     0x00007fff78ac4720 objc_exception_throw + 48
	2   CoreFoundation                      0x00007fff4ca13a4a +[NSException raise:format:arguments:] + 98
	3   Foundation                          0x00007fff4ee06eed -[NSAssertionHandler handleFailureInFunction:file:lineNumber:description:] + 166
	4   macOS_example                       0x0000000100268675 _ZN8firebase9firestore4util8internal4FailEPKcS4_iRKNSt3__112basic_stringIcNS5_11char_traitsIcEENS5_9allocatorIcEEEE + 533
	5   macOS_example                       0x0000000100268d32 _ZN8firebase9firestore4util8internal4FailEPKcS4_iRKNSt3__112basic_stringIcNS5_11char_traitsIcEENS5_9allocatorIcEEEES4_ + 1538
	6   macOS_example                       0x000000010024d6d6 _ZN8firebase9firestore6remote23LoadGrpcRootCertificateEv + 118
	7   macOS_example                       0x000000010023f320 _ZNK8firebase9firestore6remote14GrpcConnection13CreateChannelEv + 96
	8   macOS_example                       0x000000010023ee3b _ZN8firebase9firestore6remote14GrpcConnection16EnsureActiveStubEv + 267
	9   macOS_example                       0x0000000100241a95 _ZN8firebase9firestore6remote14GrpcConnection12CreateStreamEN4absl11string_viewERKNS0_4auth5TokenEPNS1_18GrpcStreamObserverE + 85
	10  macOS_example                       0x0000000100341a25 _ZN8firebase9firestore6remote11WriteStream16CreateGrpcStreamEPNS1_14GrpcConnectionERKNS0_4auth5TokenE + 101
	11  macOS_example                       0x000000010030ab9f _ZN8firebase9firestore6remote6Stream26ResumeStartWithCredentialsERKNS0_4util8StatusOrINS0_4auth5TokenEEE + 351
	12  macOS_example                       0x000000010030f49e _ZZZN8firebase9firestore6remote6Stream18RequestCredentialsEvENK3$_0clERKNS0_4util8StatusOrINS0_4auth5TokenEEEENKUlvE_clEv + 142
	13  macOS_example                       0x000000010030f3fd _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRZZN8firebase9firestore6remote6Stream18RequestCredentialsEvENK3$_0clERKNS4_4util8StatusOrINS4_4auth5TokenEEEEUlvE_EEEvDpOT_ + 45
	14  macOS_example                       0x000000010030f0c9 _ZNSt3__110__function6__funcIZZN8firebase9firestore6remote6Stream18RequestCredentialsEvENK3$_0clERKNS3_4util8StatusOrINS3_4auth5TokenEEEEUlvE_NS_9allocatorISE_EEFvvEEclEv + 41
	15  macOS_example                       0x0000000100129606 _ZNKSt3__18functionIFvvEEclEv + 102
	16  macOS_example                       0x00000001000585ee _ZN8firebase9firestore4util10AsyncQueue15ExecuteBlockingERKNSt3__18functionIFvvEEE + 478
	17  macOS_example                       0x000000010005b177 _ZZN8firebase9firestore4util10AsyncQueue4WrapERKNSt3__18functionIFvvEEEENK3$_0clEv + 39
	18  macOS_example                       0x000000010005b13d _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRZN8firebase9firestore4util10AsyncQueue4WrapERKNS_8functionIFvvEEEE3$_0EEEvDpOT_ + 45
	19  macOS_example                       0x000000010005aef9 _ZNSt3__110__function6__funcIZN8firebase9firestore4util10AsyncQueue4WrapERKNS_8functionIFvvEEEE3$_0NS_9allocatorISB_EES7_EclEv + 41
	20  macOS_example                       0x0000000100129606 _ZNKSt3__18functionIFvvEEclEv + 102
	21  macOS_example                       0x000000010009b941 _ZZN8firebase9firestore4util8internal13DispatchAsyncEPU28objcproto17OS_dispatch_queue8NSObjectONSt3__18functionIFvvEEEENK3$_0clEPv + 33
	22  macOS_example                       0x000000010009b918 _ZZN8firebase9firestore4util8internal13DispatchAsyncEPU28objcproto17OS_dispatch_queue8NSObjectONSt3__18functionIFvvEEEEN3$_08__invokeEPv + 24
	23  libdispatch.dylib                   0x000000010160c7c3 _dispatch_client_callout + 8
	24  libdispatch.dylib                   0x00000001016149c7 _dispatch_lane_serial_drain + 789
	25  libdispatch.dylib                   0x000000010161587e _dispatch_lane_invoke + 446
	26  libdispatch.dylib                   0x0000000101620f44 _dispatch_workloop_worker_thread + 691
	27  libsystem_pthread.dylib             0x0000000101687047 _pthread_wqthread + 409
	28  libsystem_pthread.dylib             0x0000000101686e41 start_wqthread + 13

#2241 added code that should have addressed this but it's not working in a clean install.

[jhoughjr]

acknowledged.
Anything else you need me to try?
I've verified the bundle it is looking for is indeed where it is looking according to finder.

Early yesterday I would get dialogs about using the keychain with a guidlike thing.firebase etc.
I no longer see that. When i looked in the keychain to possibly remove that entry for a fresh start, i could not find it. I don't know if it is related to the issue.
(in the webview version i had tried to use session auth persistence, it never semed to work though but I thought maybe that had corrupted something, as the dialog came up before I authed)

[wilhuff]

I've managed to reproduce the issue locally, so for the moment I don't need anything else from you.

I can see that the bundle is present as well. However, we're not finding it with the code we have. Under the debugger in grpc_root_certificate_finder.mm, I see:

(lldb) po [bundle pathForResource:@"roots" ofType:@"pem"]
 nil
(lldb) po [bundle pathForResource:@"gRPCCertificates.bundle/roots" ofType:@"pem"]
 nil
(lldb) po [bundle pathForResource:@"gRPCCertificates.bundle/Contents/Resources/roots" ofType:@"pem"]
/.../Library/Developer/Xcode/DerivedData/Firestore-csljdukzqbozahdjizcvrfiufrkb/Build/Products/Debug/macOS_example.app/Contents/Frameworks/grpcpp.framework/Resources/gRPCCertificates.bundle/Contents/Resources/roots.pem

We shouldn't have to reach into the bundle like that though, so I'm investigating.

[jhoughjr]

Much obliged. Let me know if you need any testing from me, or if you can think of a fix i can shoehorn in. (I'm 3 days late on deliverables and low on coffee!)

[jhoughjr]

Just a thought, could it have to do with cocoapods and how it links dependencies?
I'll also add I'm on mohave. Maybe apple derprecated something on you.

[wilhuff]

No the issue is that the code is implicitly making assumptions about bundle structure that hold true on iOS but don't on macOS.

You should be able to work around this for the moment by placing a copy of the roots.pem file that you'll find inside gRPCCertificates.bundle and adding it as a resource directly to your application. I'm cooking up a fix.

[jhoughjr]

Great minds think alike. I was just coming here to say I had it worked around by doing just that after seeing @"roots.pem" in the array of bundles. I moved the pem out of the bundle to the root of my proj, added it to the target and added it to copy bundle resources.
I smell some unit tests brewing! I can only imagine Obj-C++ unit testing...
Thanks again for helping debug this.
If y'all do tests I'd wrap this scenario tight as we have learned something new about the code that wasn't documented (the errant bundle behavior, probably by apple).
I'll go back to that SO post and advise them of this workaround.
Kudos.

[wilhuff]

The fix has been committed to master and it will go out with our next release. In the meantime you can build against Firestore from master by changing your Podfile as described in our README.

[leisurehound]

I upgraded from 5.x to 6.3.0 yesterday and ran into this problem integrating Firestore. I had deleted the previous Resources file from Xcode and then dragged in the new one from 6.3.0 download (not using cocoa pods or carthage). The app failed to build until I dragged in the PEM file and added it to the target manually. Did this regress or is this possible handled better by Cocoapods magic that I've eliminated?

[var-const]

@leisurehound the roots.pem file has to be in the resources one way or the other. When using CocoaPods, this should happen automatically during pods installation. If you are configuring the project manually, yes, you would have to add the file manually as well (e.g. see these Carthage instructions (skip to Copy Bundle Resources). So from what you're describing, it sounds like expected behavior. Happy you got your project building!

[leisurehound]

So, I had copied the Firestore/Resources/gRPCCertificates-Cpp.bundle into my project manually as instructed in the manual instructions in the Readme.md, ensuring it was in my target and copying files.:

6. If the SDK has resources, go into the Resources folders, which will be in
   the SDK folder. Drag all of those resources into the Project Navigator, just
   like the frameworks, again making sure that the target you want to add these
   resources to has a checkmark next to it, and that you've selected "Copy items
   if needed".

But I then got the error here. When I went to the gRPCCertificates-Cpp.bundle file in Finder and 'Show Package Contents,' grab the roots.pem file and drag it into the Xcode project navigator, the workaround listed here, did the project not crash on start. I don't think the extra step of the workaround documented here is the expected behavior.

[TheHmmka]

The same problem is here. I need to connect to one Firestore from several applications. I have created custom pods with Firestore framework added manually (not via dependencies) and try to connection to the database. Always get assertion error.

[mikelehen]

@TheHmmka If you download the zip from https://firebase.google.com/docs/ios/setup#frameworks, the included README has instructions for setting up Firestore manually including including the certificate bundle... The cert loading logic looks in the gRPC-C++ framework bundle, the FirebaseFirestore framework bundle, and the main bundle. The cert bundle has to be in one of those places

[TheHmmka]

@TheHmmka If you download the zip from https://firebase.google.com/docs/ios/setup#frameworks, the included README has instructions for setting up Firestore manually including including the certificate bundle... The cert loading logic looks in the gRPC-C++ framework bundle, the FirebaseFirestore framework bundle, and the main bundle. The cert bundle has to be in one of those places

Yes, but when I put frameworks to my private cocoa pod, it doesn't work out of the box. I need to put pem file to the application bundle, instead of using it from builded pod.

[paulb777]

Right, Firebase does not support dynamic linking.