Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/link: keep MacOS binaries compatible with Apple Notary #31918

Open
networkimprov opened this issue May 8, 2019 · 7 comments

Comments

Projects
None yet
6 participants
@networkimprov
Copy link

commented May 8, 2019

Review this before each release, as the required SDK value will eventually change.

The minimum SDK is given by a pair of constant expressions, last seen at:
https://github.com/golang/go/tree/master/src/cmd/link/internal/ld/macho.go#L418

// The version must be at least 10.9; see golang.org/issues/30488.
ml := newMachoLoad(ctxt.Arch, LC_VERSION_MIN_MACOSX, 2)
ml.data[0] = 10<<16 | 9<<8 | 0<<0 // OS X version 10.9.0
ml.data[1] = 10<<16 | 9<<8 | 0<<0 // SDK 10.9.0

See also https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues

Originally raised in #30488

@networkimprov

This comment has been minimized.

Copy link
Author

commented May 8, 2019

Milestone should be 1.14 (unless there is a milestone for "every release").
Tag should be NeedsFix, or none.

I opened this at request of @ianlancetaylor.

@macetw

This comment has been minimized.

Copy link

commented May 8, 2019

My team used this basic fix, to change the constants as cited, with a binary that was later submitted to Apple Notary and it worked with flying colors. The Certification is officially stapled to our application. I believe this should satisfy the "NeedsInvestigation" portion of this issue.

@dmitshur dmitshur modified the milestones: Go1.13, Go1.14 May 8, 2019

@randall77

This comment has been minimized.

Copy link
Contributor

commented May 9, 2019

So what's the specific action item we should do for each release? Check that "See also" page and make sure it still says "10.9"?

@macetw

This comment has been minimized.

Copy link

commented May 9, 2019

@randall77 are you asking me? Do you mean what action should you take to ensure binaries can be Notary-certified?
Well, the best practice would be to embed a binary into a .pkg file in some way, run the .pkg file through the notary-cerification process, and ensure that it passes. That would be 100%. I'm not sure whether that's realistic, because I don't know the steps to begin that relationship to submit anything to apple. My experience was relying on members of my team in another office who set up the relationship.
I wonder about the same kind of test that checks whether "codesign" works on Go binaries. codesign is a prerequisite of getting approval for notary. It requires a certificate, and I also don't know how an open source project would acquire such a certificate.

@randall77

This comment has been minimized.

Copy link
Contributor

commented May 9, 2019

I'm asking anyone who might know.

Actually getting something notarized would certainly be a good test. That seems hard though. You need to sign a binary, have a valid Apple developer ID, etc.

I'm wondering about the simpler problem of this issue - how will we know when Apple changes the minimum version from 10.9 to something larger? Is there a canonical reference we can check?

@macetw

This comment has been minimized.

Copy link

commented May 9, 2019

According to my associate, enrollment in the Apple developer program costs $100. It seems to include both a login to notarize and a codesign certificate.
https://developer.apple.com/programs/enroll/

@pieterclaerhout

This comment has been minimized.

Copy link

commented May 13, 2019

You need to be enrolled as an Apple Developer to be able to notarize your app. Additionally, there is quite a bit of setup needed to get notarization up and running.

The notarization process is also rather tricky as it's an async thing. You need to submit your app after building to the notarization service. You then need to poll for the status to see if it gets notarized or not (which takes anywhere from seconds to several minutes). If the notarization fails, you need to parse the output, download a log, parse that again to figure out what is wrong.

My guess is that checking if the required SDK version is 10.9 should be what needs to be checked.

I'm not sure if this minimum requirement is going to change anytime soon though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.