[Bug] macOS notarization fails #5193

Closed
nor0x opened this issue Jan 9, 2021 · 6 comments · Fixed by #5249

nor0x commented Jan 9, 2021

MOVED FROM: microsoft/playwright-dotnet#1093

I'm using Playwright-Sharp in a macOS project which gets distributed to our customers. We use the Apple notarization service to allow proper execution with Gatekeeper enabled. Since I have added Playwright-Sharp to the project, the notarization fails, because the added binaries are not properly signed and don't have the hardened runtime flag enabled. Here is a log of the Apple notarization service:

{
  "logFormatVersion": 1,
  "jobId": "1234567890",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MyApp.app.zip",
  "uploadDate": "2021-01-09T14:54:20Z",
  "sha256": "1234567890",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/playwright-cli",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/playwright-cli",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/playwright-cli",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/ffmpeg-mac",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/ffmpeg-mac",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.app.zip/MyApp.app/Contents/MonoBundle/ffmpeg-mac",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
Author

nor0x commented Jan 11, 2021

I tried to self-sign the external dependencies of my application. For ffmpeg-mac it works if I sign it manually via terminal:

codesign --force --options runtime --sign "Developer ID Application: myorg" ffmpeg-mac

Doing the same for playwright-cli, however, leads to the following error message: playwright-cli: main executable failed strict validation

Apple Documentation about this issue

codesign says my main executable failed strict validation.

  • Your Mach-O executable does not conform to modern Mach-O layout rules.
  • You may be using a third party development product that hasn't been brought up to date, or post-processed your file in unsupported ways.

https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG309

EDIT:

probably related to this one:
vercel/pkg#128
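
An added example, not part of the original thread or of Playwright's code: it parses a notarization log in the format quoted above, groups the errors per binary, and derives the `codesign` options each binary needs. The sample log is constructed, the helper names are hypothetical, and `--timestamp` is the standard `codesign` option for the secure-timestamp error.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the log quoted in this issue (not real output).
_PREFIX = "MyApp.app.zip/MyApp.app/Contents/MonoBundle/"
SAMPLE_LOG = json.dumps({
    "status": "Invalid",
    "archiveFilename": "MyApp.app.zip",
    "issues": [
        {"severity": "error", "path": _PREFIX + "ffmpeg-mac",
         "message": "The binary is not signed."},
        {"severity": "error", "path": _PREFIX + "ffmpeg-mac",
         "message": "The signature does not include a secure timestamp."},
        {"severity": "error", "path": _PREFIX + "ffmpeg-mac",
         "message": "The executable does not have the hardened runtime enabled."},
        {"severity": "warning", "path": _PREFIX + "notes.txt",
         "message": "Constructed warning, ignored below."},
    ],
})

# Log message -> codesign options that address it (signing itself covers "not signed").
REMEDIES = {
    "The binary is not signed.": (),
    "The signature does not include a secure timestamp.": ("--timestamp",),
    "The executable does not have the hardened runtime enabled.": ("--options", "runtime"),
}

def failing_binaries(log_text):
    """Return {path relative to the archive: [error messages]}."""
    log = json.loads(log_text)
    prefix = log.get("archiveFilename", "") + "/"
    grouped = defaultdict(list)
    for issue in log.get("issues") or []:  # tolerate a null or missing list
        if issue.get("severity") != "error":
            continue
        path = issue["path"]
        if path.startswith(prefix):
            path = path[len(prefix):]
        grouped[path].append(issue["message"])
    return dict(grouped)

def codesign_argv(path, messages, identity):
    """Build a codesign argv for one binary; also return messages with no known remedy."""
    options, unhandled = [], []
    for msg in messages:
        if msg not in REMEDIES:
            unhandled.append(msg)
        elif REMEDIES[msg] not in options:
            options.append(REMEDIES[msg])
    argv = ["codesign", "--force"]
    for opt in options:
        argv.extend(opt)
    return argv + ["--sign", identity, path], unhandled
```

As reported in the comment above, signing `playwright-cli` this way still failed with "main executable failed strict validation", so the generated command only helps for binaries that `codesign` accepts, such as `ffmpeg-mac`.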

@yury-s yury-s changed the title macOS notarization fails [Bug] macOS notarization fails Jan 12, 2021
Member

yury-s commented Jan 12, 2021

We are changing the way cli is packaged and trying to move away from pkg, so it may help with this issue too.

Author

nor0x commented Jan 12, 2021

thanks for the reply @yury-s 👍
do you have a rough estimation on a timeline?

I'm just curious so that I could plan my resources accordingly

Contributor

kblok commented Jan 12, 2021

@nor0x I'm working on that on the Sharp side. We should get something by the end of this week or early next week.

@dgozman dgozman transferred this issue from microsoft/playwright-cli Jan 27, 2021
Author

nor0x commented Feb 1, 2021

hey @kblok do you already have an update for the notarization issues? Do you need more info or a repro?

Contributor

kblok commented Feb 1, 2021

@nor0x PlaywrightSharp v0.180.0 is shipped with the new "unpacked" driver. I think you would still get an error regarding ffmpeg-mac.

aslushnikov added a commit to aslushnikov/playwright that referenced this issue Feb 2, 2021
This patch starts downloading FFMPEG like we download our browsers
instead of bundling it in the NPM package.

With this patch, NPM size is reduced from 8.8MB to 1.7MB.

Consequences:
- `npx playwright` is drastically faster now
- playwright driver for language bindings is way smaller
- projects that bundle Playwright can pass Apple Notarization

Fixes microsoft#5193
aslushnikov added a commit to aslushnikov/playwright that referenced this issue Feb 3, 2021
aslushnikov added a commit that referenced this issue Feb 3, 2021
This patch starts downloading FFMPEG like we download our browsers
instead of bundling it in the NPM package.

With this patch, NPM size is reduced from 8.8MB to 1.7MB.

Consequences:
- `npx playwright` is drastically faster now
- playwright driver for language bindings is way smaller
- projects that bundle Playwright can pass Apple Notarization

Fixes #5193