-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
codesign MacOS binaries #1
Comments
After a bit of research and experimentation, it looks like Gatekeeper will only check for code signatures for files/apps that have the References:
Will keep this issue open as code signing would still be a good idea eventually, but it doesn't need to block the initial release. |
When distributed as a conda package, orca didn't get blocked by Gatekeeper in order to run, but it did get blocked when attempting to bind to a local port. See plotly/orca#269. Kaleido won't run into this issue because it doesn't use ports for communication. |
1) Chromium has runtime checks that intentionally crash chromium in fear of security vulnerabilities. 2) Chromium does not remove old and degrading APIs from their documentation, they do not work. 3) Chromium will flesh out API structures and header files and half-implement the concept, that is: Stuff they are not using is buggy, it is NOT enough for it to be part of the spec. 4) Using DevTools Protocol from w/in Chromium uses their SimpleDevToolsProtocolClient class, which is _not_ complete. 5) Because there is no message broker between the Host and Client, SimpleDevToolsProtocolClient sends json instructions as arguments directly to the host consumer- the browser or the tab. 6) Because of above checks in #1, calls to class methods must often originate from the exact same thread that the class was instantiated on, or there will be a mandatory fatal crash. 7) SimpleDevToolsProtocol client does not handle this. 8) And in general, generating and using tabs with SimpleDevToolsProtocol.CreateSession will cause crashes due to checks due to the above when any command is sent. 9) Chromium's own workarounds include using APIs that we're just not supposed to use.
We should work out how to digitally sign the MacOS kaleido binary so that it doesn't get blocked by the default settings of Gatekeeper.
Looks like we could do this from the command using the
codesign
command after the build has been completed: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.htmlThe text was updated successfully, but these errors were encountered: