
macOS Mojave hardening requirement #372

Closed
tresf opened this Issue Oct 21, 2018 · 8 comments

@tresf
Contributor

commented Oct 21, 2018

Apple is warning developers that a new "notarization" is required for apps distributed outside the App Store.

More info available here:
https://stackoverflow.com/questions/52911791/

How does a Java project comply?

@tresf tresf added this to the 2.0.9 milestone Oct 21, 2018

@tresf

Contributor Author

commented Oct 21, 2018

Some good conversations around this topic...

https://twitter.com/rosyna/status/1004418504408252416 [mirror (PDF)]
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/0 [mirror (PDF)]

Unfortunately none of them seem to address how this applies to non-compiled projects, so I submitted it for notarization blindly:

Template

xcrun altool --eval-app --primary-bundle-id <bundle id> -u <iTunes Connect Account> -f <file path>

Actual Command

xcrun altool --eval-app --primary-bundle-id io.qz.qz-tray -u <developer-id>@qz.io -f out/dist/qz-tray-2.x.x.pkg

After a few minutes, it returns:

RequestUUID = a1b2c3d4e5-a1b2-a1b2-a1b2-a1b2c3d4e5f6

Which then can be monitored remotely using:

xcrun altool --eval-info a1b2c3d4e5-a1b2-a1b2-a1b2-a1b2c3d4e5f6 -u <developer-id>@qz.io

Which returns Status Message: Package Invalid (not very helpful); however, there's a URL with a JSON-formatted detailed message when the CLI is invoked....

LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/...

Browsing to this shows some useful information!

JSON response:
{
  "logFormatVersion": 1,
  "jobId": "a1b2c3d4e5-a1b2-a1b2-a1b2-a1b2c3d4e5f6",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "qz-tray-2.0.7.pkg",
  "uploadDate": "2018-10-21T14:09:30Z",
  "sha256": "0664bc19a004f40cdb2cf414a4eaad0cdfb7111b9691dde16a6ecc9ea6046e1a",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc.jnilib",
      "message": "Unable to notarize qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc.jnilib",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc64.jnilib",
      "message": "Unable to notarize qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc64.jnilib",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/org/usb4java/osx-x86/libusb4java.dylib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/org/usb4java/osx-x86_64/libusb4java.dylib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_x86_64.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_x86.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/darwin/libhidapi.dylib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null
    }
  ]
}

Next steps...

Shim a sign step into the build process for the following and then resubmit for notarization.

libs/mac_os_x/libjSSC-2.8_ppc.jnilib
libs/mac_os_x/libjSSC-2.8_ppc64.jnilib
org/usb4java/osx-x86/libusb4java.dylib
org/usb4java/osx-x86_64/libusb4java.dylib
libs/mac_os_x/libjSSC-2.8_x86_64.jnilib
libs/mac_os_x/libjSSC-2.8_x86.jnilib
darwin/libhidapi.dylib
com/sun/jna/darwin/libjnidispatch.jnilib
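The "Next steps" list above was derived by hand from the LogFileURL JSON. The script below, added here and not part of the thread or of the qz-tray build, does that triage automatically: it parses a log in the same shape, strips the pkg/Payload/jar prefix from each path, de-duplicates entries that the log repeats once per architecture slice (libjnidispatch above), and separates binaries that merely need a signature ("The binary is not signed.") from the ones Apple reports it cannot notarize at all (the PPC slices). The sample log is constructed to mirror the quoted one with fewer entries; the function names are mine, not altool's.

```python
import json

# Constructed sample in the shape of the altool LogFileURL response quoted in
# the thread (fewer entries than the real log, same fields and messages).
SAMPLE_LOG = """{
  "logFormatVersion": 1,
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "qz-tray-2.0.7.pkg",
  "issues": [
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc.jnilib",
     "message": "Unable to notarize qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc.jnilib"},
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc64.jnilib",
     "message": "Unable to notarize qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_ppc64.jnilib"},
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/org/usb4java/osx-x86_64/libusb4java.dylib",
     "message": "The binary is not signed."},
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/libs/mac_os_x/libjSSC-2.8_x86_64.jnilib",
     "message": "The binary is not signed."},
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
     "message": "The binary is not signed."},
    {"severity": "error", "code": null,
     "path": "qz-tray-2.0.7.pkg/Payload/Payload/qz-tray.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
     "message": "The binary is not signed."}
  ]
}"""


def jar_relative(path):
    """Return the part of a log path after the first '*.jar/' component,
    e.g. '.../qz-tray.jar/libs/x.jnilib' -> 'libs/x.jnilib'.
    Paths without a jar component are returned unchanged."""
    marker = ".jar/"
    idx = path.find(marker)
    return path[idx + len(marker):] if idx != -1 else path


def triage_notarization_log(log_text):
    """Classify every error in a notarization log.

    to_sign:          binaries that only lack a code signature
    cannot_notarize:  binaries Apple refuses outright (PPC slices in the thread)
    other:            any error message this script does not recognise
    Entries are de-duplicated (universal binaries appear once per slice) and
    sorted so the result is stable across runs."""
    log = json.loads(log_text)
    to_sign, cannot_notarize, other = set(), set(), []
    # "issues" is null (not a list) on an Accepted log, hence the `or []`.
    for issue in log.get("issues") or []:
        if issue.get("severity") != "error":
            continue
        rel = jar_relative(issue["path"])
        msg = issue.get("message") or ""
        if msg == "The binary is not signed.":
            to_sign.add(rel)
        elif msg.startswith("Unable to notarize"):
            cannot_notarize.add(rel)
        else:
            other.append((rel, msg))
    return {
        "status": log.get("status"),
        "status_code": log.get("statusCode"),
        "to_sign": sorted(to_sign),
        "cannot_notarize": sorted(cannot_notarize),
        "other": other,
    }


if __name__ == "__main__":
    report = triage_notarization_log(SAMPLE_LOG)
    print(f"{report['status']} (statusCode {report['status_code']})")
    print("Sign before resubmitting:")
    for p in report["to_sign"]:
        print("  " + p)
    print("Cannot be notarized (remove or replace):")
    for p in report["cannot_notarize"]:
        print("  " + p)
```

Point it at a downloaded LogFileURL body instead of SAMPLE_LOG to get the same two lists for a real submission; anything that lands in "other" is a message this script has not seen and should be read by hand.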
@tresf

Contributor Author

commented Oct 21, 2018

@bberenz any idea how we'd be able to shim a signing step against the above binaries into the ant build process? I assume it would be somewhere around here: https://github.com/qzind/tray/blob/2.0/build.xml#L28 in the build chain. I can handle the signing code, I'm just not sure how to gain access to these libraries after compilation and before packaging (e.g. extract and loop over *.dylib|*.jnilib).

We still code-sign qz-tray.jar so it must occur prior to that step. This is Apple-only (currently) so I'm ok if we need to issue a shell command to do this, but ANT is preferred for obvious reasons.

@tresf

Contributor Author

commented Oct 26, 2018

@bberenz some proof-of-concept code... I'll need help expanding this to all .jnilib and .dylib files found inside the above locations. Note, our current certificate isn't marked for code signing, so I had to obtain one from Apple using our Developer account in order for this to work. This new code-signing cert must be placed in the code repo as part of the (eventual) PR.

ant target:

<target name="repackage" depends="init">
    <!-- FIXME we already import apple signing lower  -->
    <property file="ant/apple/apple.properties"/>

    <!-- find the jssc jar -->
    <path id="find.jar">
        <fileset dir="${lib.dir}/communication/">
            <include name="jssc*.jar"/>
        </fileset>
    </path>

    <property name="jssc.path" value="${toString:find.jar}" />

    <unzip src="${jssc.path}" dest="${out.dir}/jssc-signed" />

    <path id="find.lib">
        <fileset dir="${out.dir}/jssc-signed">
            <include name="**/libjSSC-*x86_64.jnilib"/>
        </fileset>
    </path>

    <echo message="Signing ${toString:find.lib} using ${apple.packager.signid}"/>

    <exec executable="codesign" failonerror="true">
        <arg value="-s"/>
        <arg value="${apple.packager.signid}"/>
        <arg value="-v"/>
        <arg value="${toString:find.lib}"/>
    </exec>
    <zip destfile="${jssc.path}-signed.zip" basedir="${out.dir}/jssc-signed" excludes="dont*.*" />
</target>

ant output:

repackage:
    [unzip] Expanding: /Users/owner/tray/lib/communication/jssc-2.8.0.jar into /Users/owner/tray/out/jssc-signed
     [echo] Signing /Users/owner/tray/out/jssc-signed/libs/mac_os_x/libjSSC-2.8_x86_64.jnilib using P5DMU6659X
     [exec] /Users/owner/tray/out/jssc-signed/libs/mac_os_x/libjSSC-2.8_x86_64.jnilib: signed Mach-O thin (x86_64) [libjSSC-2.8_x86_64]
      [zip] Building zip: /Users/owner/tray/lib/communication/jssc-2.8.0.jar-signed.zip
@bberenz

Member

commented Nov 22, 2018

Some potential code under the new signing branch at bdfca60
Probably not the prettiest code since we can't iterate over files with ant, but this avoids having to script the process.
The only line I am not sure about working right is build.xml#L409; the man page for codesign says it accepts multiple paths, but provides no example of how, so ant's format may be incorrect. This is currently only a problem for one of the jars which contains multiple .jnilib files in it (jssc).

@tresf

Contributor Author

commented Nov 23, 2018

> I am not sure about working right is build.xml#L409, the man page for codesign says it accepts multiple paths, but provides no example of how

Space delimited appears to be the accepted technique but I still don't think it's legal. When exec runs it passes each parameter in as a single string, so you need some way to dynamically <arg value="..."/> based on the number of files. Ant might have some type of support for this. The ant mailing list seems to suggest it does.

> Probably not the prettiest code since we can't iterate over files with ant, but this avoids having to script the process.

Yeah, iteration is a huge gap with this build system, it appears. For now I've committed some platform-dependent working xargs code by invoking bash -c directly in da0da72, which assumes files are always colon-delimited. This makes it even uglier, but has the benefit of calling codesign once per file, which might be a bit easier to troubleshoot if a problem occurs. @bberenz I'll defer to you on whether or not I can make use of multiple arguments.

I think all that's left is to bundle these dependencies back into the jar, right? Then I can submit for notarization.

Here's the (working) output:

presign-libs:
    [unzip] Expanding: tray/lib/communication/jna-4.2.2.jar into tray/out/jar-signing
     [echo] Signing tray/lib/communication/jna-4.2.2.jar using P5DMU6659X
     [exec] tray/out/jar-signing/com/sun/jna/darwin/libjnidispatch.jnilib: signed Mach-O universal (i386 x86_64) [libjnidispatch]
      [zip] Building zip: tray/out/jar-presign/lib/communication/jna-4.2.2.jar
   [delete] Deleting directory tray/out/jar-signing
@bberenz

Member

commented Nov 24, 2018

Bundling build order should be working right under 3e62f0c

@tresf

Contributor Author

commented Nov 27, 2018

Apple's still rejecting the installer due to the presence of two PPC libs. I've written the logic to remove them via f61e3a6 but two outstanding issues remain...

  • HTTPS doesn't work for me with this latest commit. There are some other anomalies that occur, but this is the most notable. HTTPS fixed via 1e4be13.
  • Travis is broken because we're attempting to codesign on machines without signing support.
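The ant target in the Oct 26 comment signs a single hand-picked file, the Nov 22 and Nov 23 comments work around ant's lack of file iteration with a bash -c / xargs shim that runs codesign once per file, and the comment above strips the PPC libraries Apple refuses to notarize. The script below is an added example that covers those three steps in one place; it is not the project's build.xml or any of the referenced commits. It extracts a jar, runs codesign once per *.dylib/*.jnilib (the page's -s and -v flags, plus --force so an already signed binary is re-signed instead of rejected), drops the PPC slices, and repacks the jar. The sample jar, its placeholder entries (not real Mach-O files), the DEVELOPER_ID_PLACEHOLDER identity and the recording stub used by demo() are all constructed; to sign for real, pass subprocess.run as the run argument on a Mac with the signing identity in its keychain.

```python
import subprocess
import tempfile
import zipfile
from pathlib import Path

NATIVE_SUFFIXES = (".dylib", ".jnilib")
# Slices Apple cannot notarize; the thread removes them in commit f61e3a6.
DEFAULT_EXCLUDES = ("_ppc.jnilib", "_ppc64.jnilib")


def codesign_cmd(identity, path):
    """One codesign invocation per file, as in the thread's ant target
    (-s identity, -v); --force re-signs a previously signed binary."""
    return ["codesign", "--force", "-s", identity, "-v", str(path)]


def sign_jar_natives(jar_in, jar_out, identity, excludes=DEFAULT_EXCLUDES,
                     run=subprocess.run):
    """Extract jar_in, sign every native library with its own codesign call,
    drop excluded slices, and repack everything else as jar_out.
    Returns (signed, dropped) lists of jar entry names.
    Repacking invalidates any signature on jar_in itself, so this must run
    before the jar is code-signed (the thread signs qz-tray.jar afterwards)."""
    signed, dropped = [], []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with zipfile.ZipFile(str(jar_in)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
            zf.extractall(root)  # zipfile drops absolute and '..' components
        keep = []
        for name in names:
            if excludes and name.endswith(tuple(excludes)):
                dropped.append(name)
                continue
            if name.endswith(NATIVE_SUFFIXES):
                run(codesign_cmd(identity, root / name), check=True)
                signed.append(name)
            keep.append(name)
        with zipfile.ZipFile(str(jar_out), "w", zipfile.ZIP_DEFLATED) as out:
            for name in keep:
                out.write(str(root / name), arcname=name)
    return signed, dropped


# Constructed sample jar: names follow jssc-2.8.0.jar, contents are placeholders.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "jssc/SerialPort.class": b"\xca\xfe\xba\xbe",
    "libs/mac_os_x/libjSSC-2.8_x86_64.jnilib": b"placeholder-not-mach-o",
    "libs/mac_os_x/libjSSC-2.8_x86.jnilib": b"placeholder-not-mach-o",
    "libs/mac_os_x/libjSSC-2.8_ppc.jnilib": b"placeholder-not-mach-o",
    "libs/mac_os_x/libjSSC-2.8_ppc64.jnilib": b"placeholder-not-mach-o",
}


def write_sample_jar(path):
    """Write the constructed sample jar to path."""
    with zipfile.ZipFile(str(path), "w") as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)


def demo(run=None):
    """Build the sample jar and process it. Without a real `run`, a recording
    stub stands in for codesign so the flow can be checked off a Mac."""
    calls = []

    def record(cmd, check=False):
        calls.append(cmd)

    with tempfile.TemporaryDirectory() as tmp:
        jar_in = Path(tmp) / "jssc-2.8.0.jar"
        jar_out = Path(tmp) / "jssc-2.8.0-signed.jar"
        write_sample_jar(jar_in)
        signed, dropped = sign_jar_natives(
            jar_in, jar_out, "DEVELOPER_ID_PLACEHOLDER", run=run or record)
        with zipfile.ZipFile(str(jar_out)) as zf:
            remaining = sorted(zf.namelist())
    return {"signed": signed, "dropped": dropped,
            "remaining": remaining, "codesign_calls": len(calls)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because each library gets its own codesign call, a failure names the exact file, which is the troubleshooting benefit the Nov 23 comment describes; the question of passing several paths to one codesign invocation does not arise.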
@tresf

Contributor Author

commented Nov 28, 2018

Fixed the HTTPS issue and submitted the app for notarization.

Apple has successfully notarized the app. Just need to fix Travis and the signing branch is good to merge.

JSON response:
{
  "logFormatVersion": 1,
  "jobId": "84431e32-6fad-4fcd-a8e5-55ccec9ab9de",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "qz-tray-2.0.8.pkg",
  "uploadDate": "2018-11-28T06:42:26Z",
  "sha256": "01a7dcf0c214a5b80f5dbb6a6618ad45287e2350bda661b90e46893aae162738",
  "ticketContents": [
    {
      "path": "qz-tray-2.0.8.pkg",
      "digestAlgorithm": "SHA-1",
      "cdhash": "8de7b70028ec5df517a3cb4ef0515843da2c387c"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/org\/usb4java\/osx-x86\/libusb4java.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "2104ddec39ad23991cfb1e77d3de1e6b17c6bf61",
      "arch": "i386"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/org\/usb4java\/osx-x86_64\/libusb4java.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "63a13e22a0873f622a443cd73464510a2cb7f73f",
      "arch": "x86_64"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/libs\/mac_os_x\/libjSSC-2.8_x86_64.jnilib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "84d4e70a199f2f8ee7bb4114404cf6e5cd965242",
      "arch": "x86_64"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/libs\/mac_os_x\/libjSSC-2.8_x86.jnilib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "8017ef7bcbcee46e62abcd6561dd9371fe356ff5",
      "arch": "i386"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/darwin\/libhidapi.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "b2cf33136050d4b30e99373e37afa6503d87d4b9",
      "arch": "x86_64"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/com\/sun\/jna\/darwin\/libjnidispatch.jnilib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "61d6a15eba0f927b8d6582908fbc4e8bb2cf53e9",
      "arch": "i386"
    },
    {
      "path": "qz-tray-2.0.8.pkg\/Payload\/Payload\/qz-tray.jar\/com\/sun\/jna\/darwin\/libjnidispatch.jnilib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "c18ad75e6394b9c47361ab785772bd772bc2e2c9",
      "arch": "x86_64"
    }
  ],
  "issues": null
}

@tresf tresf closed this in #388 Nov 29, 2018

@tresf tresf referenced this issue Feb 2, 2019

Merged

Initial JDK11 support #407

8 of 8 tasks complete