fix: codesign doesn't sign frameworks or sidecar, closes #7690 #7774
@tr3ysmith I pushed some changes and it looks nice, but I can't get the framework signature to be approved by the Apple notarization. I'm using our updater integration test to validate it, if you want to run it too, simply configure your signing/notarization environment variables and run
{
  "logFormatVersion": 1,
  "jobId": "$ID",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "app-updater.zip",
  "uploadDate": "2023-09-15T13:06:58.269Z",
  "sha256": "...",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "app-updater.zip/app-updater.app/Contents/MacOS/app-updater",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}
@lucasfernog that's bizarre, running the test now and I'm getting all passes, but when I run codesign verification, I'm getting
@lucasfernog this is my test output
There's no signing output here. The app id doesn't matter I think, if it does just change it to something else.
@lucasfernog my bad, I forgot to set environment variables so I could use my developer account to codesign/notarize, just added that, and now I'm seeing this:
@lucasfernog I just ran the same codesign function directly on that
I imagined it was a problem with that test framework, maybe the bundle format is wrong or something. Btw running the "same command" isn't a good test here, we need to make sure the whole bundling process is working with codesign and notarize.
@lucasfernog I just created a fresh test framework and it seems to have worked, I'm going to push it up to this pull request now
@lucasfernog let me know if this fixes it for you
I'll try it as soon as I get home, thank you!
Maybe symlinks are behaving a little weird when you push and I pull?
@lucasfernog if you try doing it on the framework inside the test folder, does it still do the same thing?
Also would be nice if you could set up commit signing, it's a requirement on our repos 😻
Sorry! I had not realized that wasn't enabled on my end, fixed!
(tauri-apps#7774) Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Port of tauri-apps/tauri#7774
Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>

* fix: code sign frameworks and binaries
Port of tauri-apps/tauri#7774
Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
* fix: create target binary directory before copying
* chore: update error doc
* fix: apply suggestion
Co-authored-by: Amr Bashir <amr@crabnebula.dev>
---------
Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Co-authored-by: Amr Bashir <amr@crabnebula.dev>
What kind of change does this PR introduce?
Codesigning on Mac requires Frameworks and embedded binaries to be signed from the inside out. This change removes the --deep command on the code signing and individually signs sidecar and frameworks, then the app package.
Does this PR introduce a breaking change?
Other information
#7690
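The inside-out order described in this PR, as an added Rust example (not the Tauri bundler's code): it walks a bundle, skips symlinks such as a framework's `Versions/Current`, and lists nested code before the bundle that contains it, with one `codesign` call per item and no `--deep`. The helper names, the constructed `Demo.app` layout and the identity placeholder are assumptions made for illustration.

```rust
use std::{fs, io, path::{Path, PathBuf}};
// Post-order walk: nested code is pushed before the bundle that contains it.
// `all_files` is set for Contents/MacOS, where each regular file is treated as an executable.
fn collect(dir: &Path, all_files: bool, out: &mut Vec<PathBuf>) -> io::Result<()> {
    if !dir.is_dir() { return Ok(()); }
    let mut entries: Vec<fs::DirEntry> = fs::read_dir(dir)?.collect::<Result<_, _>>()?;
    entries.sort_by_key(|e| e.path());
    for e in entries {
        let (path, ty) = (e.path(), e.file_type()?);
        let ext = path.extension().and_then(|x| x.to_str()).unwrap_or("").to_owned();
        if ty.is_symlink() { continue; } // e.g. Versions/Current: sign the real path once
        if ty.is_dir() {
            collect(&path, all_files, out)?;
            if matches!(ext.as_str(), "framework" | "app" | "xpc") { out.push(path); }
        } else if all_files || ext == "dylib" { out.push(path); }
    }
    Ok(())
}

// Paths to sign, innermost first. The bundle is last; signing it covers `main_exe`.
fn sign_order(app: &Path, main_exe: &str) -> io::Result<Vec<PathBuf>> {
    let mut out = Vec::new();
    collect(&app.join("Contents/Frameworks"), false, &mut out)?;
    collect(&app.join("Contents/MacOS"), true, &mut out)?;
    out.retain(|p| *p != app.join("Contents/MacOS").join(main_exe));
    out.push(app.to_path_buf());
    Ok(out)
}

// One codesign call per target. No --deep: every nested item is signed explicitly.
fn codesign_cmd(target: &Path, identity: &str) -> String {
    format!("codesign --force --timestamp --options runtime -s '{}' '{}'", identity, target.display())
}

// Constructed sample bundle (empty placeholder files) so the example runs anywhere.
fn build_sample(root: &Path) -> io::Result<PathBuf> {
    let app = root.join("Demo.app");
    for f in ["MacOS/demo", "MacOS/sidecar", "Frameworks/libbar.dylib",
              "Frameworks/Foo.framework/Versions/A/libinner.dylib"] {
        let p = app.join("Contents").join(f);
        fs::create_dir_all(p.parent().unwrap())?;
        fs::write(p, b"")?;
    }
    Ok(app)
}

fn main() {
    let app = build_sample(&std::env::temp_dir().join("sign-order-demo")).unwrap();
    for t in sign_order(&app, "demo").unwrap() { println!("{}", codesign_cmd(&t, "IDENTITY-PLACEHOLDER")); }
}
```

After signing in this order, `codesign --verify --deep --strict` on the finished `.app` checks the nested signatures; `--deep` is used there only for verification.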