
fix: codesign doesn't sign frameworks or sidecar, closes #7690 #7774

Merged
merged 10 commits into from
Sep 15, 2023

Conversation

tr3ysmith
Contributor

What kind of change does this PR introduce?

Codesigning on Mac requires frameworks and embedded binaries to be signed from the inside out. This change removes `--deep` from the code signing and individually signs the sidecar and frameworks, then the app package.

  • Bugfix
  • Feature
  • Docs
  • New Binding issue #___
  • Code style update
  • Refactor
  • Build-related changes
  • Other, please describe:

Does this PR introduce a breaking change?

  • Yes, and the changes were approved in issue #___
  • [x] No

Checklist

  • When resolving issues, they are referenced in the PR's title (e.g fix: remove a typo, closes #___, #___)
  • A change file is added if any packages will require a version bump due to this PR per the instructions in the readme.
  • I have added a convincing reason for adding this feature, if necessary

Other information

#7690
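The inside-out order the description calls for, as an added shell example; this is not code from the PR or from the tauri bundler. It enumerates Contents/Frameworks (nested components before the framework that embeds them), then the sidecar binaries in Contents/MacOS, and signs the .app bundle last, one codesign call per component and no `--deep`; it finishes with the strict verification used later in this thread. `SIGN_CMD`, `VERIFY_CMD`, the placeholder `IDENTITY` and the Info.plist parsing are assumptions added here, and `SIGN_CMD=echo` dry-runs the whole thing on a machine without codesign.

```shell
#!/bin/sh
# Added example, not code from the tauri PR or the tauri bundler. Signs a
# macOS .app "inside out": frameworks and sidecar binaries first, the app
# bundle last, without `codesign --deep`. SIGN_CMD/VERIFY_CMD/IDENTITY are
# assumptions added here so the script can be dry-run with SIGN_CMD=echo.
SIGN_CMD="${SIGN_CMD:-codesign}"
VERIFY_CMD="${VERIFY_CMD:-codesign}"
IDENTITY="${IDENTITY:-PLACEHOLDER_SIGNING_IDENTITY}"   # placeholder, not a real identity

# Main executable name from Info.plist (CFBundleExecutable on one line, its
# <string> on the next, as Xcode writes it); falls back to the bundle name.
# Needed so sidecars in Contents/MacOS can be told apart from the main binary.
main_executable() {
  plist="$1/Contents/Info.plist"
  name=""
  if [ -f "$plist" ]; then
    name=$(sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
  fi
  [ -n "$name" ] || name=$(basename "$1" .app)
  printf '%s\n' "$name"
}

# Emit the signing order, one path per line, innermost first:
#  1. frameworks and dylibs under Contents/Frameworks, deepest path first, so a
#     framework nested inside another is sealed before its parent
#  2. sidecar executables in Contents/MacOS other than the main executable
#  3. the .app bundle itself, whose seal then covers everything signed above
sign_order() {
  app="$1"
  main=$(main_executable "$app")
  if [ -d "$app/Contents/Frameworks" ]; then
    find "$app/Contents/Frameworks" \( -name '*.framework' -o -name '*.dylib' \) \
      | awk -F/ '{ print NF, $0 }' | LC_ALL=C sort -k1,1nr -k2 | cut -d' ' -f2-
  fi
  if [ -d "$app/Contents/MacOS" ]; then
    find "$app/Contents/MacOS" -maxdepth 1 -type f ! -name "$main" | LC_ALL=C sort
  fi
  printf '%s\n' "$app"
}

# Sign every component in that order. --force replaces a stale signature;
# hardened runtime (--options runtime) and a secure --timestamp are what
# notarization expects. No --deep: each component carries its own signature.
sign_bundle() {
  sign_order "$1" | while IFS= read -r path; do
    "$SIGN_CMD" --force --options runtime --timestamp -s "$IDENTITY" "$path" || exit 1
  done
}

# Verify the way the PR discussion does: a strict, deep check of the outer
# bundle, which fails if any embedded component's seal no longer matches.
verify_bundle() {
  "$VERIFY_CMD" --verify --deep --strict -vvv "$1"
}

# Usage (real signing):  IDENTITY="Developer ID Application: ..." ./sign.sh MyApp.app
# Dry run without codesign: SIGN_CMD=echo VERIFY_CMD=echo ./sign.sh MyApp.app
if [ -n "$1" ]; then
  sign_bundle "$1" && verify_bundle "$1"
fi
```

Signing the bundle last matters because the outer seal records the code directory hashes of the already-signed nested components; re-signing a framework afterwards without re-signing the .app produces exactly the "embedded framework contains modified or invalid version" failure seen in this thread.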

@lucasfernog
Member

@tr3ysmith I pushed some changes and it looks nice, but I can't get the framework signature to be approved by the Apple notarization. I'm using our updater integration test to validate it, if you want to run it too, simply configure your signing/notarization environment variables and run cargo test --test '*' -- --ignored in the root of the repository.

notarytool log $ID --key-id $keyId --key $keyPath --issuer $keyIssuer output:

{
  "logFormatVersion": 1,
  "jobId": "$ID",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "app-updater.zip",
  "uploadDate": "2023-09-15T13:06:58.269Z",
  "sha256": "...",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "app-updater.zip/app-updater.app/Contents/MacOS/app-updater",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

codesign -vvv --deep --strict target/debug/bundle/macos/app-updater.app/Contents/MacOS/app-updater output:

--prepared:.../target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework
--validated:.../target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework
target/debug/bundle/macos/app-updater.app/Contents/MacOS/app-updater: embedded framework contains modified or invalid version
In subcomponent: .../target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework

@tr3ysmith
Contributor Author

@lucasfernog that's bizarre, running the test now and I'm getting all passes, but when I run codesign verification, I'm getting

app-updater: code has no resources but signature indicates they must be present

@tr3ysmith
Contributor Author

@lucasfernog this is my test output

$ cargo test --test '*' -- --ignored                                        
    Finished test [unoptimized + debuginfo] target(s) in 0.50s
     Running tests/update.rs (target/debug/deps/update-470349cf2ab872b3)

running 1 test
     Running [tauri_cli] Command `cargo  build --features custom-protocol`
   Compiling app-updater v0.1.0 (/Users/tr3ysmith/Code/tauri/core/tests/app-updater)
    Finished dev [unoptimized + debuginfo] target(s) in 3.13s
    Bundling [tauri_bundler::bundle::macos::app] app-updater.app (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app)
    Bundling [tauri_bundler::bundle::updater_bundle] /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz)
    Finished [tauri_bundler::bundle] 1 bundle at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz (updater)

    Finished [tauri_cli::build] 1 updater signature at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz.sig

     Running [tauri_cli] Command `cargo  build --features custom-protocol`
   Compiling app-updater v0.1.0 (/Users/tr3ysmith/Code/tauri/core/tests/app-updater)
    Finished dev [unoptimized + debuginfo] target(s) in 1.52s
        Warn [tauri_cli::build] The updater is enabled but the bundle target list does not contain `updater`, so the updater artifacts won't be generated.
    Bundling [tauri_bundler::bundle::macos::app] app-updater.app (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app)
    Finished [tauri_bundler::bundle] 1 bundle at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app

@lucasfernog
Member

@lucasfernog this is my test output

$ cargo test --test '*' -- --ignored
    Finished test [unoptimized + debuginfo] target(s) in 0.50s
     Running tests/update.rs (target/debug/deps/update-470349cf2ab872b3)

running 1 test
     Running [tauri_cli] Command `cargo  build --features custom-protocol`
   Compiling app-updater v0.1.0 (/Users/tr3ysmith/Code/tauri/core/tests/app-updater)
    Finished dev [unoptimized + debuginfo] target(s) in 3.13s
    Bundling [tauri_bundler::bundle::macos::app] app-updater.app (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app)
    Bundling [tauri_bundler::bundle::updater_bundle] /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz)
    Finished [tauri_bundler::bundle] 1 bundle at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz (updater)

    Finished [tauri_cli::build] 1 updater signature at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app.tar.gz.sig

     Running [tauri_cli] Command `cargo  build --features custom-protocol`
   Compiling app-updater v0.1.0 (/Users/tr3ysmith/Code/tauri/core/tests/app-updater)
    Finished dev [unoptimized + debuginfo] target(s) in 1.52s
        Warn [tauri_cli::build] The updater is enabled but the bundle target list does not contain `updater`, so the updater artifacts won't be generated.
    Bundling [tauri_bundler::bundle::macos::app] app-updater.app (/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app)
    Finished [tauri_bundler::bundle] 1 bundle at:
        /Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app

There's no signing output here. The app id doesn't matter I think, if it does just change it to something else.

@tr3ysmith
Contributor Author

@lucasfernog my bad, I forgot to set environment variables so I could use my developer account to codesign/notarize, just added that, and now I'm seeing this:

/Users/tr3ysmith/Code/tauri/target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework: the main executable or Info.plist must be a regular file (no symlinks, etc.)

@tr3ysmith
Contributor Author

@lucasfernog I just ran the same codesign function directly on that test.framework and then also on another framework I have in another project, and it's definitely a problem with that test.framework. I wonder if it got stripped somehow of its correct signature.

@lucasfernog
Member

I imagined it was a problem with that test framework, maybe the bundle format is wrong or something.

Btw running the "same command" isn't a good test here, we need to make sure the whole bundling process is working with codesign and notarize.

@tr3ysmith
Contributor Author

@lucasfernog I just created a fresh test framework and it seems to have worked. I'm going to push it up to this pull request now.

@tr3ysmith
Contributor Author

@lucasfernog let me know if this fixes it for you

@lucasfernog
Member

I'll try it as soon as I get home, thank you!

@lucasfernog
Member

@tr3ysmith

Running [tauri_bundler::bundle::common] Command `codesign  --force -s IDENTITY -vvv target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework`
target/debug/bundle/macos/app-updater.app/Contents/Frameworks/test.framework: bundle format is ambiguous (could be app or framework)

Maybe symlinks are behaving a little weird when you push and I pull?

@tr3ysmith
Contributor Author

@lucasfernog if you try doing it on the framework inside the test folder, does it still do the same thing? ./core/tests/app-updater/frameworks

@lucasfernog
Member

Also would be nice if you could set up commit signing, it's a requirement on our repos 😻

@tr3ysmith
Contributor Author

Also would be nice if you could set up commit signing, it's a requirement on our repos 😻

Sorry! I had not realized that wasn't enabled on my end, fixed!

@lucasfernog lucasfernog merged commit dcdbe3e into tauri-apps:1.x Sep 15, 2023
23 checks passed
tr3ysmith added a commit to tr3ysmith/tauri that referenced this pull request Sep 15, 2023
lucasfernog added a commit that referenced this pull request Sep 24, 2023
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Co-authored-by: Lucas Fernandes Nogueira <lucas@tauri.studio>
fix: codesign doesn't sign frameworks or sidecar, closes #7690 (#7774)
jason-crabnebula added a commit to jason-crabnebula/cargo-packager that referenced this pull request Oct 19, 2023
Port of tauri-apps/tauri#7774

Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
amr-crabnebula added a commit to crabnebula-dev/cargo-packager that referenced this pull request Oct 23, 2023
* fix: code sign frameworks and binaries
Port of tauri-apps/tauri#7774

Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>

* fix: create target binary directory before copying

* chore: update error doc

* fix: apply suggestion

Co-authored-by: Amr Bashir <amr@crabnebula.dev>

---------

Co-authored-by: Trey Smith <trey@fulcrum-acoustic.com>
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Co-authored-by: Amr Bashir <amr@crabnebula.dev>