main executable failed strict validation when signing binary on macOS

[jviotti]

I'm getting an error when code-signing a binary produced by pkg on macOS:

main executable failed strict validation

I couldn't find much information about this on the web, but some causes can be (from https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG309):

• Your Mach-O executable does not conform to modern Mach-O layout rules
• You may be using a third party development product that hasn't been brought up to date, or post-processed your file in unsupported ways

Do you know thay may be causing this? codesign succeeds with other binaries.

Steps to reproduce:

git clone https://github.com/resin-io/etcher
cd etcher
make cli-develop
pkg --output etcher -t node6-macos-x64 lib/cli/etcher.js
codesign --sign "<identity>" -fv etcher

[igorklopov]

Same as #66
@leanderlee pointed right about similarity to PyInstaller.
I confirm the bug. It will be solved soon.

[DxCx]

hey @igorklopov any news on this one? i'm having the same issue

[igorklopov]

No timeline on this issue yet. Much to do on C++ land. Keep finger on the pulse of pkg-fetch

[DxCx]

@igorklopov I might be able to help in here, want to elaborate more on what has to be done?

[ryanwalls]

@igorklopov any updates?

[franklinwesley]

Any news on that?

[m00s]

Any plan to solve this issues? Can I help somehow?
This issue is causing me a lot of problems

[dwasyluk]

It seems like the previous rename-and-sign solution #128 (comment) no longer works so I'm back looking for new solutions.

[bompi88]

@dwasyluk I found this. I have not tested it yet, but it looks promising? https://github.com/dgiagio/warp

[bompi88]

This is also some great readings denoland/deno#986 (comment)

[rmcvey]

@bompi88 and anyone else that hasn't checked out warp yet, allow me to save you some time. I spent half a day trying to get a warp build signed last week. Long story short, it doesn't work, failing with the same error that pkg and others produce :(

I spent the rest of the day trying to get to the bottom of the issue and my working theory is that dynamically linked libraries in the public Node builds (which AFAICT all tools of this variety download and utilize) prevent the use of the hardened runtime, which ultimately prevents signing and notarization. Would appreciate clarification/verification.

[saurabh-deep]

@rmcvey - node-packer by @pmq20 works fine for us. We have been using it for a while now. It signs the binaries which are fine even for notarization. So, no issues with the hardened runtime as well. Event the binary size is less than half of what pkg generates.

Only issue is that the project has gone dormant. Latest support there is for Node version 8.x. There was an active fork maintained by @slee047, which has support till Node version 10.x and had some issues with Node 12. Now that fork has also gone dormant as the maintainer has moved on from Node.js to greener pastures.

If only someone (with C/C++ & may be bit of Ruby knowledge) could maintain a fork of node-packer!

Here are the links -

Original node-packer => https://github.com/pmq20/node-packer
Most active fork so far => https://github.com/slee047/node-packer

Hope this helps!

[nor0x]

any news on this issue, has anyone made some progress on correctly signing a binary? I need to sign a binary on macOS and node-packer seems to be abandoned

[saurabh-deep]

@nor0x - We are also in the same boat. Node 10 doesn't work for us anymore, so node-packer is not an option for us anymore. We need to use Node 12 or 14.

We haven't been able to use pure Node.js option suggested by @rmcvey, or the nexe option suggested by @btsimonh. It would be super awesome if someone (who has been able to get this to work) can share with the community by setting up a project or repo with instructions on how others with less knowledge on the subject (like me) can benefit from their hard work. node-packer, pkgand nexe all did the same by sharing their hard work (creating a single binary) with the wider community. I just wish it could happen!

Don't know if Node.js will ever go the Deno way and provide an out-of-the-box method to do this. They even removed support for _third_party_main.js. 😢

[nor0x]

@saurabh-deep thanks for your reply. Unfortunately i'm no js expert, i would be happy to help as much as i can but i guess the initiative should be started by someone with more expertise

[patrickhulce]

If your only goal here is create an executable that can be used as a child process by a dmg that will pass Apple's notarization, I came up with a workaround that should work for you but am afraid to share too publicly for fear it will be frowned upon by Apple (it doesn't involve truly hardening the executable generated by pkg which I've come to understand is impossible given its current approach). If you/your company is stuck in this situation, feel free to DM me for details.

[btsimonh]

haha.. yes.. some of my 'solution' would be blocked if Apple knew...

[saurabh-deep]

If your only goal here is create an executable that can be used as a child process by a dmg that will pass Apple's notarization, I came up with a workaround that should work for you but am afraid to share too publicly for fear it will be frowned upon by Apple (it doesn't involve truly hardening the executable generated by pkg which I've come to understand is impossible given its current approach). If you/your company is stuck in this situation, feel free to DM me for details.

Hey @patrickhulce! Thank you so much for offering the help. I sent you an email just now, with subject "MacOS binary signing / App notarization". Please respond whenever you get a chance. Much appreciated! ❤️

[WestonThayer]

In case other folks are here looking for a workaround and are just distributing a CLI, all the MacOS Gatekeeper checks are bypassed if you download via curl, which shouldn't be a huge UX issue since, you know, users are downloading a CLI.

curl https://example.com/cli/mac -o ExampleCli
./ExampleCli --version

Edit: you'd have to do chmod +x ./ExampleCli in the above example. Alternative is to download a zip where ExampleCli already had the right file perms:

curl https://example.com/cli/mac.zip -o mac.zip && unzip mac.zip && rm mac.zip
./ExampleCli --version

Or run an install script, where install.sh takes care of all the nitty gritty.

curl https://example.com/cli/mac/install.sh | bash

[jesec]

This issue has been resolved by 0b55f9a . Please let me know if it is still relevant.