diff --git a/apple-codesign/CHANGELOG.md b/apple-codesign/CHANGELOG.md index 18570749d..a2ae2e8a6 100644 --- a/apple-codesign/CHANGELOG.md +++ b/apple-codesign/CHANGELOG.md @@ -20,6 +20,11 @@ Released on ReleaseDate. additional Mach-O binaries inside bundles, among other potential changes. Ultimately we want this signing mode to converge with the default behavior of Apple's tooling. +* The `sign` command has gained a `--for-notarization` argument that attempts to + engage and enforce signing settings required for Apple notarization. The goal + of the feature is to cut down on notarization failures after successful + signing operations. If you encounter a notarization failure when using this + new flag, consider filing a bug report. * (API) `BundleSigner` now requires calling `collect_nested_bundles()` to register child bundles for signing instead of signing all nested bundles by default. * aws-config 0.57 -> 1.1. diff --git a/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst b/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst index de4caa4cf..43f7b994a 100644 --- a/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst +++ b/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst @@ -100,6 +100,30 @@ them. They somewhat mirror Apple's official guidance at `Resolving common notarization issues `_, which we highly recommend you read before this documentation. +.. _apple_codesign_notarization_for_notarization: + +Using `sign --for-notarization` +------------------------------- + +The ``rcodesign sign`` command has a ``--for-notarization`` argument that +attempts to engage *Apple notarization compatibility mode*. + +When this flag is used: + +* The signing configuration is validated for notarization compatibility. +* Signing settings are automatically changed to help ensure notarization compatibility. + +This flag is best effort. If you encounter notarization failures when using +this flag that you think could be automatically detected or prevented, +please consider filing a bug report. + +Usage example:: + + rcodesign sign \ + --for-notarization \ + --pem-source developer-id-application.pem \ + MyApp.app + .. _apple_codesign_notarization_problem_apple_first: Notarize with Apple Tooling First diff --git a/apple-codesign/src/certificate.rs b/apple-codesign/src/certificate.rs index 28d764587..197032fee 100644 --- a/apple-codesign/src/certificate.rs +++ b/apple-codesign/src/certificate.rs @@ -900,6 +900,9 @@ pub trait AppleCertificate: Sized { /// certificates as the Organizational Unit field of the subject. So this /// function is just a shortcut for retrieving that. fn apple_team_id(&self) -> Option; + + /// Whether this is a certificate pretending to be signed by an Apple CA but isn't really. + fn is_test_apple_signed_certificate(&self) -> bool; } impl AppleCertificate for CapturedX509Certificate { @@ -1029,6 +1032,15 @@ impl AppleCertificate for CapturedX509Certificate { )) .unwrap_or(None) } + + fn is_test_apple_signed_certificate(&self) -> bool { + if let Ok(digest) = self.sha256_fingerprint() { + hex::encode(digest) + == "5939ad5770d8b977b38d07533754371314744e87a8d606433f689e9bc6b980a0" + } else { + false + } + } } /// Extensions to [X509CertificateBuilder] specializing in Apple certificate behavior. diff --git a/apple-codesign/src/cli/mod.rs b/apple-codesign/src/cli/mod.rs index f42cda101..53e964927 100644 --- a/apple-codesign/src/cli/mod.rs +++ b/apple-codesign/src/cli/mod.rs @@ -1477,6 +1477,27 @@ struct Sign { #[arg(long)] shallow: bool, + /// Indicate that the entity being signed will later be notarized. + /// + /// Notarized software is subject to specific requirements, such as enabling the + /// hardened runtime. + /// + /// The presence of this flag influences signing settings and engages additional + /// checks to help ensure that signed software can be successfully notarized. + /// + /// This flag is best effort. Notarization failures of software signed with + /// this flag may be indicative of bugs in this software. + /// + /// The behavior of this flag is subject to change. As currently implemented, + /// it will: + /// + /// * Require the use of a "Developer ID" signing certificate issued by Apple. + /// * Require the use of a time-stamp server. + /// * Enable the hardened runtime code signature flag on all Mach-O binaries + /// (equivalent to `--code-signature-flags runtime` for all signed paths). + #[arg(long)] + for_notarization: bool, + /// Path to Mach-O binary to sign input_path: PathBuf, @@ -1535,6 +1556,7 @@ impl CliCommand for Sign { } settings.set_shallow(self.shallow); + settings.set_for_notarization(self.for_notarization); for pattern in &self.exclude { settings.add_path_exclusion(pattern)?; @@ -1542,6 +1564,8 @@ impl CliCommand for Sign { ScopedSigningSettings(c.paths.clone()).load_into_settings(&mut settings)?; + settings.ensure_for_notarization_settings()?; + // Settings are locked in. Proceed to sign. let signer = UnifiedSigner::new(settings); diff --git a/apple-codesign/src/error.rs b/apple-codesign/src/error.rs index bfde3e620..bdcd07b6e 100644 --- a/apple-codesign/src/error.rs +++ b/apple-codesign/src/error.rs @@ -286,6 +286,9 @@ pub enum AppleCodesignError { #[error("Could not find App Store Connect API key in default search locations")] AppStoreConnectApiKeyNotFound, + #[error("signing settings are not compatible with notarization")] + ForNotarizationInvalidSettings, + #[error("do not know how to notarize {0}")] NotarizeUnsupportedPath(PathBuf), diff --git a/apple-codesign/src/signing_settings.rs b/apple-codesign/src/signing_settings.rs index 7dc653744..f74ac86c9 100644 --- a/apple-codesign/src/signing_settings.rs +++ b/apple-codesign/src/signing_settings.rs @@ -6,7 +6,7 @@ use { crate::{ - certificate::AppleCertificate, + certificate::{AppleCertificate, CodeSigningCertificateExtension}, code_directory::CodeSignatureFlags, code_requirement::CodeRequirementExpression, cryptography::DigestType, @@ -19,7 +19,7 @@ use { goblin::mach::cputype::{ CpuType, CPU_TYPE_ARM, CPU_TYPE_ARM64, CPU_TYPE_ARM64_32, CPU_TYPE_X86_64, }, - log::info, + log::{error, info}, reqwest::{IntoUrl, Url}, std::{ collections::{BTreeMap, BTreeSet}, @@ -303,6 +303,7 @@ pub struct SigningSettings<'key> { signing_time: Option>, path_exclusion_patterns: Vec, shallow: bool, + for_notarization: bool, // Scope-specific settings. // These are BTreeMap so when we filter the keys, keys with higher precedence come @@ -526,6 +527,19 @@ impl<'key> SigningSettings<'key> { self.shallow = v; } + /// Whether the signed asset will later be notarized. + /// + /// This serves as a hint to engage additional signing settings that are required + /// for an asset to be successfully notarized by Apple. + pub fn for_notarization(&self) -> bool { + self.for_notarization + } + + /// Set whether to engage notarization compatibility mode. + pub fn set_for_notarization(&mut self, v: bool) { + self.for_notarization = v; + } + /// Obtain the primary digest type to use. pub fn digest_type(&self, scope: impl AsRef) -> DigestType { self.digest_type @@ -680,7 +694,21 @@ impl<'key> SigningSettings<'key> { &self, scope: impl AsRef, ) -> Option { - self.code_signature_flags.get(scope.as_ref()).copied() + let mut flags = self.code_signature_flags.get(scope.as_ref()).copied(); + + if self.for_notarization { + flags.get_or_insert(CodeSignatureFlags::default()); + + flags.as_mut().map(|flags| { + if !flags.contains(CodeSignatureFlags::RUNTIME) { + info!("adding hardened runtime flag because notarization mode enabled"); + } + + flags.insert(CodeSignatureFlags::RUNTIME); + }); + } + + flags } /// Set code signature flags for signed Mach-O binaries. @@ -1245,6 +1273,7 @@ impl<'key> SigningSettings<'key> { team_id: self.team_id.clone(), path_exclusion_patterns: self.path_exclusion_patterns.clone(), shallow: self.shallow, + for_notarization: self.for_notarization, digest_type: self .digest_type .clone() @@ -1352,6 +1381,49 @@ impl<'key> SigningSettings<'key> { .collect::>(), } } + + /// Attempt to validate the settings consistency when the `for notarization` flag is set. + /// + /// On error, logs errors at error level and returns an Err. + pub fn ensure_for_notarization_settings(&self) -> Result<(), AppleCodesignError> { + if !self.for_notarization { + return Ok(()); + } + + let mut have_error = false; + + if let Some((_, cert)) = self.signing_key() { + if !cert.chains_to_apple_root_ca() && !cert.is_test_apple_signed_certificate() { + error!("--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple"); + error!("hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority"); + have_error = true; + } + + if !cert.apple_code_signing_extensions().into_iter().any(|e| { + e == CodeSigningCertificateExtension::DeveloperIdApplication + || e == CodeSigningCertificateExtension::DeveloperIdInstaller + || e == CodeSigningCertificateExtension::DeveloperIdKernel {} + }) { + error!("--for-notarization requires use of a Developer ID signing certificate; current certificate doesn't appear to be such a certificate"); + error!("hint: use a `Developer ID Application`, `Developer ID Installer`, or `Developer ID Kernel` certificate"); + have_error = true; + } + + if self.time_stamp_url().is_none() { + error!("--for-notarization requires use of a time-stamp protocol server; none configured"); + have_error = true; + } + } else { + error!("--for-notarization requires use of a Developer ID signing certificate; no signing certificate was provided"); + have_error = true; + } + + if have_error { + Err(AppleCodesignError::ForNotarizationInvalidSettings) + } else { + Ok(()) + } + } } #[cfg(test)] @@ -1602,4 +1674,24 @@ mod tests { Ok(()) } + + #[test] + fn for_notarization_handling() -> Result<(), AppleCodesignError> { + let mut settings = SigningSettings::default(); + settings.set_for_notarization(true); + + assert_eq!( + settings.code_signature_flags(SettingsScope::Main), + Some(CodeSignatureFlags::RUNTIME) + ); + + assert_eq!( + settings + .as_bundle_macho_settings("") + .code_signature_flags(SettingsScope::Main), + Some(CodeSignatureFlags::RUNTIME) + ); + + Ok(()) + } } diff --git a/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem b/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem new file mode 100644 index 000000000..91a75beb1 --- /dev/null +++ b/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem @@ -0,0 +1,51 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCxB3u9PkOjy9K7 +vaqeAQ7OUmBEtx01NjzUn4LEe5BTL0/bh02KxG+edlaVOmdeMF8nff89yrP6k3L+ +lA7p19uzACxjEYowytUyeLf1RCF9z+6rEeIAqW7+PEYH+yeiOrdSzd5DIaf/PGYk +KxhHyp9OuAS8CDimfvXBRV7PmpKMj+ostOy0Tlj6po1+Nci+SepZRNP/YdFTi0Yd +q9B/FztslFhvX/Ffc8rhmP8GQ8lPJqJOBcLss+aKAz9slFCzVahqmqXu8rz1b3E/ +5JHv5RFFBxgvwuXWaiO1mLTn62tIWTiG5rmR0xqJ4VucXk9DvOEAt1CxOBVupXOd +5IDt+qZ7AgMBAAECggEAH8IU6704yzCsjGuZKSFNc6wJgypKfhpNzWMURYVZPeMV +828RdRyKXaYjIEBK/PW2jFIpMP+lTAWZspwDFOZZjoIwdFFYNiqdFqHbdo+TZouf +6Gab4byDoe5ULehbktnvu1YdUnO+PKasOD7W60IpVCjlCIp9Bzltgw+b06iKM9bt +KIPvBXDRgIp6eSBzJFxzj3zmdnSQn1OSF4V4oQt6gbR3NCJIcNyLXL1gEqtKg/AS +swbpOVrPpXWd2x3gND8zvHD90vEiIesDNoSXKlclvLpQ30tkhkFh78xSe5sW7XEL +hIKOExm+VCHoXTdjZnuCkXBkUIkek8T0KNs7A3LgeQKBgQDQXIDvGwzDhR+bdG5C +azKI7SSqvIVpSngfGDCL8OLkYcoOwSClPOwZbY+UCXLppjrkoCD6QwJQ6CyCJwCK +n9hAAWazOQPaerS3zbq2ig+HCQg12zZZ9/oXe7C/sRsq02phxV2+Km+v4uIyalQ9 +qGsywA1PN4/mFJ3H0w0QZXV3bwKBgQDZgRhegfulaWvK6x93EJ+UjLYv2d1oBBsn +/87Vif/q14Ms0RNSmUPy1c8WuF8ZYOD4d7S+jcc/92JZWwJK+8pm6pHazdIIPCAP +GCcp9fkS6gOu4twdC6oz34mJ3lqdmHKHz+0hhC2JqV1uwvPS5k/DcKfKR2+ifxQE +xCBocLObtQKBgGWLH17n3OGQiCXXqUB/Q6KNh9gZhh8ZJs9ol4grvje1HKbyIfnF +Zf7CcT2hGTqbQ4pWK5wref56F+7aGR515grTY/ymJaWdNWN6RKtfP0/8695rVeKk +wmIdarcRFf9aBzdc22GpBsM+HCSbwzBFWvDhvdrEZkGn/Hj89xntiEDLAoGAb1sR +r+kafkBv6I7iKCJBoVs9N1hya3uWr67fJSKm/IPj68ELBIHlcOEYSkiQn7yi0XLv +/ZM2zMAKATeAAAXTRUeY7w3rFz45J6E1A92j7JQU2KfbC5/aPv6WOxi1CfRvxqqk +fEFg0xb79+Yl0PcLJUN7FCvosqgfBqWm9fGlcvUCgYAYvALoZPz2z6zzqURDKPWk +lkrW8nQVFg0eeTJNBiU1ipXS28oEGQISdjlYCHD1Ds3W8JHav/i6QnCaAXb5PtHd +DlylI7U+tSZaC83+oPu/BaKVUO9n9e0mqj2oCD7W2gTBazac3d9F1ncfSkEhpDSB +i6+0+GL62SGnzAF52ajf0g== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIID4DCCAsigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBizEYMBYGCgmSJomT8ixk +AQEMCGRlYWRiZWVmMTkwNwYDVQQDDDBEZXZlbG9wZXIgSUQgQXBwbGljYXRpb246 +IEpvaG4gU2lnbmVyIChkZWFkYmVlZikxETAPBgNVBAsMCGRlYWRiZWVmMRQwEgYD +VQQKDAtKb2huIFNpZ25lcjELMAkGA1UEBhMCWFgwHhcNMjQwMTE3MDI0ODE2WhcN +MzcwOTI1MDI0ODE2WjCBizEYMBYGCgmSJomT8ixkAQEMCGRlYWRiZWVmMTkwNwYD +VQQDDDBEZXZlbG9wZXIgSUQgQXBwbGljYXRpb246IEpvaG4gU2lnbmVyIChkZWFk +YmVlZikxETAPBgNVBAsMCGRlYWRiZWVmMRQwEgYDVQQKDAtKb2huIFNpZ25lcjEL +MAkGA1UEBhMCWFgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxB3u9 +PkOjy9K7vaqeAQ7OUmBEtx01NjzUn4LEe5BTL0/bh02KxG+edlaVOmdeMF8nff89 +yrP6k3L+lA7p19uzACxjEYowytUyeLf1RCF9z+6rEeIAqW7+PEYH+yeiOrdSzd5D +Iaf/PGYkKxhHyp9OuAS8CDimfvXBRV7PmpKMj+ostOy0Tlj6po1+Nci+SepZRNP/ +YdFTi0Ydq9B/FztslFhvX/Ffc8rhmP8GQ8lPJqJOBcLss+aKAz9slFCzVahqmqXu +8rz1b3E/5JHv5RFFBxgvwuXWaiO1mLTn62tIWTiG5rmR0xqJ4VucXk9DvOEAt1Cx +OBVupXOd5IDt+qZ7AgMBAAGjTTBLMAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAww +CgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgeAMBMGCiqGSIb3Y2QGAQ0BAf8EAgUA +MA0GCSqGSIb3DQEBCwUAA4IBAQCGzLhwja5AWKrla/VNjhXdKFiendu1VnGBwFQr +WtMVSlXirqjG32WaayFJAjtp3MfXgLD6Yu2isB6I06LimuET4e2jR9nHcxtgZZ0B +iowzgoNi+OA9sUSuZyrgzHwO7+tRmMroaMSURrzwCsffFIiiL8thgvZFZvtCRKm8 +7pHzhvIGmjc5BYY8TB3BoWPZiqZAXY1cpw66gPVi2pQ6zitUtv1C3gzwLxQMDtnn +SWm4XWWeihFcL6KgHxPqgnJ9YsRGjDbJ5LcrYk+uinXxSgzhv2Jlq+KD0VxvM6xr +foxvH3jp8ISnTYjajhPQ8zekYE5iZN+GPtF0RjmtQ6RMlweR +-----END CERTIFICATE----- diff --git a/apple-codesign/tests/cmd/sign-for-notarization.trycmd b/apple-codesign/tests/cmd/sign-for-notarization.trycmd new file mode 100644 index 000000000..de0abab38 --- /dev/null +++ b/apple-codesign/tests/cmd/sign-for-notarization.trycmd @@ -0,0 +1,137 @@ +Sign a bundle containing multiple Mach-O binaries. + +``` +$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/MyApp + +$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/bin +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/bin + +$ rcodesign debug-create-macho --file-type dylib MyApp.app/Contents/MacOS/lib.dylib +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/lib.dylib + +$ rcodesign debug-create-macho MyApp.app/Contents/Resources/non-nested-bin +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/Resources/non-nested-bin + +$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist +writing MyApp.app/Contents/Info.plist + +$ rcodesign sign --for-notarization MyApp.app MyApp.app.signed +? 1 +--for-notarization requires use of a Developer ID signing certificate; no signing certificate was provided +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-apple-development.pem MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-apple-development.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +--for-notarization requires use of a Developer ID signing certificate; current certificate doesn't appear to be such a certificate +hint: use a `Developer ID Application`, `Developer ID Installer`, or `Developer ID Kernel` certificate +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-developer-id-application.pem MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-developer-id-application.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-developer-id-application.pem --timestamp-url none MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-developer-id-application.pem +registering signing key +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +--for-notarization requires use of a time-stamp protocol server; none configured +Error: signing settings are not compatible with notarization + +$ rcodesign sign -v --for-notarization --signing-time 2024-01-01T00:00:00Z --pem-source src/testdata/self-signed-rsa-developer-id-application2.pem MyApp.app MyApp.app.signed +reading PEM data from src/testdata/self-signed-rsa-developer-id-application2.pem +adding private key from src/testdata/self-signed-rsa-developer-id-application2.pem +adding certificate from src/testdata/self-signed-rsa-developer-id-application2.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +signing MyApp.app to MyApp.app.signed +signing bundle at MyApp.app +signing bundle at MyApp.app into MyApp.app.signed +collecting code resources files +copying file MyApp.app/Contents/Info.plist -> MyApp.app.signed/Contents/Info.plist +sealing nested Mach-O binary: Contents/MacOS/bin +signing Mach-O file Contents/MacOS/bin +setting binary identifier based on path: bin +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/MacOS/bin +sealing nested Mach-O binary: Contents/MacOS/lib.dylib +signing Mach-O file Contents/MacOS/lib.dylib +setting binary identifier based on path: lib +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/MacOS/lib.dylib +non-nested file is a Mach-O binary; signing accordingly Contents/Resources/non-nested-bin +signing Mach-O file Contents/Resources/non-nested-bin +setting binary identifier based on path: non-nested-bin +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/Resources/non-nested-bin +writing sealed resources to MyApp.app.signed/Contents/_CodeSignature/CodeResources +signing main executable Contents/MacOS/MyApp +setting main executable binary identifier to com.example.mybundle (derived from CFBundleIdentifier in Info.plist) +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing signed main executable to MyApp.app.signed/Contents/MacOS/MyApp + +``` diff --git a/apple-codesign/tests/cmd/sign.trycmd b/apple-codesign/tests/cmd/sign.trycmd index 8965467a0..ec22fd6ff 100644 --- a/apple-codesign/tests/cmd/sign.trycmd +++ b/apple-codesign/tests/cmd/sign.trycmd @@ -346,6 +346,19 @@ Options: Activating shallow signing mode can result in signing failures if the skipped nested entities aren't signed. For example, when signing an application bundle containing an unsigned nested bundle/framework, signing will fail with an error about a missing code signature. Always be sure to sign nested entities before their parents when this mode is activated. + --for-notarization + Indicate that the entity being signed will later be notarized. + + Notarized software is subject to specific requirements, such as enabling the hardened runtime. + + The presence of this flag influences signing settings and engages additional checks to help ensure that signed software can be successfully notarized. + + This flag is best effort. Notarization failures of software signed with this flag may be indicative of bugs in this software. + + The behavior of this flag is subject to change. As currently implemented, it will: + + * Require the use of a "Developer ID" signing certificate issued by Apple. * Require the use of a time-stamp server. * Enable the hardened runtime code signature flag on all Mach-O binaries (equivalent to `--code-signature-flags runtime` for all signed paths). + --smartcard-slot Smartcard slot number of signing certificate to use (9c is common)