From 8e1110607ed78966062fad8f6bc0a0a6cef546bf Mon Sep 17 00:00:00 2001 From: Gregory Szorc Date: Tue, 16 Jan 2024 20:43:56 -0800 Subject: [PATCH] apple-codesign: implement a sign --for-notarization mode Getting software to pass Apple's notarization requirements can be subtly difficult and often requires multiple failed notarization attempts before success. This commit introduces a `sign --for-notarization` flag that attempts to validate and engage signing settings to help ensure signed software passes notarization. The logic is best effort and I'm sure there are gaps. But for now, it seems better than nothing. Related to #118. --- apple-codesign/CHANGELOG.md | 5 + .../apple_codesign_rcodesign_notarizing.rst | 24 +++ apple-codesign/src/certificate.rs | 12 ++ apple-codesign/src/cli/mod.rs | 24 +++ apple-codesign/src/error.rs | 3 + apple-codesign/src/signing_settings.rs | 98 ++++++++++++- ...f-signed-rsa-developer-id-application2.pem | 51 +++++++ .../tests/cmd/sign-for-notarization.trycmd | 137 ++++++++++++++++++ apple-codesign/tests/cmd/sign.trycmd | 13 ++ 9 files changed, 364 insertions(+), 3 deletions(-) create mode 100644 apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem create mode 100644 apple-codesign/tests/cmd/sign-for-notarization.trycmd diff --git a/apple-codesign/CHANGELOG.md b/apple-codesign/CHANGELOG.md index 18570749d..a2ae2e8a6 100644 --- a/apple-codesign/CHANGELOG.md +++ b/apple-codesign/CHANGELOG.md @@ -20,6 +20,11 @@ Released on ReleaseDate. additional Mach-O binaries inside bundles, among other potential changes. Ultimately we want this signing mode to converge with the default behavior of Apple's tooling. +* The `sign` command has gained a `--for-notarization` argument that attempts to + engage and enforce signing settings required for Apple notarization. The goal + of the feature is to cut down on notarization failures after successful + signing operations. If you encounter a notarization failure when using this + new flag, consider filing a bug report. * (API) `BundleSigner` now requires calling `collect_nested_bundles()` to register child bundles for signing instead of signing all nested bundles by default. * aws-config 0.57 -> 1.1. diff --git a/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst b/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst index de4caa4cf..43f7b994a 100644 --- a/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst +++ b/apple-codesign/docs/apple_codesign_rcodesign_notarizing.rst @@ -100,6 +100,30 @@ them. They somewhat mirror Apple's official guidance at `Resolving common notarization issues `_, which we highly recommend you read before this documentation. +.. _apple_codesign_notarization_for_notarization: + +Using `sign --for-notarization` +------------------------------- + +The ``rcodesign sign`` command has a ``--for-notarization`` argument that +attempts to engage *Apple notarization compatibility mode*. + +When this flag is used: + +* The signing configuration is validated for notarization compatibility. +* Signing settings are automatically changed to help ensure notarization compatibility. + +This flag is best effort. If you encounter notarization failures when using +this flag that you think could be automatically detected or prevented, +please consider filing a bug report. + +Usage example:: + + rcodesign sign \ + --for-notarization \ + --pem-source developer-id-application.pem \ + MyApp.app + .. _apple_codesign_notarization_problem_apple_first: Notarize with Apple Tooling First diff --git a/apple-codesign/src/certificate.rs b/apple-codesign/src/certificate.rs index 28d764587..197032fee 100644 --- a/apple-codesign/src/certificate.rs +++ b/apple-codesign/src/certificate.rs @@ -900,6 +900,9 @@ pub trait AppleCertificate: Sized { /// certificates as the Organizational Unit field of the subject. So this /// function is just a shortcut for retrieving that. fn apple_team_id(&self) -> Option; + + /// Whether this is a certificate pretending to be signed by an Apple CA but isn't really. + fn is_test_apple_signed_certificate(&self) -> bool; } impl AppleCertificate for CapturedX509Certificate { @@ -1029,6 +1032,15 @@ impl AppleCertificate for CapturedX509Certificate { )) .unwrap_or(None) } + + fn is_test_apple_signed_certificate(&self) -> bool { + if let Ok(digest) = self.sha256_fingerprint() { + hex::encode(digest) + == "5939ad5770d8b977b38d07533754371314744e87a8d606433f689e9bc6b980a0" + } else { + false + } + } } /// Extensions to [X509CertificateBuilder] specializing in Apple certificate behavior. diff --git a/apple-codesign/src/cli/mod.rs b/apple-codesign/src/cli/mod.rs index f42cda101..53e964927 100644 --- a/apple-codesign/src/cli/mod.rs +++ b/apple-codesign/src/cli/mod.rs @@ -1477,6 +1477,27 @@ struct Sign { #[arg(long)] shallow: bool, + /// Indicate that the entity being signed will later be notarized. + /// + /// Notarized software is subject to specific requirements, such as enabling the + /// hardened runtime. + /// + /// The presence of this flag influences signing settings and engages additional + /// checks to help ensure that signed software can be successfully notarized. + /// + /// This flag is best effort. Notarization failures of software signed with + /// this flag may be indicative of bugs in this software. + /// + /// The behavior of this flag is subject to change. As currently implemented, + /// it will: + /// + /// * Require the use of a "Developer ID" signing certificate issued by Apple. + /// * Require the use of a time-stamp server. + /// * Enable the hardened runtime code signature flag on all Mach-O binaries + /// (equivalent to `--code-signature-flags runtime` for all signed paths). + #[arg(long)] + for_notarization: bool, + /// Path to Mach-O binary to sign input_path: PathBuf, @@ -1535,6 +1556,7 @@ impl CliCommand for Sign { } settings.set_shallow(self.shallow); + settings.set_for_notarization(self.for_notarization); for pattern in &self.exclude { settings.add_path_exclusion(pattern)?; @@ -1542,6 +1564,8 @@ impl CliCommand for Sign { ScopedSigningSettings(c.paths.clone()).load_into_settings(&mut settings)?; + settings.ensure_for_notarization_settings()?; + // Settings are locked in. Proceed to sign. let signer = UnifiedSigner::new(settings); diff --git a/apple-codesign/src/error.rs b/apple-codesign/src/error.rs index bfde3e620..bdcd07b6e 100644 --- a/apple-codesign/src/error.rs +++ b/apple-codesign/src/error.rs @@ -286,6 +286,9 @@ pub enum AppleCodesignError { #[error("Could not find App Store Connect API key in default search locations")] AppStoreConnectApiKeyNotFound, + #[error("signing settings are not compatible with notarization")] + ForNotarizationInvalidSettings, + #[error("do not know how to notarize {0}")] NotarizeUnsupportedPath(PathBuf), diff --git a/apple-codesign/src/signing_settings.rs b/apple-codesign/src/signing_settings.rs index 7dc653744..f74ac86c9 100644 --- a/apple-codesign/src/signing_settings.rs +++ b/apple-codesign/src/signing_settings.rs @@ -6,7 +6,7 @@ use { crate::{ - certificate::AppleCertificate, + certificate::{AppleCertificate, CodeSigningCertificateExtension}, code_directory::CodeSignatureFlags, code_requirement::CodeRequirementExpression, cryptography::DigestType, @@ -19,7 +19,7 @@ use { goblin::mach::cputype::{ CpuType, CPU_TYPE_ARM, CPU_TYPE_ARM64, CPU_TYPE_ARM64_32, CPU_TYPE_X86_64, }, - log::info, + log::{error, info}, reqwest::{IntoUrl, Url}, std::{ collections::{BTreeMap, BTreeSet}, @@ -303,6 +303,7 @@ pub struct SigningSettings<'key> { signing_time: Option>, path_exclusion_patterns: Vec, shallow: bool, + for_notarization: bool, // Scope-specific settings. // These are BTreeMap so when we filter the keys, keys with higher precedence come @@ -526,6 +527,19 @@ impl<'key> SigningSettings<'key> { self.shallow = v; } + /// Whether the signed asset will later be notarized. + /// + /// This serves as a hint to engage additional signing settings that are required + /// for an asset to be successfully notarized by Apple. + pub fn for_notarization(&self) -> bool { + self.for_notarization + } + + /// Set whether to engage notarization compatibility mode. + pub fn set_for_notarization(&mut self, v: bool) { + self.for_notarization = v; + } + /// Obtain the primary digest type to use. pub fn digest_type(&self, scope: impl AsRef) -> DigestType { self.digest_type @@ -680,7 +694,21 @@ impl<'key> SigningSettings<'key> { &self, scope: impl AsRef, ) -> Option { - self.code_signature_flags.get(scope.as_ref()).copied() + let mut flags = self.code_signature_flags.get(scope.as_ref()).copied(); + + if self.for_notarization { + flags.get_or_insert(CodeSignatureFlags::default()); + + flags.as_mut().map(|flags| { + if !flags.contains(CodeSignatureFlags::RUNTIME) { + info!("adding hardened runtime flag because notarization mode enabled"); + } + + flags.insert(CodeSignatureFlags::RUNTIME); + }); + } + + flags } /// Set code signature flags for signed Mach-O binaries. @@ -1245,6 +1273,7 @@ impl<'key> SigningSettings<'key> { team_id: self.team_id.clone(), path_exclusion_patterns: self.path_exclusion_patterns.clone(), shallow: self.shallow, + for_notarization: self.for_notarization, digest_type: self .digest_type .clone() @@ -1352,6 +1381,49 @@ impl<'key> SigningSettings<'key> { .collect::>(), } } + + /// Attempt to validate the settings consistency when the `for notarization` flag is set. + /// + /// On error, logs errors at error level and returns an Err. + pub fn ensure_for_notarization_settings(&self) -> Result<(), AppleCodesignError> { + if !self.for_notarization { + return Ok(()); + } + + let mut have_error = false; + + if let Some((_, cert)) = self.signing_key() { + if !cert.chains_to_apple_root_ca() && !cert.is_test_apple_signed_certificate() { + error!("--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple"); + error!("hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority"); + have_error = true; + } + + if !cert.apple_code_signing_extensions().into_iter().any(|e| { + e == CodeSigningCertificateExtension::DeveloperIdApplication + || e == CodeSigningCertificateExtension::DeveloperIdInstaller + || e == CodeSigningCertificateExtension::DeveloperIdKernel {} + }) { + error!("--for-notarization requires use of a Developer ID signing certificate; current certificate doesn't appear to be such a certificate"); + error!("hint: use a `Developer ID Application`, `Developer ID Installer`, or `Developer ID Kernel` certificate"); + have_error = true; + } + + if self.time_stamp_url().is_none() { + error!("--for-notarization requires use of a time-stamp protocol server; none configured"); + have_error = true; + } + } else { + error!("--for-notarization requires use of a Developer ID signing certificate; no signing certificate was provided"); + have_error = true; + } + + if have_error { + Err(AppleCodesignError::ForNotarizationInvalidSettings) + } else { + Ok(()) + } + } } #[cfg(test)] @@ -1602,4 +1674,24 @@ mod tests { Ok(()) } + + #[test] + fn for_notarization_handling() -> Result<(), AppleCodesignError> { + let mut settings = SigningSettings::default(); + settings.set_for_notarization(true); + + assert_eq!( + settings.code_signature_flags(SettingsScope::Main), + Some(CodeSignatureFlags::RUNTIME) + ); + + assert_eq!( + settings + .as_bundle_macho_settings("") + .code_signature_flags(SettingsScope::Main), + Some(CodeSignatureFlags::RUNTIME) + ); + + Ok(()) + } } diff --git a/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem b/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem new file mode 100644 index 000000000..91a75beb1 --- /dev/null +++ b/apple-codesign/src/testdata/self-signed-rsa-developer-id-application2.pem @@ -0,0 +1,51 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCxB3u9PkOjy9K7 +vaqeAQ7OUmBEtx01NjzUn4LEe5BTL0/bh02KxG+edlaVOmdeMF8nff89yrP6k3L+ +lA7p19uzACxjEYowytUyeLf1RCF9z+6rEeIAqW7+PEYH+yeiOrdSzd5DIaf/PGYk +KxhHyp9OuAS8CDimfvXBRV7PmpKMj+ostOy0Tlj6po1+Nci+SepZRNP/YdFTi0Yd +q9B/FztslFhvX/Ffc8rhmP8GQ8lPJqJOBcLss+aKAz9slFCzVahqmqXu8rz1b3E/ +5JHv5RFFBxgvwuXWaiO1mLTn62tIWTiG5rmR0xqJ4VucXk9DvOEAt1CxOBVupXOd +5IDt+qZ7AgMBAAECggEAH8IU6704yzCsjGuZKSFNc6wJgypKfhpNzWMURYVZPeMV +828RdRyKXaYjIEBK/PW2jFIpMP+lTAWZspwDFOZZjoIwdFFYNiqdFqHbdo+TZouf +6Gab4byDoe5ULehbktnvu1YdUnO+PKasOD7W60IpVCjlCIp9Bzltgw+b06iKM9bt +KIPvBXDRgIp6eSBzJFxzj3zmdnSQn1OSF4V4oQt6gbR3NCJIcNyLXL1gEqtKg/AS +swbpOVrPpXWd2x3gND8zvHD90vEiIesDNoSXKlclvLpQ30tkhkFh78xSe5sW7XEL +hIKOExm+VCHoXTdjZnuCkXBkUIkek8T0KNs7A3LgeQKBgQDQXIDvGwzDhR+bdG5C +azKI7SSqvIVpSngfGDCL8OLkYcoOwSClPOwZbY+UCXLppjrkoCD6QwJQ6CyCJwCK +n9hAAWazOQPaerS3zbq2ig+HCQg12zZZ9/oXe7C/sRsq02phxV2+Km+v4uIyalQ9 +qGsywA1PN4/mFJ3H0w0QZXV3bwKBgQDZgRhegfulaWvK6x93EJ+UjLYv2d1oBBsn +/87Vif/q14Ms0RNSmUPy1c8WuF8ZYOD4d7S+jcc/92JZWwJK+8pm6pHazdIIPCAP +GCcp9fkS6gOu4twdC6oz34mJ3lqdmHKHz+0hhC2JqV1uwvPS5k/DcKfKR2+ifxQE +xCBocLObtQKBgGWLH17n3OGQiCXXqUB/Q6KNh9gZhh8ZJs9ol4grvje1HKbyIfnF +Zf7CcT2hGTqbQ4pWK5wref56F+7aGR515grTY/ymJaWdNWN6RKtfP0/8695rVeKk +wmIdarcRFf9aBzdc22GpBsM+HCSbwzBFWvDhvdrEZkGn/Hj89xntiEDLAoGAb1sR +r+kafkBv6I7iKCJBoVs9N1hya3uWr67fJSKm/IPj68ELBIHlcOEYSkiQn7yi0XLv +/ZM2zMAKATeAAAXTRUeY7w3rFz45J6E1A92j7JQU2KfbC5/aPv6WOxi1CfRvxqqk +fEFg0xb79+Yl0PcLJUN7FCvosqgfBqWm9fGlcvUCgYAYvALoZPz2z6zzqURDKPWk +lkrW8nQVFg0eeTJNBiU1ipXS28oEGQISdjlYCHD1Ds3W8JHav/i6QnCaAXb5PtHd +DlylI7U+tSZaC83+oPu/BaKVUO9n9e0mqj2oCD7W2gTBazac3d9F1ncfSkEhpDSB +i6+0+GL62SGnzAF52ajf0g== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIID4DCCAsigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBizEYMBYGCgmSJomT8ixk +AQEMCGRlYWRiZWVmMTkwNwYDVQQDDDBEZXZlbG9wZXIgSUQgQXBwbGljYXRpb246 +IEpvaG4gU2lnbmVyIChkZWFkYmVlZikxETAPBgNVBAsMCGRlYWRiZWVmMRQwEgYD +VQQKDAtKb2huIFNpZ25lcjELMAkGA1UEBhMCWFgwHhcNMjQwMTE3MDI0ODE2WhcN +MzcwOTI1MDI0ODE2WjCBizEYMBYGCgmSJomT8ixkAQEMCGRlYWRiZWVmMTkwNwYD +VQQDDDBEZXZlbG9wZXIgSUQgQXBwbGljYXRpb246IEpvaG4gU2lnbmVyIChkZWFk +YmVlZikxETAPBgNVBAsMCGRlYWRiZWVmMRQwEgYDVQQKDAtKb2huIFNpZ25lcjEL +MAkGA1UEBhMCWFgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxB3u9 +PkOjy9K7vaqeAQ7OUmBEtx01NjzUn4LEe5BTL0/bh02KxG+edlaVOmdeMF8nff89 +yrP6k3L+lA7p19uzACxjEYowytUyeLf1RCF9z+6rEeIAqW7+PEYH+yeiOrdSzd5D +Iaf/PGYkKxhHyp9OuAS8CDimfvXBRV7PmpKMj+ostOy0Tlj6po1+Nci+SepZRNP/ +YdFTi0Ydq9B/FztslFhvX/Ffc8rhmP8GQ8lPJqJOBcLss+aKAz9slFCzVahqmqXu +8rz1b3E/5JHv5RFFBxgvwuXWaiO1mLTn62tIWTiG5rmR0xqJ4VucXk9DvOEAt1Cx +OBVupXOd5IDt+qZ7AgMBAAGjTTBLMAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAww +CgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgeAMBMGCiqGSIb3Y2QGAQ0BAf8EAgUA +MA0GCSqGSIb3DQEBCwUAA4IBAQCGzLhwja5AWKrla/VNjhXdKFiendu1VnGBwFQr +WtMVSlXirqjG32WaayFJAjtp3MfXgLD6Yu2isB6I06LimuET4e2jR9nHcxtgZZ0B +iowzgoNi+OA9sUSuZyrgzHwO7+tRmMroaMSURrzwCsffFIiiL8thgvZFZvtCRKm8 +7pHzhvIGmjc5BYY8TB3BoWPZiqZAXY1cpw66gPVi2pQ6zitUtv1C3gzwLxQMDtnn +SWm4XWWeihFcL6KgHxPqgnJ9YsRGjDbJ5LcrYk+uinXxSgzhv2Jlq+KD0VxvM6xr +foxvH3jp8ISnTYjajhPQ8zekYE5iZN+GPtF0RjmtQ6RMlweR +-----END CERTIFICATE----- diff --git a/apple-codesign/tests/cmd/sign-for-notarization.trycmd b/apple-codesign/tests/cmd/sign-for-notarization.trycmd new file mode 100644 index 000000000..de0abab38 --- /dev/null +++ b/apple-codesign/tests/cmd/sign-for-notarization.trycmd @@ -0,0 +1,137 @@ +Sign a bundle containing multiple Mach-O binaries. + +``` +$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/MyApp + +$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/bin +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/bin + +$ rcodesign debug-create-macho --file-type dylib MyApp.app/Contents/MacOS/lib.dylib +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/MacOS/lib.dylib + +$ rcodesign debug-create-macho MyApp.app/Contents/Resources/non-nested-bin +assuming default minimum version 11.0.0 +writing Mach-O to MyApp.app/Contents/Resources/non-nested-bin + +$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist +writing MyApp.app/Contents/Info.plist + +$ rcodesign sign --for-notarization MyApp.app MyApp.app.signed +? 1 +--for-notarization requires use of a Developer ID signing certificate; no signing certificate was provided +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-apple-development.pem MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-apple-development.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +--for-notarization requires use of a Developer ID signing certificate; current certificate doesn't appear to be such a certificate +hint: use a `Developer ID Application`, `Developer ID Installer`, or `Developer ID Kernel` certificate +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-developer-id-application.pem MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-developer-id-application.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +Error: signing settings are not compatible with notarization + +$ rcodesign sign --for-notarization --pem-source src/testdata/self-signed-rsa-developer-id-application.pem --timestamp-url none MyApp.app MyApp.app.signed +? 1 +reading PEM data from src/testdata/self-signed-rsa-developer-id-application.pem +registering signing key +--for-notarization requires use of an Apple-issued signing certificate; current certificate is not signed by Apple +hint: use a signing certificate issued by Apple that is signed by an Apple certificate authority +--for-notarization requires use of a time-stamp protocol server; none configured +Error: signing settings are not compatible with notarization + +$ rcodesign sign -v --for-notarization --signing-time 2024-01-01T00:00:00Z --pem-source src/testdata/self-signed-rsa-developer-id-application2.pem MyApp.app MyApp.app.signed +reading PEM data from src/testdata/self-signed-rsa-developer-id-application2.pem +adding private key from src/testdata/self-signed-rsa-developer-id-application2.pem +adding certificate from src/testdata/self-signed-rsa-developer-id-application2.pem +registering signing key +using time-stamp protocol server http://timestamp.apple.com/ts01 +signing MyApp.app to MyApp.app.signed +signing bundle at MyApp.app +signing bundle at MyApp.app into MyApp.app.signed +collecting code resources files +copying file MyApp.app/Contents/Info.plist -> MyApp.app.signed/Contents/Info.plist +sealing nested Mach-O binary: Contents/MacOS/bin +signing Mach-O file Contents/MacOS/bin +setting binary identifier based on path: bin +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/MacOS/bin +sealing nested Mach-O binary: Contents/MacOS/lib.dylib +signing Mach-O file Contents/MacOS/lib.dylib +setting binary identifier based on path: lib +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/MacOS/lib.dylib +non-nested file is a Mach-O binary; signing accordingly Contents/Resources/non-nested-bin +signing Mach-O file Contents/Resources/non-nested-bin +setting binary identifier based on path: non-nested-bin +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing Mach-O to MyApp.app.signed/Contents/Resources/non-nested-bin +writing sealed resources to MyApp.app.signed/Contents/_CodeSignature/CodeResources +signing main executable Contents/MacOS/MyApp +setting main executable binary identifier to com.example.mybundle (derived from CFBundleIdentifier in Info.plist) +inferring default signing settings from Mach-O binary +signing Mach-O binary at index 0 +deriving code requirements from signing certificate +deriving code requirements from signing certificate +binary targets macOS >= 11.0.0 with SDK 11.0.0 +adding hardened runtime flag because notarization mode enabled +adding code signature flags from signing settings: CodeSignatureFlags(RUNTIME) +using hardened runtime version 11.0.0 derived from SDK version +code directory version: 132352 +creating cryptographic signature with certificate Developer ID Application: John Signer (deadbeef) +Using time-stamp server http://timestamp.apple.com/ts01 +Using signing time 2024-01-01T00:00:00+00:00 +total signature size: [..] bytes +writing signed main executable to MyApp.app.signed/Contents/MacOS/MyApp + +``` diff --git a/apple-codesign/tests/cmd/sign.trycmd b/apple-codesign/tests/cmd/sign.trycmd index 8965467a0..ec22fd6ff 100644 --- a/apple-codesign/tests/cmd/sign.trycmd +++ b/apple-codesign/tests/cmd/sign.trycmd @@ -346,6 +346,19 @@ Options: Activating shallow signing mode can result in signing failures if the skipped nested entities aren't signed. For example, when signing an application bundle containing an unsigned nested bundle/framework, signing will fail with an error about a missing code signature. Always be sure to sign nested entities before their parents when this mode is activated. + --for-notarization + Indicate that the entity being signed will later be notarized. + + Notarized software is subject to specific requirements, such as enabling the hardened runtime. + + The presence of this flag influences signing settings and engages additional checks to help ensure that signed software can be successfully notarized. + + This flag is best effort. Notarization failures of software signed with this flag may be indicative of bugs in this software. + + The behavior of this flag is subject to change. As currently implemented, it will: + + * Require the use of a "Developer ID" signing certificate issued by Apple. * Require the use of a time-stamp server. * Enable the hardened runtime code signature flag on all Mach-O binaries (equivalent to `--code-signature-flags runtime` for all signed paths). + --smartcard-slot Smartcard slot number of signing certificate to use (9c is common)