-
-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Notarization of Electron app fails due to hardened runtime disabled #118
Comments
That team ID warning was fixed in 0.26.0, which was released a few hours ago. That version also had a bug fix for Can you run You'll either need to:
If this all previously worked before, this regression is likely fallout from an intended change in behavior in 0.25 (https://github.com/indygreg/apple-platform-rs/releases/tag/apple-codesign%2F0.25.1) where settings aren't recursively propagated to every nested binary any more. |
Yes, the team ID warning has been fixed in 0.26.0, thank you!
As you expected, grep with
Yes this should work, I will give it a try later. Thanks! |
@indygreg this issue wasn't present after the fix that made signing Electron applications working. If i test using commit 187aedd it is passing notarization after signing using rcodesign. (this commit was my first attempt for testing with signing each Mach-o file / Fwk before signing the whole app). |
This demonstrates that the feature works. (This is being actively discussed in #118.)
As I mentioned, the behavior of I think the reason why OP is having issues is that scoped paths are relative to the path of the entity being signed - not relative to the directory being executed from. In the failing example, the path used was Also, in this failing example, the flag is being specified for the bundle's main executable. There may be room to restore a way to opt into recursive propagation. e.g. I'll think about this additional scoping rule, as it could make things simpler for end-users. |
Solved by this:
Notes:
Now Apple is happy with the bundle. 🎉 Update: Although Apple accepts the submission, the app actually can no longer launch after signing.
Update 2: Running
But this is a bit slow and error-prone so we switch back to Apple's tools for now. |
Hi! We recently started using For security reasons we have separated machines building/packaging and signing the apps. We therefor use the recursive behavior of
As long as this does not work we can not notarize our apps (only sign). Unfortunately I have zero rust knowledge so I don't feel qualified to open a PR. If I could help in a different way let me know!
While the first suggestion feels more intuitive, the second seems to be more flexible as there would be no other way to get only
Looking forward to it! |
This change in behavior has broken our release pipeline as well, which was annoying to even figure out, so that was a fun two days of investigation. |
I'm sorry for the confusion, @kobaltcore. In my defense, the release notes for 0.25.1 did attempt to call out the breaking change in behavior. I do generally value backwards compatibility, as I've been on the receiving end of unwanted compatibility breaks too many times myself. In this case, the previous behavior resulted in unexpected behavior for many signing operations and we needed to correct that behavior before more damage was done. I'm still thinking about how to best solve this UX problem. If you have suggestions, I'd love to hear them. FWIW another idea I've had is to add a |
Yeah, this is on the In any case, I think as long as there can be the option of having some kind of Anyway, thanks for engaging on this and working with the community to come to a solution, much appreciated! |
Getting software to pass Apple's notarization requirements can be subtly difficult and often requires multiple failed notarization attempts before success. This commit introduces a `sign --for-notarization` flag that attempts to validate and engage signing settings to help ensure signed software passes notarization. The logic is best effort and I'm sure there are gaps. But for now, it seems better than nothing. Related to #118.
I recognize that the change in behavior made more complex signing modes more burdensome than they needed to be. In the past few days I've committed a few features to help reign back control.
Both features are documented as having a non-stable set of semantics, with the intent that the semantics converge towards more user-friendly behavior over time. I still want to add an easy way to recursively enable signing settings. I had a quick and dirty patch to attempt this and it broke tests in some unexpected ways. So I need to think about things some more. I'm leaving this issue open to track a longer term solution. |
As an update on this the |
I'm using
rcodesign
to sign and notarize an Electron app. The signing phase seems to succeed, and Apple's codesign tool can verify the result when issuingcodesign --verify --deep --strict
. However,rcodesign notary-submit
consistently produce errors stating "The executable does not have the hardened runtime enabled", which is strange as I do pass the--code-signature-flags runtime
flag. By inspecting the logs I findrcodesign sign
prints "signing without an Apple signed certificate but signing settings contain a team name" for all object files, and according to this comment, it is unexpected.System information
Logs
The text was updated successfully, but these errors were encountered: