Hi James,

Regarding this:
> However, after building I remove the “Contents/Native 
> Components/WebViewerCEF.bundle”, which is an apparently unused 275MB package, 
> so if I wanted to use the built-in signing, I’d have to accept the extra 
> 275MB on my app size.

True, if you modify the application package AFTER signing then the signature 
becomes invalid.

However, you could modify the source package PRIOR to running the build 
application command, by removing the "Contents/Native 
Components/WebViewerCEF.bundle" file from the 4D Volume Desktop.app and 4D 
Server.app packages... In this way, when the BUILD APPLICATION command merges 
the applications together the WebViewerCEF.bundle is already removed before the 
built-in signing operation takes place.

-Tim

-----Original Message-----
From: 4D_Tech <4d_tech-boun...@lists.4d.com> On Behalf Of James Crate via 
4D_Tech
Sent: Tuesday, February 11, 2020 11:44 AM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: James Crate <j...@quevivadev.com>
Subject: Re: New Notarization Issues

On Feb 11, 2020, at 10:58 AM, James Crate via 4D_Tech <4d_tech@lists.4d.com> 
wrote:
>
> With 4D v17.3 HF3, I have errors like this:
>
>    {
>      "severity": "error",
>      "code": null,
>      "path": "Travel-1.0.7.app.zip/Travel.app/Contents/MacOS/Travel",
>      "message": "The executable does not have the hardened runtime enabled.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    },

So the built-in signing (I had to manually edit the BuildApp.xml file) does 
sign the other items, and uses the signing option to turn on hardened runtime.

However, after building I remove the “Contents/Native 
Components/WebViewerCEF.bundle”, which is an apparently unused 275MB package, 
so if I wanted to use the built-in signing, I’d have to accept the extra 275MB 
on my app size.

However, for those that use a script to sign and want to keep doing so for 
workflow reasons, you can sign the individual components and then the base app, 
including turning on hardened runtime and adding the necessary entitlements. 
What used to be a single line to codesign the app now looks like this:

  # appPath (the built .app) and devID (the Developer ID identity) are set earlier in the script

  # set up $IFS for find to handle spaces
  OIFS="$IFS"
  IFS=$'\n'

  # sign items in directories codesign --deep doesn't handle
  entPath="./sign_plugins.entitlements"
  extraDirs=("Plugins" "SASL Plugins" "Native Components")
  for extraDir in "${extraDirs[@]}"; do
    for item in $(find "${appPath}/Contents/${extraDir}" \( -iname "*.bundle" -o -iname "*.plugin" \)); do
      echo "signing \"${item}\""
      codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${item}"
    done
  done
  IFS="$OIFS" # restore $IFS

  # php and the Updater app
  codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/php/Mac/php-fcgi-4d"
  codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/Updater/Updater.app"

  # and the base app (different entitlements file than the plugins)
  entPath="./sign_Travel.entitlements"
  codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}"

A sample entitlements file with all entitlements enabled, like 4D uses:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.addressbook</key>
<true/>
<key>com.apple.security.personal-information.calendars</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
</dict>
</plist>

My plugins.entitlements just removes the personal info and device keys. It’s 
probably ok to use the same entitlements file for everything though.

Jim Crate
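As an added example (not code from the thread, from 4D, or from Jim), a small Python audit that reads an entitlements plist like the sample above and separates the com.apple.security.cs.* keys, each of which switches off one hardened-runtime protection, from the resource-access keys that only trigger a user prompt. The key classification follows Apple's public entitlement names; the `allowed` allowlist and the trimmed sample plist are constructed for illustration.

```python
"""Audit a codesign entitlements plist for hardened-runtime exceptions.

Assumptions (not from the thread): the key sets below are Apple's public
entitlement names; the `allowed` parameter is a hypothetical per-component
allowlist you maintain yourself, not something 4D provides.
"""
import plistlib

# Keys that each disable one hardened-runtime protection for the signed code.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
# Keys that declare access to protected resources (user is prompted at runtime).
RESOURCE_PREFIXES = (
    "com.apple.security.device.",
    "com.apple.security.personal-information.",
    "com.apple.security.automation.",
)


def classify(key):
    """Bucket an entitlement key by what it relaxes."""
    if key in RUNTIME_EXCEPTIONS:
        return "runtime-exception"
    if key.startswith(RESOURCE_PREFIXES):
        return "resource-access"
    return "other"


def audit_entitlements(plist_bytes, allowed=frozenset()):
    """Return (key, category) for every entitlement set to <true/> that is not
    in `allowed`, with runtime exceptions listed first."""
    ents = plistlib.loads(plist_bytes)
    flagged = [(k, classify(k)) for k, v in ents.items()
               if v is True and k not in allowed]
    order = {"runtime-exception": 0, "resource-access": 1, "other": 2}
    return sorted(flagged, key=lambda kc: (order[kc[1]], kc[0]))


# Constructed sample: a trimmed version of the "everything enabled" file above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.cs.debugger</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for key, category in audit_entitlements(SAMPLE):
        print(f"{category:18} {key}")
```

Run it against each entitlements file you pass to codesign, with `allowed` holding only the keys that component actually needs, to see what a shared "all enabled" file grants a plugin that never asked for it.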


**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************