Hi James,

Regarding this:

> However, after building I remove the “Contents/Native
> Components/WebViewerCEF.bundle”, which is an apparently unused 275MB package,
> so if I wanted to use the built-in signing, I’d have to accept the extra
> 275MB on my app size.

True, if you modify the application package AFTER signing then the signature becomes invalid. However, you could modify the source package PRIOR to running the build application command, by removing the “Contents/Native Components/WebViewerCEF.bundle” file from the 4D Volume Desktop.app and 4D Server.app packages... In this way, when the BUILD APPLICATION command merges the applications together the WebViewerCEF.bundle is already removed before the built-in signing operation takes place.

-Tim

-----Original Message-----
From: 4D_Tech <4d_tech-boun...@lists.4d.com> On Behalf Of James Crate via 4D_Tech
Sent: Tuesday, February 11, 2020 11:44 AM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: James Crate <j...@quevivadev.com>
Subject: Re: New Notarization Issues

On Feb 11, 2020, at 10:58 AM, James Crate via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> With 4D v17.3 HF3, I have errors like this:
>
> {
>   "severity": "error",
>   "code": null,
>   "path": "Travel-1.0.7.app.zip/Travel.app/Contents/MacOS/Travel",
>   "message": "The executable does not have the hardened runtime enabled.",
>   "docUrl": null,
>   "architecture": "x86_64"
> },

So the built-in signing (I had to manually edit the BuildApp.xml file) does sign the other items, and uses the signing option to turn on hardened runtime. However, after building I remove the “Contents/Native Components/WebViewerCEF.bundle”, which is an apparently unused 275MB package, so if I wanted to use the built-in signing, I’d have to accept the extra 275MB on my app size.

However, for those that use a script to sign and want to keep doing so for workflow reasons, you can sign the individual components and then the base app, including turning on hardened runtime and adding the necessary entitlements.
What used to be a single line to codesign the app now looks like this:

# assumes appPath (the built .app) and devID (the Developer ID signing identity) are set earlier in the script

# set up $IFS for find to handle spaces
OIFS="$IFS"
IFS=$'\n'

# sign items in directories codesign --deep doesn't handle
entPath="./sign_plugins.entitlements"
extraDirs=("Plugins" "SASL Plugins" "Native Components")
for extraDir in "${extraDirs[@]}"; do
  for item in $(find "${appPath}/Contents/${extraDir}" \( -iname "*.bundle" -o -iname "*.plugin" \)); do
    echo "signing \"${item}\""
    codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${item}"
  done
done

IFS="$OIFS" # restore $IFS

# php and the Updater app
codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/php/Mac/php-fcgi-4d"
codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/Updater/Updater.app"

# and the base app
entPath="./sign_Travel.entitlements"
codesign --force --deep --verbose --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}"

A sample entitlements file with all entitlements enabled, like 4D uses:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <key>com.apple.security.personal-information.calendars</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.personal-information.photos-library</key>
    <true/>
</dict>
</plist>

My plugins.entitlements just removes the personal info and device keys. It’s probably ok to use the same entitlements file for everything though.

Jim Crate

**********************************************************************
4D Internet Users Group (4D iNUG)
Archive: http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
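A post-signing audit, added here as an example and not part of the thread or of 4D's tooling: it walks the built app the way Jim's script does and reports every nested bundle, plugin or Mach-O executable that is unsigned or was signed without --options=runtime, the condition behind the notary error quoted above. It assumes macOS codesign(1) and file(1) and the same bundle layout (Plugins, SASL Plugins, Native Components, Resources/php, Resources/Updater); the sample codesign output in the comments is constructed.

```shell
#!/bin/bash
# Added post-signing audit (not from the thread or 4D): list every nested
# bundle, plugin or Mach-O executable in a built app that is unsigned or was
# signed without --options=runtime, i.e. what the notary service rejects with
# "The executable does not have the hardened runtime enabled".

# Parse the output of `codesign -dvv <item>` (written to stderr) and report
# whether the hardened runtime flag is set. codesign prints a line such as
#   CodeDirectory v=20500 size=... flags=0x10700(hard,kill,restrict,runtime) ...
# Returns 0 when "runtime" appears inside the flags' parenthesised list.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*runtime'
}

# Everything inside the app that carries its own signature: nested
# .app/.bundle/.plugin packages (not descended into; --deep covers their
# insides) plus loose Mach-O executables under Resources such as php-fcgi-4d.
list_signable_items() {
    find "$1/Contents" \( -iname '*.app' -o -iname '*.bundle' -o -iname '*.plugin' \) -prune -print
    find "$1/Contents/Resources" \( -iname '*.app' -o -iname '*.bundle' \) -prune \
         -o -type f -perm -u+x -print 2>/dev/null |
        while IFS= read -r f; do file -b "$f" | grep -q 'Mach-O' && printf '%s\n' "$f"; done
}

# One verdict line per item; non-zero status if it would fail notarization.
audit_item() {
    codesign --verify --strict "$1" 2>/dev/null || { printf 'UNSIGNED/INVALID  %s\n' "$1"; return 1; }
    if has_hardened_runtime "$(codesign -dvv "$1" 2>&1)"; then
        printf 'OK                %s\n' "$1"
    else
        printf 'NO-RUNTIME        %s\n' "$1"; return 1
    fi
}

# Audit the nested items first, then the outer app, the same order the thread
# signs in. Newline-only IFS so paths like "SASL Plugins" survive word splitting.
audit_app() {
    local app="$1" rc=0 item oifs="$IFS"
    IFS='
'
    for item in $(list_signable_items "$app") "$app"; do
        audit_item "$item" || rc=1
    done
    IFS="$oifs"
    return "$rc"
}

# Usage: ./audit_signing.sh Travel.app   (exit status 1 if anything needs re-signing)
if [ $# -eq 1 ]; then audit_app "$1"; fi
```

Any NO-RUNTIME or UNSIGNED/INVALID line names an item that has to be re-signed with --options=runtime before the zipped app is submitted for notarization.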