Code Signing Issues

I have an Executable which is a binary created using a tool called Nuitka, which is similar to PyInstaller. It creates a self-contained package of all items needed to run the Python contained inside. When I build the package and then codesign it, I need to add the --no-strict parameter. But no matter how I sign it, when it tries to execute after signing it tells me it is no longer in the proper format. I tried only signing the .PKG, which does work but with the standard security warning since it is not notarized. Eskimo, if you are out there I really need some help here... this is a simple terminal app, nothing special.

Eskimo, if you are out there I really need some help here...

Quinn will weigh in here I'm sure, but since I'm around I will kick this thread off.

Regarding:

But no matter how I sign it, when it tries to execute after signing it tells me it is no longer in the proper format.

If you build and sign this app locally to run on your machine, I'm sure it runs correctly, is that right?

Regarding:

I tried only signing the .PKG, which does work but with the standard security warning since it is not notarized

What happens if you Developer ID sign the app and Notarize the outer PKG container and distribute the app? If this does not work, what does the Console.app give you as far as error messages when you try and run this app? You might see syspolicyd giving you some errors? You could even record them via another Terminal window before you try and run the app:

% log stream --level debug --predicate 'process == "syspolicyd"'
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

As soon as I sign the app it no longer runs. It is apparently a Mac Archive Binary. When executed it uncompresses itself and executes what's within.

I am also trying this with a standard app bundle without using a Mac Archive Binary, having the executables in the MacOs folder and all supporting files in the Resources folder. When I sign the files in MacOs it is fine and the package signs fine, but when I submit to Notarization it still complains about every file in the Resources folder. So I am unsure what the heck to do here.

Signing the original App (Mac Archive Executable) causes it to no longer run; it does sign the file, though. I did not submit for notarization because even if it validated it would be useless to me.

Very confusing for a newbie.. I feel like I have no idea what I am doing.

Also apparently all of those files I moved to /Resources need to be in the same place because the tool still fails to run now.

I tested it: I app-signed the executable and installer-signed the PKG, and it accepted it. But when I run the code now I get this...

/Users/{me}/Documents/repos/akamai_siteshield/build-src/mac-package-root/Applications/SiteShieldIPManager.app/Contents/MacOs/SiteShieldIPManager_bin.bin ; exit;
steve.groner@LKBBmacK1LEJGH8 ~ % /Users/steve.groner/Documents/repos/akamai_siteshield/build-src/mac-package-root/Applications/SiteShieldIPManager.app/Contents/MacOs/SiteShieldIPManager_bin.bin ; exit;
Error, couldn't decode attached data.: Undefined error: 0
zsh: abort      

Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

Here is the output from the item you asked me to collect.

As soon as I sign the app it no longer runs. It is apparently a Mac Archive Binary. When executed it uncompresses itself and executes what's within.

Right, if you're building from Xcode and creating an Archive, you'll then need to Distribute the archive by using the "Built Products" option to create a signed binary that is exported to disk somewhere.

If you're building the executable directly from the command line then you can Developer ID sign, package and Notarize from there.

Regarding:

I am also trying this with a standard app bundle without using a Mac Archive Binary, having the executables in the MacOs folder and all supporting files in the Resources folder. When I sign the files in MacOs it is fine and the package signs fine, but when I submit to Notarization it still complains about every file in the Resources folder. So I am unsure what the heck to do here. Also apparently all of those files I moved to /Resources need to be in the same place because the tool still fails to run now.

This might be because you're signing code or libraries and adding them to the /Resources folder. That is not a place for signed code. Quinn wrote an excellent document that explains where signed code should live inside the macOS bundle. Also, check out this document as it has a lot of great resources for debugging non-standard bundles.

Now, arranging a bundle like this might put you in a position where you need to sign your bundle in a specific way, without the --deep flag and sign the code piece by piece. For more information on how to do that, Quinn also wrote an excellent post on that here.

Regarding:

But when I run the code now I get this... root/Applications/SiteShieldIPManager.app/Contents/MacOs/SiteShieldIPManager_bin.bin ; exit; Error, couldn't decode attached data.: Undefined error: 0 zsh: abort

What is SiteShieldIPManager_bin.bin? Is this a Mach-O executable? If not, it should be. You can test it with the % file tool.

As far as your log, I can see it looking up your Notary ticket, but I did not see your bundle being scanned. You may need to scan the general Console.app log for further errors if you still experience issues after refactoring your bundle.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
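The three checks Matt describes above (is the file a Mach-O, is any code sitting under Contents/Resources, and what is the inside-out order for signing piece by piece without --deep) can be scripted. The following is an added example written for this thread; it is not Apple's, DTS's or the original poster's code. It assumes a flat Nuitka-style layout (libraries directly in Contents/MacOS, no nested frameworks), uses a constructed demo bundle and a made-up Developer ID identity string, and builds codesign commands from the real flags --force, --sign, --options runtime, --timestamp and --entitlements.

```python
"""Sign a Nuitka-style .app piece by piece (no --deep): find Mach-O code by magic
number (the first check `file` makes), flag code misplaced under Contents/Resources,
and emit an inside-out codesign order. Added example for this thread, not Apple's
or the original poster's code; the demo bundle and identity are constructed."""
import plistlib
import shlex
import struct
from pathlib import Path

# Mach-O magics (thin 32/64-bit, fat/universal) in both byte orders, matched against
# the first four bytes read as a big-endian u32. Java .class files also start with
# 0xCAFEBABE, so keep JARs out of the scan.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return False
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS

def main_executable(app):
    """Contents/MacOS/<CFBundleExecutable>, falling back to the bundle's own name."""
    app = Path(app)
    name, info = app.stem, app / "Contents" / "Info.plist"
    if info.is_file():
        with open(info, "rb") as f:
            name = plistlib.load(f).get("CFBundleExecutable", name)
    return app / "Contents" / "MacOS" / name

def find_code(app):
    """Every regular (non-symlink) Mach-O file inside the bundle."""
    return sorted(p for p in Path(app).rglob("*")
                  if p.is_file() and not p.is_symlink() and is_macho(p))

def misplaced_code(app):
    """Mach-O files under Contents/Resources. The bundle seal treats that folder as
    data, so notarization keeps reporting them unsigned: move them back to
    Contents/MacOS (or Contents/Frameworks) rather than signing them in place."""
    res = Path(app) / "Contents" / "Resources"
    return [p for p in find_code(app) if res in p.parents]

def signing_order(app):
    """Inside-out: nested libraries first (deepest path first), the bundle last.
    Signing the bundle seals Info.plist and the main executable, so the main
    executable is not listed on its own; misplaced code is left out deliberately."""
    app = Path(app)
    skip = {main_executable(app), *misplaced_code(app)}
    nested = [p for p in find_code(app) if p not in skip]
    nested.sort(key=lambda p: (-len(p.parts), str(p)))
    return nested + [app]

def codesign_commands(app, identity, entitlements=None):
    """codesign invocations with hardened runtime and secure timestamp, which is
    what notarization expects; entitlements go on the bundle (main executable)."""
    cmds = []
    for item in signing_order(app):
        cmd = ["codesign", "--force", "--sign", identity, "--options", "runtime", "--timestamp"]
        if entitlements is not None and item == Path(app):
            cmd += ["--entitlements", str(entitlements)]
        cmds.append(cmd + [str(item)])
    return cmds

def make_demo_bundle(root):
    """Constructed sample bundle mirroring the thread: executable and libraries in
    Contents/MacOS, one library wrongly moved into Contents/Resources."""
    app = Path(root) / "Demo.app"
    macos, res = app / "Contents" / "MacOS", app / "Contents" / "Resources"
    macos.mkdir(parents=True)
    res.mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Demo"}, f)
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_MAGIC_64 as stored on disk
    for name in ("Demo", "libcrypto.dylib", "_socket.so"):
        (macos / name).write_bytes(macho64)
    (res / "misplaced.so").write_bytes(b"\xca\xfe\xba\xbe" + b"\x00" * 28)  # fat magic
    (res / "data.txt").write_bytes(b"not code")
    return app

if __name__ == "__main__":
    import tempfile
    demo = make_demo_bundle(tempfile.mkdtemp())
    print("misplaced:", [str(p.relative_to(demo)) for p in misplaced_code(demo)])
    for cmd in codesign_commands(demo, "Developer ID Application: Example (TEAMID)"):
        print(shlex.join(cmd))  # dry run; pass each cmd to subprocess.run on a Mac
```

Run it against the real bundle on the Mac, fix anything listed as misplaced first, then execute the printed commands in order and check the result with `codesign --verify --deep --strict --verbose=2 Your.app` and `spctl -a -t exec -vv Your.app` before building the PKG. If the bundle only signs with --no-strict, that is itself a hint that the layout is not what codesign expects from a standard bundle. The entitlements plist passed in is your own; the thread's "Network" and "Unsigned Memory" entitlements are, by my assumption, the hardened-runtime keys com.apple.security.network.client and com.apple.security.cs.allow-unsigned-executable-memory.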

Sorry Matt, I am not using Xcode for anything and I am lost. A lot of what you said I have no idea what you mean. I use a Python compiler tool. When I use a onefile option it makes the executable a MacBinary Archive, which I then slip into a skeleton .app bundle. When I tell it to make a standalone/app bundle it creates all of the app bundle and places the Mac Executable in the MacOs folder along with a bunch of .so_ and .dylib files. All of these files, when I tried to sign them, still showed as unsigned in Notarization. That is when I moved them to Resources, thinking they would not need to be signed if they lived there. Then the tool broke because it could not find those files.

When I use the MacBinary Archive and sign it, it breaks the archive; it cannot execute after I sign it. It cannot use the file afterwards; even though notarization accepts the package with the broken (but signed) MacBinary Archive, the tool will not run when installed.

I am going to need a little more hand-holding with step-by-step instructions, as I can get around and do what I need to, but I am not a professional Mac developer. I am doing this tool out of necessity and do not want our internal folks to be faced with the warning every time we update the tool.

I am happy to provide you with whatever you need to see, but I am really at a loss to figure out how to do this. I would love to use Xcode for packaging, but I have no idea how to do that for a .app containing a MacBinary archive created outside of Xcode. I have almost never used Xcode as I am not a Swift or Objective-C programmer; I am a script guy and write in Python and just wanted to compile this into an executable to distribute with the proper security enhancements done.

No problem at all. I think the next best move then would be to open up a TSI so that either myself or Quinn can dedicate some time into looking at what is going on here with your actual bundle and provide a recommendation from there.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Done. Thank you!

Case Number: 101610725468

That's not a TSI number. I am not sure where that number belongs. You'll want to go to the link above that I posted to open a TSI: https://developer.apple.com/support/technical/

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

That is where I went. Then it sent me to code-level support under my account, and it showed I had (2) expiring in October of '22. I clicked on Request Technical Support and it gave me a form to fill out.

So I was able to get the app signed. It turns out I only need to sign the .app (with entitlements for Network and Unsigned Memory) and then sign the package with Installer Developer ID creds. However, when I run the package the installer pops up a window with ...

"“Installer” would like to access files in your Documents folder.", which presents either Allow or Not Allow. Either option results in the app not being copied to the /Applications folder. I have nothing that I am putting in the Documents folder, so it must be something coming from the installer itself.

I have noticed that if I remove the Info.plist file from the App/Contents folder it will pass notarization and stapling. Then when I install it, it works fine. So could there be something wrong with the Info.plist? I opened it in Xcode and saved it again just in case there was something not visible in it causing it to fail. Any thoughts on this?

Never mind. I thought I had beaten it, but I cleared everything out and tried again and it will not sign only the app. Not sure what the heck is going on. It wants me to sign a bunch of things inside the app. I swear this worked at one point, but I may be overlapping changes and losing track of what I have done.
