Notarization Issues

Hello,

At my company we have been signing our executables, zipping them, then notarizing the zips. We then take those and distribute them. Everything has been working fine until recently; now all of our executables have been failing Gatekeeper checks for users when the binary is downloaded from the web. Replicating with scp or curl seems to cause no issue. But specifically, when the client is downloaded via the web it trips Gatekeeper for them. A recent example is shown with notarization request: af8c0f3c-cbf1-4dbd-b792-ee8aa27c1b4a. Is there a Gatekeeper setting that involves checking the source of the file? Can that be disabled? Thank you

But specifically, when the client is downloaded via the web it trips Gatekeeper for them. A recent example is shown with notarization request: af8c0f3c-cbf1-4dbd-b792-ee8aa27c1b4a. Is there a Gatekeeper setting that involves checking the source of the file? Can that be disabled?

It sounds like you're running into a quarantine issue and Gatekeeper is flagging your app to not run for an issue like a rogue path or a broken code signature somewhere in your app. That is why the app runs when downloaded via curl, because I'm not sure the quarantine is added in this case? To debug this, fire up a VM and download your app. This should kick off a fresh syspolicyd and Gatekeeper scan each time your app is run. Log out what syspolicyd and Console.app are giving you:

% log stream --level debug --predicate 'process == "syspolicyd"'

You may find that because the quarantine flag is added to your files, and you have a bundle issue somewhere, the app cannot be executed. That is where I would start.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks, Matt, for looking into this issue. I have attached the log; could you please check?

The code inside your installer looks to be invalid or to have an invalid signature:

2022-01-28 00:39:50.593540-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:unixio] open(/Users/mac-os/Downloads/openshift-install-mac-4/openshift-install,0x0,0x1b6) = 19
2022-01-28 00:39:50.593571-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:unixio] 19 fcntl(48,0x1) = 0
2022-01-28 00:39:54.636835-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:unixio] close(19) err: 0
2022-01-28 00:39:54.637597-0800 0x50f2 Default 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:security_exception] MacOS error: -67002
2022-01-28 00:39:54.638564-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:security_exception] 0 Security 0x00007fff4595d0c5 Security::CommonError::LogBacktrace() + 107
... 0x00007fff45873791 Security::CodeSigning::PolicyEngine::evaluateCode(__CFURL const*, unsigned int, unsigned long long, __CFDictionary const*, __CFDictionary*, bool) + 809
2022-01-28 00:39:54.639074-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:security_exception] 9 Security 0x00007fff45868133 invocation function for block in Security::CodeSigning::EvaluationTask::performEvaluation(unsigned long long, __CFDictionary const*) + 857

The error for -67002 equates to the app not being identified as a valid app.

At the end of the log your container is showing up as notarized:

2022-01-28 00:39:54.662107-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:notarization] checking notarization on 2, {length = 20, bytes = 0x903c95778ff35f124158d37e0e85f63f5e264396}
2022-01-28 00:39:54.662436-0800 0x50ff Debug 0x0 1285 0 syspolicyd: pid 1285 requested ticket-lookup
2022-01-28 00:39:54.662517-0800 0x50ff Info 0x0 1285 0 syspolicyd: looking up ticket: , 2, 0
2022-01-28 00:39:54.662791-0800 0x50f2 Debug 0x0 1285 0 syspolicyd: (Security) [com.apple.securityd:notarization] isNotarized = 1

I would check out the formatting of your app inside the installer based on this article for Placing Content in a Bundle.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
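The triage Matt describes (a quarantined copy, a strict signature check, a Gatekeeper verdict) can be scripted so the same steps are run on exactly the file a user downloaded with a browser. The script below is an added example, not Matt's or Apple's code: it decodes the com.apple.quarantine attribute (its "flags;hex-unix-time;agent;uuid" layout is standard) and then runs the signature and assessment commands syspolicyd relies on. The script name, and the sample attribute value used to exercise the parser, are my own; the parser runs anywhere, the checks themselves only on macOS.

```shell
#!/bin/sh
# Gatekeeper triage for one downloaded file (added example, not from the thread).
# The macOS-only commands are guarded so the parser can be exercised anywhere.
set -eu

# parse_quarantine VALUE
# The com.apple.quarantine attribute has the form "flags;hex-unix-time;agent;uuid".
# Browsers set it on downloads; curl and scp normally do not, which is why those
# copies never trigger the Gatekeeper scan described in the thread.
parse_quarantine() {
    printf '%s\n' "$1" | {
        IFS=';' read -r flags ts agent uuid
        printf 'flags=%s\n' "$flags"
        printf 'downloaded_at=%d\n' "$((0x${ts:-0}))"   # seconds since the Unix epoch
        printf 'agent=%s\n' "$agent"
        printf 'uuid=%s\n' "$uuid"
    }
}

# check_product PATH
# Reproduces by hand what syspolicyd does when a quarantined file is launched:
# report the quarantine state, verify the signature strictly, and ask Gatekeeper
# for its verdict. Run it on the copy a user downloaded with a browser.
check_product() {
    path=$1
    echo "== quarantine attribute =="
    if q=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        parse_quarantine "$q"
    else
        echo "none (copied via scp/curl? Gatekeeper will not scan it)"
    fi
    case "$path" in
        *.pkg)
            echo "== installer package signature, assessment, stapled ticket =="
            pkgutil --check-signature "$path"
            spctl --assess --type install -vv "$path"
            xcrun stapler validate "$path" ;;
        *)
            echo "== code signature (strict, nested code included) and assessment =="
            codesign --verify --deep --strict --verbose=2 "$path"
            spctl --assess --type execute -vv "$path" ;;
    esac
}

# Usage: ./gk-triage.sh /path/to/downloaded/file   (macOS only; pair it with the
# thread's `log stream --level debug --predicate 'process == "syspolicyd"'`)
if [ "$#" -gt 0 ] && [ "$(uname)" = "Darwin" ]; then
    check_product "$1"
fi
```

A missing attribute on the copy you test is itself a finding: it means you are not reproducing the user's path, which is the difference between the curl/scp and browser cases the original post describes.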

Might also be worth noting that these aren't being natively built in Xcode, but rather cross-compiled via Go's compiler on a Linux machine.

My experience is that Go binaries often have problems with code signing, primarily because Go does not use the Apple linker [1].

We sign them and notarize (but can't staple because they aren't apps).

Understood. But you can and should staple the installer package.

My advice here is that you sign all your binaries, from the inside out, and then bundle them up into an installer package, sign that, notarise the installer package, and then finally staple that package. The resulting ticket will cover the installer package and all the binaries it contains. It will be ingested by the system at install time, so it’ll be available when the user goes to run one of your executables.

For more details on each step, see Signing a Mac Product For Distribution. For advice on how to test this stuff, see Testing a Notarised Product.

If you’re already doing things this way and still have problems, open a DTS tech support incident so that Matt or I can take a more in-depth look at your binaries.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] By default. I believe it has options to allow this, but I’m hardly a Go expert.
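Quinn's sequence (sign from the inside out, build the installer package, sign it, notarise it, staple it) as one release script. This is an added example, not Apple's or the poster's code: the Developer ID identity strings, the notarytool keychain profile name, the package identifier and the script name are placeholders, and the payload is assumed to be a directory of bare Go executables installed under /usr/local/bin. The `stapleable` helper encodes the point made above that a ticket can be stapled to the package but not to a bare executable.

```shell
#!/bin/sh
# Sign inside out, package, notarize, staple (added example, not Apple's or the
# poster's code). Identity strings and the notarytool profile are placeholders.
set -eu

APP_IDENTITY="Developer ID Application: Example Corp (TEAMID0000)"   # placeholder
PKG_IDENTITY="Developer ID Installer: Example Corp (TEAMID0000)"     # placeholder
NOTARY_PROFILE="notary-profile"   # placeholder; created with `xcrun notarytool store-credentials`
PKG_ID="com.example.product"      # placeholder package identifier
PKG_VERSION="1.0"

# stapleable PATH: returns 0 if a notarization ticket can be attached to PATH.
# Bare Mach-O executables (the thread's Go binaries) have no place to carry a
# ticket; app bundles, installer packages and disk images do.
stapleable() {
    case "$1" in
        *.app|*.pkg|*.dmg) return 0 ;;
        *) return 1 ;;
    esac
}

# sign_inside_out ROOT: sign every executable under ROOT, deepest paths first so
# nested code is sealed before anything that contains it. Hardened runtime and a
# secure timestamp are both notarization requirements. --deep is deliberately
# not used; ordering the signatures explicitly is what "inside out" means.
sign_inside_out() {
    find "$1" -type f -perm -u+x | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2- |
    while IFS= read -r f; do
        codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$f"
    done
}

# build_pkg ROOT OUT.pkg: wrap the signed tree in an installer package and sign
# the package with the Installer identity (a different certificate from the one
# used for code).
build_pkg() {
    tmp="${2%.pkg}-unsigned.pkg"
    pkgbuild --root "$1" --identifier "$PKG_ID" --version "$PKG_VERSION" \
             --install-location /usr/local/bin "$tmp"
    productsign --sign "$PKG_IDENTITY" "$tmp" "$2"
    rm -f "$tmp"
}

# notarize_and_staple PKG: submit and wait for the verdict, then staple the
# ticket. The ticket covers the package and every binary inside it and is
# ingested at install time, so the executables pass Gatekeeper even offline.
notarize_and_staple() {
    stapleable "$1" || { echo "cannot staple a ticket to $1" >&2; return 1; }
    xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait
    xcrun stapler staple "$1"
    xcrun stapler validate "$1"
    spctl --assess --type install -vv "$1"
}

# Usage: ./release.sh ./payload-root ./Product.pkg   (macOS with Xcode tools only)
if [ "$#" -eq 2 ] && [ "$(uname)" = "Darwin" ]; then
    sign_inside_out "$1"
    build_pkg "$1" "$2"
    notarize_and_staple "$2"
fi
```

The final `spctl --assess --type install` is the check worth keeping in CI: it is the same verdict Gatekeeper will reach on a user's quarantined download, so a failure here shows up before the package ships rather than in users' bug reports.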
