Closed martinsp closed 7 months ago
do we need a dev certificate for this?
No. Xcode does this automatically when FreeCAD is built. With the added codesign command we fix the (adhoc) signature that was already applied by Xcode on the initial build and that we invalidated when we modified the dylibs with install_name_tool
https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc
ok let's merge and try it, @JohnOCFII could you test the new build that will be available in a few minutes?
@chennes can you test signing the new weekly? and maybe uploaded it somewhere so martinsp can test it too
ok let's merge and try it, @JohnOCFII could you test the new build that will be available in a few minutes?
Loads and runs fine on my M1/arm Mac. It is not signed, though. Wasn't sure if that was a goal with this "weekly" or not.
OS: macOS 14.1.2
Word size of FreeCAD: 64-bit
Version: 0.22.0dev.35370 (Git)
Build type: Release
Branch: main
Hash: 1066bb54ceec8f4f8376b5149253acda5677651d
Python 3.10.13, Qt 5.15.8, Coin 4.0.2, Vtk 9.2.6, OCC 7.6.3
Locale: C/Default (C)
I was able to successfully sign this bundle as long as I did not try to enable the entitlements.
I was able to open the version from your OneDrive and it was signed.
I was able to successfully sign this bundle as long as I did not try to enable the entitlements.
does the old image with the rpaths not work even without entitlements or are we in the same situation as before?
I was able to successfully sign this bundle as long as I did not try to enable the entitlements.
Did the signing step fail, or were you not able to launch the application when entitlements were enabled? If it failed to launch, can you share that bundle? I could try to look and find out if there is any other issue that macOS is not happy about when entitlements are enabled.
Signing appears to work fine, but the launch gives the unidentified developer warning. Here it is with the entitlements.
does the old image with the rpaths not work even without entitlements or are we in the same situation as before?
My guess is that the entitlements are the problem, and that signing without them will work.
Yes, the entitlements are the problem, because the com.apple.security.cs.disable-library-validation entitlement forces macOS to perform additional checks when launching the application.
Thank you for providing the signed build. The next problem macOS complains about, which I found via Console.app, is:
File /Applications/FreeCAD.app/Contents/Resources/lib//libncurses.6.dylib failed on loadCmd /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib (loadCmd resolved to: (path not found), bundleURL: /Applications/FreeCAD.app)
By scanning FreeCAD.app with otool I found that /Applications/FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib and /Applications/FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib have LC_REEXPORT_DYLIB pointing to non-existing files on user macs.
Now we need to figure out how to eliminate those from the dylibs. Maybe @adrianinsaval has some ideas?
Edit:
Maybe this line has something to do with the issue, but I don't know how to work with conda: https://github.com/conda-forge/ncurses-feedstock/blob/19916cb49c7cf19f3a17a2bfcec4daef4f720a29/recipe/build.sh#L47
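The otool scan described in the comment above can be automated. The following is an added example, not part of the thread or of the FreeCAD repositories: it filters `otool -l` output for dependency, re-export and rpath entries that are absolute paths outside the OS library locations. The function names and the sample output are constructed for illustration.

```shell
# Added example, not code from the FreeCAD repositories.
# Reads `otool -l` output on stdin and prints "<load command> <path>" for every
# dependency, re-export or rpath entry that is an absolute path outside the
# OS-provided locations, i.e. a path that only existed on the build machine.
find_stale_load_paths() {
  awk '
    $1 == "cmd" { cmd = $2; next }
    ($1 == "name" || $1 == "path") &&
    cmd ~ /^LC_(LOAD_DYLIB|LOAD_WEAK_DYLIB|REEXPORT_DYLIB|RPATH)$/ {
      p = $0
      sub(/^[ \t]*(name|path)[ \t]+/, "", p)          # drop the field label
      sub(/[ \t]+\(offset [0-9]+\)[ \t]*$/, "", p)    # drop trailing "(offset N)"
      if (p ~ /^\// && p !~ /^\/(usr\/lib|System)\//) print cmd, p
    }
  '
}

# Constructed sample of `otool -l` output for a library like libncurses.6.dylib.
sample_otool_output() {
  cat <<'EOF'
Load command 3
          cmd LC_ID_DYLIB
      cmdsize 48
         name @rpath/libncurses.6.dylib (offset 24)
Load command 9
          cmd LC_REEXPORT_DYLIB
      cmdsize 120
         name /private/var/folders/xx/T/build/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib (offset 24)
Load command 10
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 11
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/ (offset 12)
EOF
}

# Scan every library in a bundle (macOS only; needs otool from the Xcode tools).
scan_bundle() {
  find "$1" -type f \( -name '*.dylib' -o -name '*.so' \) | while IFS= read -r f; do
    otool -l "$f" | find_stale_load_paths |
      while IFS= read -r hit; do printf '%s: %s\n' "$f" "$hit"; done
  done
}

sample_otool_output | find_stale_load_paths
```

On a Mac, `scan_bundle FreeCAD.app` should print nothing for a bundle that is ready to be signed with entitlements.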
Is there some way we can patch the library directly? If not I can try forking that feedstock and uploading a package without that to the freecad conda repo
I think we need something like
install_name_tool -change /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib @loader_path/libtinfo.6.dylib libncurses.6.dylib
install_name_tool -change /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfow.6.dylib @loader_path/libtinfow.6.dylib libncursesw.6.dylib
Yes, I think the install_name_tool -change ... could work. I just noticed that other dylibs in the app bundle use @rpath/... instead of @loader_path/... . But maybe the @loader_path also works.
@adrianinsaval according to my tests updating LC_REEXPORT_DYLIB with install_name_tool -change ... is the last step required to make macOS happy and allow FreeCAD signed with entitlements to run.
I took the weekly build FreeCAD_weekly-builds-35370-2023-12-14-conda-macOS-arm64-py310.dmg and made the following changes to the app bundle:
install_name_tool -change "/private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib" "@rpath/libtinfo.6.dylib" FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib
codesign --force --sign - FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib
install_name_tool -change "/private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfow.6.dylib" "@rpath/libtinfow.6.dylib" FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib
codesign --force --sign - FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib
I then signed & notarized the build with the https://github.com/FreeCAD/FreeCAD/blob/main/src/Tools/macos_sign_and_notarize.sh script and the resulting FreeCAD.app is running on an arm Mac.
Here is the weekly build I signed & notarized: https://drive.google.com/file/d/1rPn6LGPbdKrGz0EXK8tHxVIDlbheG9sk/view?usp=sharing
Many thanks for your help! I'll see if I can script this this weekend
Here is the weekly build I signed & notarized: https://drive.google.com/file/d/1rPn6LGPbdKrGz0EXK8tHxVIDlbheG9sk/view?usp=sharing
Not that you needed confirmation, but I downloaded and launched it successfully. It was signed.
Many thanks for your help! I'll see if I can script this this weekend
Thank you!
Not that you needed confirmation, but I downloaded and launched it successfully.
This is great! I have had occasions when something works only on my computer :)
https://github.com/FreeCAD/FreeCAD-Bundle/commit/39d698cfafc7fc9c545323c85240f9c88bf9e89d
and also pushed to 0.21.2 branch: b8d7211b2f3faa8cd9a1899ce64d00c168762b1b
@chennes please try signing with entitlements again
It seems to work now -- can someone else confirm? FPA-signed DMG (with entitlements) here.
It seems to work now -- can someone else confirm?
Can confirm, it's working on my mac.
It seems to work now -- can someone else confirm?
Yes, It works (and is signed) on my Mac.
OK, I will sign the x86 one tonight and then they should be ready for release, @adrianinsaval
Bah, there is something wrong with the x86 signing. This one is different, presumably I'm failing to sign some file in the bundle that should be signed. Does anyone see what it is? DMG here.
My guess is that x86 is signed with the wrong certificate. The output of codesign -dvvvv --extract-certificates FreeCAD.app for the x86 build reveals
...
Authority=Apple Distribution: The FreeCAD project association (289DJRF23X)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
...
This seems to be a certificate which should be used when signing app bundle for AppStore distribution.
For arm build the output is:
...
Authority=Developer ID Application: The FreeCAD project association (289DJRF23X)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
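The certificate mix-up found in the comment above can be caught before a DMG is published. The following is an added example, not part of the thread or of FreeCAD's signing script: it classifies a signature from the Authority chain that codesign prints. The function names and category labels are made up here; the two sample chains are the ones quoted in the thread.

```shell
# Added example, not code from the FreeCAD repositories.
# Reads `codesign -dvv` output on stdin (codesign writes it to stderr, so
# redirect with 2>&1) and classifies the signature by its certificate chain.
# Returns 0 only for a Developer ID chain, the kind used for distribution
# outside the App Store.
classify_signature() {
  awk -F= '
    $1 == "Signature" && $2 == "adhoc" { adhoc = 1 }
    $1 == "Authority" { n++; if (n == 1) leaf = $2; last = $2 }
    END {
      if (adhoc || n == 0)                      { print "adhoc-or-unsigned"; exit 1 }
      if (last != "Apple Root CA")              { print "untrusted-root";    exit 1 }
      if (leaf ~ /^Developer ID Application: /) { print "developer-id";      exit 0 }
      if (leaf ~ /^Apple Distribution: /)       { print "app-store";         exit 1 }
      print "other"; exit 1
    }'
}

# Authority chain reported in the thread for the x86 build.
x86_sample() {
  cat <<'EOF'
Authority=Apple Distribution: The FreeCAD project association (289DJRF23X)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
EOF
}

# Authority chain reported in the thread for the arm build.
arm_sample() {
  cat <<'EOF'
Authority=Developer ID Application: The FreeCAD project association (289DJRF23X)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

arm_sample | classify_signature
x86_sample | classify_signature || true
```

On a Mac the real input would be `codesign -dvv FreeCAD.app 2>&1 | classify_signature`, and a release script can stop on a non-zero exit status.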
Good catch, thanks -- too many certificates!! Here is the signed-with-entitlements Intel DMG.
The new signed x86 version works for me.
The latest weekly for macOS Arm was not signed. :(
OS: macOS 14.2.1
Word size of FreeCAD: 64-bit
Version: 0.22.0dev.35554 (Git)
Build type: Release
Branch: main
Hash: 8e2ab9f76888ac4da971f9d5069cec7bcc2b572f
Python 3.10.13, Qt 5.15.8, Coin 4.0.2, Vtk 9.2.6, OCC 7.6.3
Locale: C/Default (C)
Installed mods:
* FeedsAndSpeeds 0.5.0
The weeklies are not signed.
Changes on top of ccef8eb4083ae038aa86ea1001de7ee136da1350 fix signatures for libraries modified by install_name_tool
Additional changes according to findings in https://github.com/FreeCAD/FreeCAD/issues/10144#issuecomment-1847657394
I ran create_bundle.sh to build a new FreeCAD.app bundle. The bundle does not contain rpaths with absolute paths and the app does not crash when launched.
cc: @adrianinsaval