FreeCAD / FreeCAD-Bundle

Stand-alone repo to Build and Deploy installable FreeCAD images
https://freecad.org
GNU Lesser General Public License v2.1

macOS: fix rpaths in macOS CI builds #203

Closed martinsp closed 7 months ago

martinsp commented 7 months ago

Changes on top of ccef8eb4083ae038aa86ea1001de7ee136da1350 fix signatures for libraries modified by install_name_tool.

Additional changes according to findings in https://github.com/FreeCAD/FreeCAD/issues/10144#issuecomment-1847657394

I ran create_bundle.sh to build a new FreeCAD.app bundle. The bundle does not contain rpaths with absolute paths and the app does not crash when launched.

cc: @adrianinsaval

adrianinsaval commented 7 months ago

do we need a dev certificate for this?

martinsp commented 7 months ago

do we need a dev certificate for this?

No. Xcode does this automatically when FreeCAD is built. With the added codesign command we fix the (adhoc) signature that was already applied by Xcode on the initial build and that we invalidated when we modified the dylibs with install_name_tool.

https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc

adrianinsaval commented 7 months ago

ok let's merge and try it, @JohnOCFII could you test the new build that will be available in a few minutes?

@chennes can you test signing the new weekly? and maybe upload it somewhere so martinsp can test it too

JohnOCFII commented 7 months ago

ok let's merge and try it, @JohnOCFII could you test the new build that will be available in a few minutes?

Loads and runs fine on my M1/arm Mac. It is not signed, though. Wasn't sure if that was a goal with this "weekly" or not.

OS: macOS 14.1.2
Word size of FreeCAD: 64-bit
Version: 0.22.0dev.35370 (Git)
Build type: Release
Branch: main
Hash: 1066bb54ceec8f4f8376b5149253acda5677651d
Python 3.10.13, Qt 5.15.8, Coin 4.0.2, Vtk 9.2.6, OCC 7.6.3
Locale: C/Default (C)

chennes commented 7 months ago

I was able to successfully sign this bundle as long as I did not try to enable the entitlements.

ETA: Here's a link to the DMG on my OneDrive...

JohnOCFII commented 7 months ago

I was able to successfully sign this bundle as long as I did not try to enable the entitlements.

I was able to open the version from your OneDrive and it was signed.

adrianinsaval commented 7 months ago

I was able to successfully sign this bundle as long as I did not try to enable the entitlements.

ETA: Here's a link to the DMG on my OneDrive...

does the old image with the rpaths not work even without entitlements or are we in the same situation as before?

martinsp commented 7 months ago

I was able to successfully sign this bundle as long as I did not try to enable the entitlements.

Did the signing step fail, or were you not able to launch the application when entitlements were enabled? If it failed to launch, can you share that bundle? I could take a look to find out if there is any other issue that macOS is not happy about when entitlements are enabled.

chennes commented 7 months ago

Signing appears to work fine, but the launch gives the unidentified developer warning. Here it is with the entitlements.

chennes commented 7 months ago

does the old image with the rpaths not work even without entitlements or are we in the same situation as before?

My guess is that the entitlements are the problem, and that signing without them will work.

martinsp commented 7 months ago

Yes, the entitlements are the problem, because the com.apple.security.cs.disable-library-validation entitlement forces macOS to perform additional checks when launching the application.

Thank you for providing the signed build. The next problem macOS complains about, which I found via Console.app, is:

File /Applications/FreeCAD.app/Contents/Resources/lib//libncurses.6.dylib failed on loadCmd /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib (loadCmd resolved to: (path not found), bundleURL: /Applications/FreeCAD.app)

By scanning FreeCAD.app with otool I found that /Applications/FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib and /Applications/FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib have LC_REEXPORT_DYLIB pointing to non-existing files on user macs.

Now we need to figure out how to eliminate those from the dylibs. Maybe @adrianinsaval has some ideas?

Edit:

Maybe this line has something to do with the issue, but I don't know how to work with conda: https://github.com/conda-forge/ncurses-feedstock/blob/19916cb49c7cf19f3a17a2bfcec4daef4f720a29/recipe/build.sh#L47

adrianinsaval commented 7 months ago

Is there some way we can patch the library directly? If not, I can try forking that feedstock and uploading a package without that to the freecad conda repo.

adrianinsaval commented 7 months ago

I think we need something like

install_name_tool -change /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib @loader_path/libtinfo.6.dylib libncurses.6.dylib
install_name_tool -change /private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfow.6.dylib @loader_path/libtinfow.6.dylib libncursesw.6.dylib

martinsp commented 7 months ago

Yes, I think the install_name_tool -change ... could work. I just noticed that other dylibs in the app bundle use @rpath/... instead of @loader_path/.... But maybe the @loader_path also works.

martinsp commented 7 months ago

@adrianinsaval according to my tests updating LC_REEXPORT_DYLIB with install_name_tool -change ... is the last step required to make macOS happy and allow FreeCAD signed with entitlements to run.

I took the weekly build FreeCAD_weekly-builds-35370-2023-12-14-conda-macOS-arm64-py310.dmg and made the following changes to the app bundle:

install_name_tool -change "/private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib" "@rpath/libtinfo.6.dylib" FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib
codesign --force --sign - FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib

install_name_tool -change "/private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/conda/osx/APP/FreeCAD.app/Contents/Resources/lib/libtinfow.6.dylib" "@rpath/libtinfow.6.dylib" FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib
codesign --force --sign - FreeCAD.app/Contents/Resources/lib/libncursesw.6.dylib

I then signed & notarized the build with the https://github.com/FreeCAD/FreeCAD/blob/main/src/Tools/macos_sign_and_notarize.sh script, and the resulting FreeCAD.app is running on an arm Mac.

Here is the weekly build I signed & notarized: https://drive.google.com/file/d/1rPn6LGPbdKrGz0EXK8tHxVIDlbheG9sk/view?usp=sharing
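
The scan and repair described in the comment above, as an added example that is not part of the thread or of the FreeCAD-Bundle scripts: it parses `otool -l` output for dylib references and rpaths that are absolute paths outside the system locations, and prints the `install_name_tool` and `codesign` commands that would repair them. The function names are hypothetical, and the sample output with its placeholder build path is constructed.

```shell
#!/bin/sh

# Reads `otool -l` text on stdin; prints "file<TAB>cmd<TAB>path" per finding.
audit_load_cmds() {
  awk '
    /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }  # file header
    $1 == "cmd" { cmd = $2; next }
    ($1 == "name" || $1 == "path") &&
    cmd ~ /^LC_(LOAD_DYLIB|LOAD_WEAK_DYLIB|REEXPORT_DYLIB|RPATH)$/ {
      p = $0
      sub(/^ *(name|path) /, "", p)
      sub(/ \(offset [0-9]+\)$/, "", p)
      if (p ~ /^\// && p !~ /^\/(usr\/lib|System\/Library)\//)
        printf "%s\t%s\t%s\n", file, cmd, p
    }'
}

# Prints (does not run) the repair used in the thread for each finding.
suggest_fixes() {
  while IFS="$(printf '\t')" read -r file cmd path; do
    case "$cmd" in
      LC_RPATH) echo "install_name_tool -delete_rpath \"$path\" \"$file\"" ;;
      *) echo "install_name_tool -change \"$path\" \"@rpath/${path##*/}\" \"$file\"" ;;
    esac
    echo "codesign --force --sign - \"$file\""
  done
}

# Constructed, trimmed `otool -l` output; the build path is a placeholder.
sample_otool_output() {
  cat <<'EOF'
FreeCAD.app/Contents/Resources/lib/libncurses.6.dylib:
Load command 4
          cmd LC_ID_DYLIB
         name @rpath/libncurses.6.dylib (offset 24)
Load command 10
          cmd LC_REEXPORT_DYLIB
         name /private/var/folders/XX/T/ci-build/FreeCAD.app/Contents/Resources/lib/libtinfo.6.dylib (offset 24)
Load command 11
          cmd LC_LOAD_DYLIB
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 12
          cmd LC_RPATH
         path @loader_path/ (offset 12)
EOF
}

sample_otool_output | audit_load_cmds | suggest_fixes
```

On a Mac, real input comes from `find FreeCAD.app -name '*.dylib' -exec otool -l {} + | audit_load_cmds`; an empty result means no build-machine paths are left in the bundle.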

adrianinsaval commented 7 months ago

Many thanks for your help! I'll see if I can script this this weekend

JohnOCFII commented 7 months ago

Here is the weekly build I signed & notarized: https://drive.google.com/file/d/1rPn6LGPbdKrGz0EXK8tHxVIDlbheG9sk/view?usp=sharing

Not that you needed confirmation, but I downloaded and launched it successfully. It was signed.

martinsp commented 7 months ago

Many thanks for your help! I'll see if I can script this this weekend

Thank you!

Not that you needed confirmation, but I downloaded and launched it successfully.

This is great! I have had occasions when something works only on my computer :)

adrianinsaval commented 6 months ago

https://github.com/FreeCAD/FreeCAD-Bundle/commit/39d698cfafc7fc9c545323c85240f9c88bf9e89d

and also pushed to 0.21.2 branch: b8d7211b2f3faa8cd9a1899ce64d00c168762b1b

@chennes please try signing with entitlements again

chennes commented 6 months ago

It seems to work now -- can someone else confirm? FPA-signed DMG (with entitlements) here.

martinsp commented 6 months ago

It seems to work now -- can someone else confirm?

Can confirm, it's working on my mac.

JohnOCFII commented 6 months ago

It seems to work now -- can someone else confirm?

Yes, it works (and is signed) on my Mac.

chennes commented 6 months ago

OK, I will sign the x86 one tonight and then they should be ready for release, @adrianinsaval

chennes commented 6 months ago

Bah, there is something wrong with the x86 signing. This one is different, presumably I'm failing to sign some file in the bundle that should be signed. Does anyone see what it is? DMG here.

martinsp commented 6 months ago

My guess is that x86 is signed with the wrong certificate. The output of codesign -dvvvv --extract-certificates FreeCAD.app for the x86 build reveals:

...
Authority=Apple Distribution: The FreeCAD project association (289DJRF23X)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
...

This seems to be a certificate which should be used when signing an app bundle for App Store distribution.

For the arm build the output is:

...
Authority=Developer ID Application: The FreeCAD project association (289DJRF23X)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
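
The certificate comparison made in the comment above, turned into a check that can gate a release; this is an added example, not part of the thread or of the project's signing script. It classifies `codesign -dvvvv` output by its first (leaf) `Authority=` line. The function names are hypothetical, and the `Signature=adhoc` and `TeamIdentifier=` sample lines are constructed around the Authority lines quoted in the thread.

```shell
#!/bin/sh
# Reads `codesign -dvvvv` text on stdin; prints "<kind> <team id>".
classify_signature() {
  awk '
    /^Signature=adhoc$/         { adhoc = 1 }
    /^Authority=/ && leaf == "" { leaf = substr($0, 11) }  # first Authority = leaf cert
    /^TeamIdentifier=/          { team = substr($0, 16) }
    END {
      if (adhoc)                                     kind = "adhoc"
      else if (leaf ~ /^Developer ID Application: /) kind = "developer-id"
      else if (leaf ~ /^Apple Distribution: /)       kind = "app-store"
      else                                           kind = "other"
      print kind, team
    }'
}

# Release gate: succeeds only for a Developer ID signature from team $1.
require_developer_id() {
  [ "$(classify_signature)" = "developer-id $1" ]
}

# Authority lines are the ones quoted in the thread; the rest is constructed.
sample() {
  case "$1" in
    x86) printf '%s\n' \
      'Authority=Apple Distribution: The FreeCAD project association (289DJRF23X)' \
      'Authority=Apple Worldwide Developer Relations Certification Authority' \
      'Authority=Apple Root CA' 'TeamIdentifier=289DJRF23X' ;;
    arm) printf '%s\n' \
      'Authority=Developer ID Application: The FreeCAD project association (289DJRF23X)' \
      'Authority=Developer ID Certification Authority' \
      'Authority=Apple Root CA' 'TeamIdentifier=289DJRF23X' ;;
    adhoc) printf '%s\n' 'Signature=adhoc' 'TeamIdentifier=not set' ;;
  esac
}

for build in x86 arm adhoc; do
  printf '%s: %s\n' "$build" "$(sample "$build" | classify_signature)"
done
```

`codesign -d` writes its report to stderr, so on a Mac the pipeline is `codesign -dvvvv FreeCAD.app 2>&1 | require_developer_id 289DJRF23X`.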

chennes commented 6 months ago

Good catch, thanks -- too many certificates!! Here is the signed-with-entitlements Intel DMG.

martinsp commented 6 months ago

The new signed x86 version works for me.

JohnOCFII commented 6 months ago

The latest weekly for macOS Arm was not signed. :(

OS: macOS 14.2.1
Word size of FreeCAD: 64-bit
Version: 0.22.0dev.35554 (Git)
Build type: Release
Branch: main
Hash: 8e2ab9f76888ac4da971f9d5069cec7bcc2b572f
Python 3.10.13, Qt 5.15.8, Coin 4.0.2, Vtk 9.2.6, OCC 7.6.3
Locale: C/Default (C)
Installed mods: 
  * FeedsAndSpeeds 0.5.0

chennes commented 6 months ago

The weeklies are not signed.