IntersectMBO / cardano-node

The core component that is used to participate in a Cardano decentralised blockchain.
https://cardano.org
Apache License 2.0

[BUG] - macOS binaries can't be opened because of "X can’t be opened because it is from an unidentified developer" error #3285

Open arielelkin opened 2 years ago

arielelkin commented 2 years ago

Internal/External: External otherwise.

Area: Other. Any other topic (Delegation, Ranking, ...).

Summary: Trying to open any of the macOS binaries results in this error message:

X can’t be opened because it is from an unidentified developer

System info (please complete the following information):

Additional context: None of the macOS binaries work out of the box, as they and their associated dylibs haven't been codesigned, which results in macOS's Gatekeeper preventing their execution and showing an error message:

X can’t be opened because it is from an unidentified developer

Having to sudo, or right-click open, or change Security settings on an ad-hoc basis for every single binary and dylib is not a viable solution. It's not aligned with platform standards, it's not user-friendly, and it's an unnecessary hurdle for novice programmers.

Also see https://github.com/input-output-hk/cardano-wallet/issues/2966
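
The post above traces the Gatekeeper block to binaries and dylibs that were never codesigned. As an added example (not code from this issue or from the cardano-node project), the Python below triages a downloaded file by checking every Mach-O slice for an `LC_CODE_SIGNATURE` load command; the function names and the sample bytes are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D

def _slice_status(data, base):
    """Return (cputype, has LC_CODE_SIGNATURE) for the thin image at base."""
    if len(data) < base + 28:
        raise ValueError("truncated Mach-O header")
    for endian in "<>":  # the header may be stored in either byte order
        magic, cputype, _, _, ncmds, sizeofcmds = struct.unpack_from(
            endian + "IiiIII", data, base)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a Mach-O image")
    offset = base + (32 if magic == MH_MAGIC_64 else 28)
    end = offset + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("malformed load command table")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return cputype, True
        offset += cmdsize
    return cputype, False

def signature_status(data):
    """Map cputype -> True/False for each slice of a thin or fat Mach-O."""
    if data[:4] != struct.pack(">I", FAT_MAGIC):
        return dict([_slice_status(data, 0)])
    (nfat,) = struct.unpack_from(">I", data, 4)
    # fat_arch entries are 20 bytes, big-endian; the slice offset is field 3
    offsets = [struct.unpack_from(">I", data, 16 + 20 * i)[0]
               for i in range(nfat)]
    return dict(_slice_status(data, off) for off in offsets)

def sample_macho(cputype, signed):
    """Constructed minimal 64-bit header plus load commands (demo input)."""
    cmds = struct.pack("<II16x", LC_UUID, 24)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    return struct.pack("<IiiIIII4x", MH_MAGIC_64, cputype, 0, 2,
                       2 if signed else 1, len(cmds), 0) + cmds
```

A `True` result only shows that some signature is embedded, including an ad-hoc one; on macOS, `codesign --verify` and `spctl --assess` determine whether the signature is valid and whether Gatekeeper will accept it.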

Jimbo4350 commented 1 year ago

Closing this. If this is still relevant please reopen.

arielelkin commented 1 year ago

@Jimbo4350 I think this issue is still relevant, but I don't have the ability to reopen. Could you please reopen?

Jimbo4350 commented 1 year ago

I've asked for input from @newhoggy

newhoggy commented 1 year ago

Reproduced on this download: https://hydra.iohk.io/build/17428186


newhoggy commented 1 year ago

This is the current situation:

We only sign Mac binaries in Daedalus. Signing and notarization isn't part of the normal CI. That could potentially change with our new CI build system, but don't expect it anytime soon.

arielelkin commented 1 year ago

What's your rationale for not signing Mac binaries?

disassembler commented 1 year ago

Signing is easy, automation of notarization is a bear, and upstream Apple keeps breaking our process (for Daedalus signing), which usually halts the release process for weeks waiting for legal sign-off for new license agreements, or a forced upgrade to a new version of OS X because Xcode needs to be upgraded, etc. Windows is just as much a pain, being connected to an HSM that needs to be manually touched every few weeks. Because the automation around signing Windows and Mac binaries is so complicated, we only do it with Daedalus releases at the moment. If everyone would just adopt regular PGP signatures across all platforms my life would be a lot easier...

arielelkin commented 1 year ago

@disassembler if you have signing set up, notarization is just these two commands:

xcrun notarytool submit $PATH_TO_SIGNED_BINARY \
    --apple-id $IOG_APPLEID \
    --password $IOG_APPLEID_PASSWORD \
    --team-id $IOG_TEAMID \
    --progress \
    --wait

xcrun stapler staple $PATH_TO_SIGNED_BINARY

Have you tried adding that to your CI pipeline?