JuliaCI / julia-buildkite

Buildkite configuration files for Base Julia CI

macOS: Code signing should detect CSSMERR_TP_CERT errors #402

Closed maleadt closed 2 weeks ago

maleadt commented 2 weeks ago

When we need to accept a new agreement, this is flagged in the find-identity output as such:

julia@macmini-x64-5 ~ % security find-identity -p codesigning

Policy: Code Signing
  Matching identities
  1) XXX "Developer ID Application: Julia Computing LLC (YYY)" (CSSMERR_TP_CERT_EXPIRED)
     1 identities found

  Valid identities only
     0 valid identities found

We should probably detect the CSSMERR_TP_CERT_EXPIRED here (as well as CSSMERR_TP_NOT_TRUSTED) instead of hitting a more inscrutable error down the line:

Codesigning file dmg/Julia-1.12.app/Contents/MacOS/applet with identity ZZZ
dmg/Julia-1.12.app/Contents/MacOS/applet: replacing existing signature
created: /Users/julia/.julia/scratchspaces/a66863c6-20e8-4ff4-8a62-49f30b1f605e/agent-cache/default-honeycrisp-HL2F7YQ3XH.0/build/default-honeycrisp-HL2F7YQ3XH-0/julialang/julia-master/julia-4278ded290-macos-aarch64.dmg
Codesigning file julia-4278ded290-macos-aarch64.dmg with identity E7CEA0DEF3BD5B83E9C50D9318845219097F43A0
Conducting pre-submission checks for julia-4278ded290-macos-aarch64.dmg and initiating connection to the Apple notary service...
2024-11-07 23:55:29.094 notarytool[84055:352057] NetworkStorageDB:_openDBReadConnections: failed to open read connection to DB @ /Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db.  Error=14. Cause=unable to open database file
2024-11-07 23:55:29.094 notarytool[84055:352057] The read-connection to the DB=/Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db is NOT valid.  Unable to determine schema version.
2024-11-07 23:55:29.094 notarytool[84055:352057] NetworkStorageDB:_openDBWriteConnections: failed to open write connection to DB @ /Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db.  Error=14. Cause=unable to open database file
2024-11-07 23:55:29.094 notarytool[84055:352057] DEBUG: there is no SQL cache DB located at /Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db.
2024-11-07 23:55:29.094 notarytool[84055:352057] DEBUG: there is no SQL cache DB located at /Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db-shm.
2024-11-07 23:55:29.094 notarytool[84055:352057] DEBUG: there is no SQL cache DB located at /Users/julia/Library/Caches/com.apple.gke.notary.tool/Cache.db-wal.
2024-11-07 23:55:29.430 notarytool[84055:352065] writeDBwithCachedResponse-ERROR: (_dbWriteConnection=0x13b608410) insert SQL stmnt. is nil for storage: /Users/julia/Library/Caches/com.apple.gke.notary.tool
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.

maleadt commented 2 weeks ago

Actually, CSSMERR_TP_CERT_EXPIRED is also used for actual expired certificates, so the HTTP status code provides more information.
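Added example (not code from the julia-buildkite repository): a POSIX sh check that covers both comments above, reading `security find-identity -p codesigning` output to fail before `codesign` runs when no valid identity exists, reporting the CSSMERR_TP_* status it saw, and separately recognising the notary service's HTTP 403 "agreement" failure. The sample outputs are constructed; the identity hash and team ID in them are placeholders.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -p codesigning` output; the
# hash and team ID are placeholders, the layout mirrors the issue above.
SAMPLE_FIND_IDENTITY='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "Developer ID Application: Example Org (TEAMID0000)" (CSSMERR_TP_CERT_EXPIRED)
     1 identities found

  Valid identities only
     0 valid identities found'

# Constructed sample of the notarytool failure line quoted in the issue.
SAMPLE_NOTARY_ERR='Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired.'

# Print the distinct CSSMERR_TP_* status codes found in find-identity output ($1),
# space-separated (empty when every identity is valid).
identity_status_codes() {
    printf '%s\n' "$1" | sed -n 's/.*(\(CSSMERR_TP_[A-Z_]*\)).*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Classify find-identity output ($1). Return codes:
#   0  at least one valid identity: signing can proceed
#   2  identities matched but none is valid (CSSMERR_TP_CERT_EXPIRED,
#      CSSMERR_TP_NOT_TRUSTED, ...): print the codes so the log explains itself
#   3  no identity matched the "Code Signing" policy at all
check_codesign_identity() {
    valid=$(printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p')
    matching=$(printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) identities found.*/\1/p')
    if [ "${valid:-0}" -gt 0 ]; then
        return 0
    elif [ "${matching:-0}" -gt 0 ]; then
        echo "codesign: no valid identity; status of matching identities: $(identity_status_codes "$1")" >&2
        return 2
    else
        echo "codesign: no identity matches the Code Signing policy" >&2
        return 3
    fi
}

# Return 0 when notarytool output ($1) is the HTTP 403 "agreement" failure. As the
# second comment notes, CSSMERR_TP_CERT_EXPIRED alone cannot tell an unaccepted
# agreement from a genuinely expired certificate; this message can.
is_agreement_error() {
    printf '%s\n' "$1" | grep -q 'HTTP status code: 403.*agreement'
}
```

In a pipeline step, run `check_codesign_identity "$(security find-identity -p codesigning)" || exit $?` before the first `codesign` call so the job fails with the status code in the log rather than with the later notarytool error.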