Mac signature no longer accepted

[k9ert]

Starting the signed binary like this:

(.env) ➜  specter-desktop git:(kn/mac_signing) ✗ ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
[1]    45152 killed     ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
(.env) ➜  specter-desktop git:(kn/mac_signing) ✗

So the executable will get killed immediately and you'll see something like this in the logs:

Disallowing solutions.specter.desktop because no eligible provisioning profiles found

It seems that we need a provisioning profile. However, Apple is not mentioning that at it's documentation. There, only signing and notarizing is mentioned.

validating signatures

Is the signature of that binary even valid? A prerequisite for notarizing is that you sign your software with your developer key.

The signature can be checked like this:

``` ➜ specter-desktop git:(kn/mac_signing) ✗ pkgutil --check-signature ./pyinstaller/electron/dist/mac-arm64/Specter.app Package "Specter": Status: signed by a certificate trusted by macOS Certificate Chain: 1. Developer ID Application: Kim Neunert (FWV59JHV83) Expires: 2026-09-11 11:59:39 +0000 SHA256 Fingerprint: 06 C7 63 8C 92 5B DD 60 79 8C B1 B0 30 8D B7 98 2C 99 8E F3 33 87 A0 BD 03 1B 35 C5 3D 53 3C 3D ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 SHA256 Fingerprint: 7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 ➜ specter-desktop git:(kn/mac_signing) ✗ ```

Validating notarisation status

Is the software properly notarised?

yes, i think so:

``` ➜ specter-desktop git:(kn/mac_signing) ✗ spctl --assess --verbose --type execute ./pyinstaller/electron/dist/mac-arm64/Specter.app ./pyinstaller/electron/dist/mac-arm64/Specter.app: accepted source=Notarized Developer ID ➜ specter-desktop git:(kn/mac_signing) ✗ ```

additional context and further references:

• https://developer.apple.com/videos/play/wwdc2019/703/ (30 min video "all about notarisation")

Did it ever worked?

Yes, it did. The original notarisation-process was built on "altool". However, for some reason, binaries which got signed with that process started to crash.

I've created an issue at apple

DESCRIPTION OF PROBLEM The DMG can be downloaded here: https://github.com/cryptoadvance/specter-desktop/releases/tag/v2.0.2-pre4 After installing it and starting it, it results in: ``` ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Incident Identifier: 098A5E69-E3A3-4FAC-BB70-4A85FD2E9C36 CrashReporter Key: 0ECE6060-D469-9FCA-090A-DFE686CA0C88 Hardware Model: Mac14,9 Process: Specter [25891] Path: /Applications/Specter.app/Contents/MacOS/Specter Identifier: solutions.specter.desktop Version: 2.0.2-pre4 (2.0.2-pre4) Code Type: X86-64 (Native) Role: Default Parent Process: launchd [1] Coalition: solutions.specter.desktop [58761] Date/Time: 2023-06-28 13:57:30.0009 +0200 Launch Time: 2023-06-28 13:57:29.6777 +0200 OS Version: macOS 13.4 (22F66) Release Type: User Report Version: 104 Exception Type: EXC_CR ``` However at the time of signing, i got this jso-result back: ``` { "tool-version": "4.029.1194", "tool-path": "/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework", "success-message": "No errors getting notarization info.", "notarization-info": { "Status": "success", "Status Message": "Package Approved", "LogFileURL": "https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma116/v4/cc/ad/78/ccad781b-b1c4-7e4e-5f47-b2644f10e033/developer_log.json?accessKey=1688143920_4653658224769771469_dq5gv5qwSSLx%2F2%2Ft%2Bm946O%2B8jMVwX6msaTG2K83jgC4Mq%2BV%2FMw4m1F8FWhIPW%2FaO74vciaNYHdFf4XrawBdbU3GdmInRzdnqiIr%2BVZlZfSS6iI5gEVLNxDv6yLe5sf93TtVV13onU5N%2BLe5vT9M6OHwOAkmucHoHgemf%2BdxdXa4%3D", "Date": "2023-06-28T12:48:53.000Z", "RequestUUID": "97a93c1b-4806-4eb3-baa0-f185676ea0b1", "Status Code": 0, "Hash": "2240c7e15926eed5e1826f036359e81b50f9ded91d2589620cdbb81c1e853e91" }, "os-version": "10.15.7" } ``` The script which is building the whole app can be found here: https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-osx.sh The relevant part which doing the signing is here: https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-common.sh#L115-L168 STEPS TO REPRODUCE Download the dmg from above link, install and start. NAME AND APPLE ID OF APP specter-desktop

The answer from apple was not very precise.

unfold

Thank you for contacting Apple Developer Technical Support (DTS). Based on your request, we believe that your question is answered by the Apple Developer Forums discussion linked here: Resolving Trusted Execution Problems https://developer.apple.com/forums/thread/706442 If after reviewing this information you have further questions or persistent issues, and do not wish to follow up on the Developer Forums, please reply to this email and we will re-open this support inquiry, re-debiting a Technical Support Incident (TSI) if appropriate to do so.

After some digging, i decided to migrate from altool to notarytool and the result is the errormessage at the top of this ticket.

Understanding Provisiong Profiles

Just for the reference, some information about provisioning profiles. here are different profiles explained. For our use-case, it seems that the AdHoc profile might be the way to go.

ChatGPT spits out those references:

Development Provisioning Profile:

Apple Developer Documentation: https://developer.apple.com/documentation/xcode/understanding-and-creating-provisioning-profiles Ad Hoc Provisioning Profile:

Apple Developer Documentation: https://developer.apple.com/documentation/xcode/distributing-your-app-for-beta-testing Distribution Provisioning Profile:

Apple Developer Documentation: https://developer.apple.com/documentation/appstoreconnectapi/profiles

Relevant information nuggets:

• https://www.youtube.com/watch?v=Ys2p5bFhgjI

[k9ert]

I have some intermediate result. Several issues got mixed here:

• It seems that there is something like a "entitlement threshold". In our case, we added a URI-Handler (specter://...) to the entitlements. So removing it fixed the issue on the old intel based machine. This makes sense to me even without finding a documentation describing it.
• However it now crashes on the M2 machine which is unfortunate as all modern machines are no longer intel based.

So at least we can release again. We'll pick up the URL-Handler later and also the crash on M2.