Pipeline engine fails to start up

[ways2read]

Installed Pipeline app 1.3.0 for my mac running Sonoma 14.4.1. I notice that the installer is not signed and is from an unidentified developer. I authorize the installer via System settings / Privacy and security and the new version appears to install OK.

I launch Pipeline but it never gets beyond "Starting the engine". I rebooted and no change.

[marisademeglio]

Thanks for the report. What I'm finding is that the original file works locally without complaints, but as soon as I upload it to somewhere (github, dropbox) and download it and run it, I get the same error as you. I don't know if something changed in the mac universe that would affect this process - we are creating the package file installer like we have in the past, via Apple's signing + notarization with our team account. So it is indeed signed and from an identified developer, even though it's complaining that it's not. We will have to investigate this further.

@bertfrees @rdeltour @NPavie can you try it out from our official release page? And note here which macOS you have. I have the same as @ways2read, Sonoma 14.4.1.

I am not sure about the problem starting the engine. That doesn't happen for me even after authorizing the installer and starting the app.

[GeorgeKerscher]

Hi,

When I installed on Windows, I too had to select more and say OK to the unsigned software.

Best George

[danielweck]

pkgutil --check-signature daisy-pipeline-1.3.0-mac.pkg

==>

   Status: no signature

syspolicy_check distribution daisy-pipeline-1.3.0-mac.pkg

App has failed one or more pre-distribution checks.
---------------------------------------------------------------
Codesign Error
    Severity: Fatal 
    Full Error: File is not signed at all. 
    Type: Notary Error 

Notary Ticket Missing
    Severity: Fatal 
    Full Error: A Notarization ticket is not stapled to this application. 
    Type: Distribution Error 

spctl -a -vvv -t open --context context:primary-signature daisy-pipeline-1.3.0-mac.pkg

spctl -a -vvv -t install daisy-pipeline-1.3.0-mac.pkg

==>

daisy-pipeline-1.3.0-mac.pkg: rejected
source=no usable signature

codesign -dv --verbose=4 daisy-pipeline-1.3.0-mac.pkg

==>

code object is not signed at all

xattr -l daisy-pipeline-1.3.0-mac.pkg ==> com.apple.quarantine

To remove the quarantine flag and install the PKG:

xattr -dr com.apple.quarantine daisy-pipeline-1.3.0-mac.pkg

[danielweck]

syspolicy_check distribution DAISY\ Pipeline.app ==>

App passed all pre-distribution checks and is ready for distribution.

spctl -a -vvv -t open --context context:primary-signature DAISY\ Pipeline.app

spctl -a -vvv -t install DAISY\ Pipeline.app

==>

DAISY Pipeline.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: US Fund for DAISY (SAMG8AWD69)

codesign -dv --verbose=4 DAISY\ Pipeline.app

==>

Identifier=org.daisy.pipeline-ui
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=481 flags=0x10000(runtime) hashes=4+7 location=embedded
VersionPlatform=1
VersionMin=658688
VersionSDK=787200
Hash type=sha256 size=32
CandidateCDHash sha256=5c8d877e3db01591b2e2ccf6cce8c0fadd2580c2
CandidateCDHashFull sha256=5c8d877e3db01591b2e2ccf6cce8c0fadd2580c2ff258422d162cc59bafc468d
Hash choices=sha256
CMSDigest=5c8d877e3db01591b2e2ccf6cce8c0fadd2580c2ff258422d162cc59bafc468d
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=8192
Executable Segment flags=0x1
Page size=4096
CDHash=5c8d877e3db01591b2e2ccf6cce8c0fadd2580c2
Signature size=8984
Authority=Developer ID Application: US Fund for DAISY (SAMG8AWD69)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=26 Apr 2024 at 18:26:39
Notarization Ticket=stapled
Info.plist entries=30
TeamIdentifier=SAMG8AWD69
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=306
Internal requirements count=1 size=184

[marisademeglio]

Interesting, thanks @danielweck - so the app is signed but the pkg is not?

[danielweck]

I'm running Sonoma 14.4.1 (23E224), MacBookPro Intel Core i5 (I mention the architecture because I had AppleSilicon-specific code-signing / notarization issues for an Electron app that didn't have some hardened entitlements. I don't think that's your problem here. The APP is code-signed and notarized but not the PKG installer, it seems.

[marisademeglio]

We use electron to create installers and it appears that it does not support notarizing pkg files, although I did not see any complaints for our previous release which used pkg (first appeared in Pipeline v 1.2.7; before that, we used dmg).

https://github.com/electron/notarize/issues/60

[danielweck]

https://github.com/daisy/pipeline-ui/blob/4bd804df313390476b4b47b1a0c4dcee4e89ce0a/electron-builder.js#L26

Maybe add "sign": true here?

[marisademeglio]

https://github.com/daisy/pipeline-ui/blob/4bd804df313390476b4b47b1a0c4dcee4e89ce0a/electron-builder.js#L26

Maybe add "sign": true here?

configuration.pkg has an unknown property 'sign'. These properties are valid:
object { allowAnywhere?, allowCurrentUserHome?, allowRootDirectory?, artifactName?, background?, conclusion?, hasStrictIdentifier?, identity?, installLocation?, isRelocatable?, isVersionChecked?, license?, mustClose?, overwriteAction?, productbuild?, publish?, scripts?, welcome? }

[danielweck]

https://github.com/daisy/pipeline-ui/blob/4bd804df313390476b4b47b1a0c4dcee4e89ce0a/electron-builder.js#L19

Maybe add entitlements here?

"entitlements": "./entitlements.mac.plist",
"entitlementsInherit": "./entitlements.mac.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
  </dict>
</plist>

[marisademeglio]

We may be able to upgrade electron (or something) and get support for this.

The fix here was made available in electron-notarize 2.3.0: https://github.com/electron/notarize/pull/169

[marisademeglio]

https://github.com/daisy/pipeline-ui/blob/4bd804df313390476b4b47b1a0c4dcee4e89ce0a/electron-builder.js#L19

Maybe add entitlements here?

"entitlements": "./entitlements.mac.plist",
"entitlementsInherit": "./entitlements.mac.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
  </dict>
</plist>

No luck here either. And that's what our plist file looks like too.

[marisademeglio]

Confirm that this is also an issue with 1.2.7 on mac, that was never reported.

Opened a new issue specifically for pkg installers: https://github.com/daisy/pipeline-ui/issues/224

Other issues in this thread that are unexplored as of now:

• engine not starting (could not reproduce)
• windows installer reported as unsigned
  • confirmed on our end
  • EDIT: resolved

[marisademeglio]

@ways2read could you check with the latest windows installer if you still have an issue with the engine not starting?

[ways2read]

My Windows installations work fine. I just reinstalled the latest mac version and the engine still does not start. :(

[ways2read]

I removed my existing Pipeline installation, restarted and reinstalled. The settings were retained so I clearly didn't remove those. Pipeline app is now working as expected.