AdriaandeJongh
commented
8 months ago @cyberpuffin-digital did you end up finding a workaround for this? It could be that you need to codesign all the frameworks before you notarize.
Closed cyberpuffin-digital closed 8 months ago
AdriaandeJongh
commented
8 months ago @cyberpuffin-digital did you end up finding a workaround for this? It could be that you need to codesign all the frameworks before you notarize.
bruvzg
commented
8 months ago Singing seems to be working fine (passes local validation), I do not have proper Apple account and can't test notarization. It's possible that it is caused by missing Resources/Info.plist in the SQLite frameworks.
AdriaandeJongh
commented
8 months ago I just tried to notarize with the popular GodotSteam addon and that fails for pretty much the exact same reason:
{
"logFormatVersion": 1,
"jobId": "37eced4c-005a-469d-85db-6270676f6f02",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "td.dmg",
"uploadDate": "2024-01-23T14:47:00.886Z",
"sha256": "d5ebea08f0420966ecea90cb3462f5ad073dc8fea243cb737b0ce3a67d89fc93",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "td.dmg/td-gdscript.app/Contents/Frameworks/libgodotsteam.framework/libgodotsteam",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "td.dmg/td-gdscript.app/Contents/Frameworks/libgodotsteam.framework/libgodotsteam",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}When I ran into this issue with my game built in Unity, the solution to this was to codesign all the frameworks / binaries individually, but I just tried this and it didn't work. Maybe (probably) I wasn't doing it right, but I don't understand enough about code signing to really dig deeper into this.
This issue doesn't matter much for Steam builds specifically as Steam installs the app for you so notarization isn't required. But for any macOS game releasing outside of Steam, this is going to be a major deal breaker.
cyberpuffin-digital
commented
8 months ago @AdriaandeJongh I'm sorry, I haven't progressed on this problem as I'm not sure how to proceed. Cryptography is a pain.
AdriaandeJongh
commented
8 months ago Ah, dang. Well, if I ever want to release my game on GOG, this will have to get fixed somehow... @bruvzg is there something I can do to help debug this? Perhaps sponsor a year of Apple Developer for you? 😏
bruvzg
commented
8 months ago Have you tried adding .plists to framework, this is the only idea I have:
In case of this test project:
Add Resource subfolders with the Info.plist to the frameworks in the /addons/godot-sqlite/bin/
Info.plist should contain something like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>libgdsqlite.macos.template_debug</string>
<key>CFBundleIdentifier</key>
<string>org.test.gdsqlite</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>libgdsqlite.macos.template_debug</string>
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0.0</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1.0.0</string>
<key>LSMinimumSystemVersion</key>
<string>10.12</string>
</dict>
</plist>Note CFBundleExecutable, which should contain library binary name, and CFBundleIdentifier which should be valid identifier.
cyberpuffin-digital
commented
8 months ago @bruvzg thank you, this seems to have worked (cc: @AdriaandeJongh).
I created <project root>/addons/godot-sqlite/bin/libgdsqlite.macos.template_debug.framework/Resources/Info.plist as you described and I was able to notarize the app.
Still need to verify gatekeeper is happy on another machine, but running spctl --assess --type install --context context:primary-signature -v accessible_sudoku.dev.dmg yields:
accessible_sudoku.dev.dmg: accepted source=Notarized Developer ID
The notary log seems to indicate everything is good too; xcrun notarytool log "${request_uid}" --issuer "${issuer_id}" --key-id "${key_id}" --key "${key_path}":
{
"logFormatVersion": 1,
"jobId": “[removed]“,
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "accessible_sudoku.dev.dmg",
"uploadDate": "2024-02-02T18:44:55.082Z",
"sha256": "cc30705eaaeeddee3ccf59ed5b03be90d8bdbb8864f4d55109f90e9da9badc86",
"ticketContents": [
{
"path": "accessible_sudoku.dev.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "ff5443976bdeb6d2349fcb1a0dfd47d9ffa59549"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app",
"digestAlgorithm": "SHA-256",
"cdhash": "80067cc90599fd0bb8f94a3c90e171fb27efeaea",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app",
"digestAlgorithm": "SHA-256",
"cdhash": "e9b549fb1aca929d6c7fd07217189815c030cb52",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework",
"digestAlgorithm": "SHA-256",
"cdhash": "518804f79c7fa43c621ca14a4423fdbb685a3b0e",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework",
"digestAlgorithm": "SHA-256",
"cdhash": "b39388c5603c66ffdf84cbc52813de188519266b",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework/libgdsqlite.macos.template_debug",
"digestAlgorithm": "SHA-256",
"cdhash": "518804f79c7fa43c621ca14a4423fdbb685a3b0e",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework/libgdsqlite.macos.template_debug",
"digestAlgorithm": "SHA-256",
"cdhash": "b39388c5603c66ffdf84cbc52813de188519266b",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/MacOS/Accessible Sudoku",
"digestAlgorithm": "SHA-256",
"cdhash": "80067cc90599fd0bb8f94a3c90e171fb27efeaea",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/MacOS/Accessible Sudoku",
"digestAlgorithm": "SHA-256",
"cdhash": "e9b549fb1aca929d6c7fd07217189815c030cb52",
"arch": "arm64"
}
],
"issues": null
}We probably should auto generate missing .plists (with a warning, since it's an extension issue), like we already do when converting .dylibs to .frameworks in the iOS exporter.
Godot version
4.1.1.stable
System information
MacOS Ventura 13.5.2, Apple M2 (Mac mini)
Issue description
When I try to export my game using the Godot-Sqlite extension (https://github.com/2shady4u/godot-sqlite) the process continually fails at the Notarization step.
I have verified I'm using the correct certificate based on
security find-identity -v -p codesigningoutput, evidenced by the notarization log reducing from four errors (two complaining when I used the wrong certificate) to two which invariably complain the extension is not signed:I've tried variations of the following entitlements, including all of them:
The above error did not change in any case.
Here is the same report for the attached Minimal Project:
Steps to reproduce
Add the Godot-SQLite extension and export a Mac project with Code Signing and Notarization.
Minimal reproduction project
minimal_mac_export.zip
Couldn't attach the zip with the add-on installed, as it was too big. The attached project will need the SQLite add-on installed via the asset store.