Closed cyberpuffin-digital closed 8 months ago
@cyberpuffin-digital did you end up finding a workaround for this? It could be that you need to codesign all the frameworks before you notarize.
Singing seems to be working fine (passes local validation), I do not have proper Apple account and can't test notarization. It's possible that it is caused by missing Resources/Info.plist
in the SQLite frameworks.
I just tried to notarize with the popular GodotSteam addon and that fails for pretty much the exact same reason:
{
"logFormatVersion": 1,
"jobId": "37eced4c-005a-469d-85db-6270676f6f02",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "td.dmg",
"uploadDate": "2024-01-23T14:47:00.886Z",
"sha256": "d5ebea08f0420966ecea90cb3462f5ad073dc8fea243cb737b0ce3a67d89fc93",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "td.dmg/td-gdscript.app/Contents/Frameworks/libgodotsteam.framework/libgodotsteam",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "td.dmg/td-gdscript.app/Contents/Frameworks/libgodotsteam.framework/libgodotsteam",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}
When I ran into this issue with my game built in Unity, the solution to this was to codesign all the frameworks / binaries individually, but I just tried this and it didn't work. Maybe (probably) I wasn't doing it right, but I don't understand enough about code signing to really dig deeper into this.
This issue doesn't matter much for Steam builds specifically as Steam installs the app for you so notarization isn't required. But for any macOS game releasing outside of Steam, this is going to be a major deal breaker.
@AdriaandeJongh I'm sorry, I haven't progressed on this problem as I'm not sure how to proceed. Cryptography is a pain.
Ah, dang. Well, if I ever want to release my game on GOG, this will have to get fixed somehow... @bruvzg is there something I can do to help debug this? Perhaps sponsor a year of Apple Developer for you? 😏
Have you tried adding .plist
s to framework, this is the only idea I have:
In case of this test project:
Add Resource
subfolders with the Info.plist
to the frameworks
in the /addons/godot-sqlite/bin/
Info.plist
should contain something like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>libgdsqlite.macos.template_debug</string>
<key>CFBundleIdentifier</key>
<string>org.test.gdsqlite</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>libgdsqlite.macos.template_debug</string>
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0.0</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1.0.0</string>
<key>LSMinimumSystemVersion</key>
<string>10.12</string>
</dict>
</plist>
Note CFBundleExecutable
, which should contain library binary name, and CFBundleIdentifier
which should be valid identifier.
@bruvzg thank you, this seems to have worked (cc: @AdriaandeJongh).
I created <project root>/addons/godot-sqlite/bin/libgdsqlite.macos.template_debug.framework/Resources/Info.plist
as you described and I was able to notarize the app.
Still need to verify gatekeeper is happy on another machine, but running spctl --assess --type install --context context:primary-signature -v accessible_sudoku.dev.dmg
yields:
accessible_sudoku.dev.dmg: accepted source=Notarized Developer ID
The notary log seems to indicate everything is good too; xcrun notarytool log "${request_uid}" --issuer "${issuer_id}" --key-id "${key_id}" --key "${key_path}"
:
{
"logFormatVersion": 1,
"jobId": “[removed]“,
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "accessible_sudoku.dev.dmg",
"uploadDate": "2024-02-02T18:44:55.082Z",
"sha256": "cc30705eaaeeddee3ccf59ed5b03be90d8bdbb8864f4d55109f90e9da9badc86",
"ticketContents": [
{
"path": "accessible_sudoku.dev.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "ff5443976bdeb6d2349fcb1a0dfd47d9ffa59549"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app",
"digestAlgorithm": "SHA-256",
"cdhash": "80067cc90599fd0bb8f94a3c90e171fb27efeaea",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app",
"digestAlgorithm": "SHA-256",
"cdhash": "e9b549fb1aca929d6c7fd07217189815c030cb52",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework",
"digestAlgorithm": "SHA-256",
"cdhash": "518804f79c7fa43c621ca14a4423fdbb685a3b0e",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework",
"digestAlgorithm": "SHA-256",
"cdhash": "b39388c5603c66ffdf84cbc52813de188519266b",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework/libgdsqlite.macos.template_debug",
"digestAlgorithm": "SHA-256",
"cdhash": "518804f79c7fa43c621ca14a4423fdbb685a3b0e",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/Frameworks/libgdsqlite.macos.template_debug.framework/libgdsqlite.macos.template_debug",
"digestAlgorithm": "SHA-256",
"cdhash": "b39388c5603c66ffdf84cbc52813de188519266b",
"arch": "arm64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/MacOS/Accessible Sudoku",
"digestAlgorithm": "SHA-256",
"cdhash": "80067cc90599fd0bb8f94a3c90e171fb27efeaea",
"arch": "x86_64"
},
{
"path": "accessible_sudoku.dev.dmg/Accessible Sudoku.app/Contents/MacOS/Accessible Sudoku",
"digestAlgorithm": "SHA-256",
"cdhash": "e9b549fb1aca929d6c7fd07217189815c030cb52",
"arch": "arm64"
}
],
"issues": null
}
We probably should auto generate missing .plist
s (with a warning, since it's an extension issue), like we already do when converting .dylib
s to .framework
s in the iOS exporter.
Godot version
4.1.1.stable
System information
MacOS Ventura 13.5.2, Apple M2 (Mac mini)
Issue description
When I try to export my game using the Godot-Sqlite extension (https://github.com/2shady4u/godot-sqlite) the process continually fails at the Notarization step.
I have verified I'm using the correct certificate based on
security find-identity -v -p codesigning
output, evidenced by the notarization log reducing from four errors (two complaining when I used the wrong certificate) to two which invariably complain the extension is not signed:I've tried variations of the following entitlements, including all of them:
The above error did not change in any case.
Here is the same report for the attached Minimal Project:
Steps to reproduce
Add the Godot-SQLite extension and export a Mac project with Code Signing and Notarization.
Minimal reproduction project
minimal_mac_export.zip
Couldn't attach the zip with the add-on installed, as it was too big. The attached project will need the SQLite add-on installed via the asset store.