indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Issue with complex nested bundle (with e04ddb2 fix) #171

Open Yuuon opened 2 weeks ago

Yuuon commented 2 weeks ago

Hi there. As mentioned in #149, we still have an issue when trying to notarize our application with a new in-Unity browser plugin, which is heavily nested, with a file structure like:

VuplexWebViewMac.bundle
  |-- Contents
     |-- MacOS
       |-- VuplexWebViewMac
     |-- Frameworks
       |-- Vuplex WebView.app
         |-- Contents
           |-- MacOS
             |-- Vuplex WebView
           |-- Frameworks
             |-- Vuplex WebView Helper (GPU).app
               |-- Contents
                 |-- MacOS
                   |-- Vuplex WebView Helper (GPU)
             |-- Vuplex WebView Helper (Plugin).app
               |-- Contents
                 |-- MacOS
                   |-- Vuplex WebView Helper (Plugin)
             |-- Vuplex WebView Helper (Renderer).app
               |-- Contents
                 |-- MacOS
                   |-- Vuplex WebView Helper (Renderer)
             |-- Vuplex WebView Helper.app
               |-- Contents
                 |-- Mac OS
                   |-- Vuplex WebView Helper

Before we import the plugin, the notarization with this tool works fine.

Here are more details: OS: Ubuntu 22.04. Steps to reproduce:

  1. Install the latest cargo and rustc;
  2. Use cargo install --git https://github.com/indygreg/apple-platform-rs --branch main apple-codesign to install the latest version from the main branch;
  3. With an application already built, run the command:
    rcodesign sign --for-notarization \
    -e [path_to_entitlements] \
    --code-signature-flags runtime \
    --p12-file [path_to_p12_file] --p12-password-file [path_to_pwd_file] \
    ./Application.app

    then:

    rcodesign notary-submit \
    --api-key-file [path_to_appstoreconnectkey] \
    --staple \
    Application.app

During code signing, several messages related to this plugin are shown:

entering nested bundle Contents/PlugIns/VuplexWebViewMac.bundle/Contents/Frameworks/Vuplex WebView.app
signing bundle at ./Application.app/Contents/PlugIns/VuplexWebViewMac.bundle/Contents/Frameworks/Vuplex WebView.app into ./Application.app/Contents/PlugIns/VuplexWebViewMac.bundle/Contents/Frameworks/Vuplex WebView.app
could not find main executable of presumed nested bundle: Contents/Frameworks/Vuplex WebView Helper (GPU).app
could not find main executable of presumed nested bundle: Contents/Frameworks/Vuplex WebView Helper (Plugin).app
could not find main executable of presumed nested bundle: Contents/Frameworks/Vuplex WebView Helper (Renderer).app
could not find main executable of presumed nested bundle: Contents/Frameworks/Vuplex WebView Helper.app
signing Mach-O file Contents/MacOS/Vuplex WebView
creating cryptographic signature with certificate [certification Info]
bundle has no main executable to sign specially
leaving nested bundle Contents/PlugIns/VuplexWebViewMac.bundle/Contents/Frameworks/Vuplex WebView.app

and

entering nested bundle Contents/PlugIns/VuplexWebViewMac.bundle
signing bundle at ./Application.app/Contents/PlugIns/VuplexWebViewMac.bundle into ./Application.app/Contents/PlugIns/VuplexWebViewMac.bundle
could not find main executable of presumed nested bundle: Contents/Frameworks/Vuplex WebView.app
signing main executable Contents/MacOS/VuplexWebViewMac
creating cryptographic signature with certificate [certification Info]
creating cryptographic signature with certificate [certification Info]
leaving nested bundle Contents/PlugIns/VuplexWebViewMac.bundle

The most suspicious thing is that it says it could not find the main executable in the nested bundle, but actually every bundle/app in this plugin has one.

And the notarization still fails, the same as what I mentioned in #149:

notary log>     {
notary log>       "architecture": "arm64",
notary log>       "code": null,
notary log>       "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
notary log>       "message": "The signature of the binary is invalid.",
notary log>       "path": "Application.app.zip/Application.app/Contents/PlugIns/VuplexWebViewMac.bundle/Contents/MacOS/VuplexWebViewMac",
notary log>       "severity": "error"
notary log>     },
notary log>     {
notary log>       "architecture": "x86_64",
notary log>       "code": null,
notary log>       "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
notary log>       "message": "The signature of the binary is invalid.",
notary log>       "path": "Application.app.zip/Application.app/Contents/PlugIns/VuplexWebViewMac.bundle/Contents/Frameworks/Vuplex WebView.app/Contents/MacOS/Vuplex WebView",
notary log>       "severity": "error"
notary log>     },

I have put only part of the message here; the same error also happens for Vuplex WebView Helper, Vuplex WebView Helper (Plugin), Vuplex WebView Helper (GPU), Vuplex WebView Helper (Renderer), and VuplexWebViewMac (that is, every Mach-O file in the bundle).

Using the native method to codesign/notarize the same application directly on a Mac, code signing the nested bundle level by level works fine.
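
A way to cross-check the "could not find main executable" messages independently of rcodesign, as an added example that is not part of the original post or of apple-codesign: it lists every nested .app/.bundle deepest first and checks that the executable named by CFBundleExecutable in Contents/Info.plist exists under Contents/MacOS. The sample tree is constructed (its Info.plist contents and the one misnamed directory are assumptions), and the function names are hypothetical.

```python
import os
import plistlib
import tempfile

BUNDLE_SUFFIXES = (".app", ".bundle")  # assumption: the two bundle kinds in the post

def check_main_executable(bundle):
    """Status of the executable named by CFBundleExecutable in Contents/Info.plist."""
    info = os.path.join(bundle, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return "no Info.plist"
    with open(info, "rb") as fh:
        name = plistlib.load(fh).get("CFBundleExecutable")
    if not name:
        return "no CFBundleExecutable"
    exe = os.path.join(bundle, "Contents", "MacOS", name)
    return "ok" if os.path.isfile(exe) else "missing Contents/MacOS/" + name

def audit_bundles(root):
    """[(relative path, status)] for root and every nested bundle, deepest first."""
    found = [d for d, _, _ in os.walk(root) if d.endswith(BUNDLE_SUFFIXES)]
    found.sort(key=lambda p: (-p.count(os.sep), p))  # inner code is signed first
    return [(os.path.relpath(b, os.path.dirname(root)), check_main_executable(b)) for b in found]

def make_bundle(path, exe_name, macos_dir="MacOS"):
    """Write a constructed bundle skeleton: Info.plist plus an empty executable."""
    os.makedirs(os.path.join(path, "Contents", macos_dir))
    with open(os.path.join(path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": exe_name}, fh)
    open(os.path.join(path, "Contents", macos_dir, exe_name), "wb").close()

def build_sample(tmp):
    """Constructed tree shaped like the plugin in the post (two of the four helpers)."""
    plugin = os.path.join(tmp, "VuplexWebViewMac.bundle")
    make_bundle(plugin, "VuplexWebViewMac")
    app = os.path.join(plugin, "Contents", "Frameworks", "Vuplex WebView.app")
    make_bundle(app, "Vuplex WebView")
    helpers = os.path.join(app, "Contents", "Frameworks")
    make_bundle(os.path.join(helpers, "Vuplex WebView Helper (GPU).app"),
                "Vuplex WebView Helper (GPU)")
    # Deliberately misnamed directory, to exercise the failure path.
    make_bundle(os.path.join(helpers, "Vuplex WebView Helper.app"),
                "Vuplex WebView Helper", macos_dir="Mac OS")
    return plugin

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, status in audit_bundles(build_sample(tmp)):
            print(f"{status:<46} {path}")
```

Run against a real build by calling `audit_bundles("./Application.app")`; framework bundles use a different layout and are not covered here.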