Open machawk1 opened 1 year ago
After modifying the binary file names from each of the version built and installed from homebrew as well as the version built from the current HEAD of the main branch (4e5556b2), the results are different:
% spctl --assess /Applications/WAIL_from_homebrew.app
/Applications/WAIL_from_homebrew.app: rejected
% spctl --assess /Applications/WAIL_from_src.app
/Applications/WAIL_from_src.app: invalid Info.plist (plist or signature have been modified)
I am not certain whether any codesigning procedure is executed in the build process, but the Info.plist is modified by the build script for file (e.g., WARC) association and more descriptive copyright information.
EDIT: Preventing the plist file from being replaced by the shell build script and retaining the original file generated from pyinstaller produces a rejection like the above:
% spctl --assess /Applications/WAIL.app
/Applications/WAIL.app: rejected
I disabled the Info.plist copy in the MAKEFILE and installed and signed via an Apple Developer certificate via modifying the build script to use:
pyinstaller -p bundledApps ./bundledApps/WAIL.py --codesign CJN5C23SY3 --onefile --windowed --clean --target-arch universal2 --icon="./build/icons/wail_blue.icns"
...with the certificate installed on the system. The error still seems to remain:
% spctl --assess /Applications/WAIL.app
/Applications/WAIL.app: rejected
I re-enabled the Info.plist copy in the build script and am attempting to sign the app after building with pyinstaller. After getting my id to appear when using security find-identity -p basic -v, I ran:
codesign --deep --force --options=runtime --entitlements ~/Downloads/entitlements.plist --sign "THEIDWASHERE" --timestamp /Applications/WAIL.app
...and received the messages:
/Applications/WAIL.app: replacing existing signature
/Applications/WAIL.app: unsealed contents present in the bundle root
Re-running the validation script after the above:
% spctl --assess /Applications/WAIL.app
/Applications/WAIL.app: invalid Info.plist (plist or signature have been modified)
When I repeated the above procedure with the Info.plist copy in the build script, the result was:
spctl --assess /Applications/WAIL.app
/Applications/WAIL.app: rejected
Per https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow , the altool has been deprecated since November 2023. Look at this link for a newer notarization workflow.
...installs the latest release v0.2019.05.21, which is very obsolete from the repo HEAD. On macOS 13.1 x86, after installing via homebrew and double-clicking on the app, a warning appears:
This is easily circumvented by right-clicking on the icon and selecting "open", again presented with a warning, but this first impression is not ideal.
I believe the application needs to be notarized (see notes in #446) or some other process of verification to prevent this warning.
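An added example, not part of the original thread or the WAIL build script: a read-only preflight for the two messages quoted above, "unsealed contents present in the bundle root" and "invalid Info.plist (plist or signature have been modified)". The function names are hypothetical, and the timestamp comparison is a heuristic that assumes Contents/_CodeSignature/CodeResources is rewritten each time the bundle is signed.

```shell
#!/bin/sh
# Added example: read-only preflight for a macOS .app bundle. Function names
# are hypothetical; none of this comes from the WAIL build script.

# Print each entry in the bundle root other than "Contents". codesign reports
# such entries as "unsealed contents present in the bundle root".
bundle_root_extras() (
    app="$1"
    for entry in "$app"/* "$app"/.[!.]* "$app"/..?*; do
        # Unmatched globs stay literal, so skip names that do not exist.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name="${entry##*/}"
        [ "$name" = "Contents" ] || printf '%s\n' "$name"
    done
)

# Exit 0 when Info.plist is newer than the signature's CodeResources file.
# Heuristic (assumption): CodeResources is rewritten whenever the bundle is
# signed, so a newer Info.plist means the plist changed after signing.
plist_modified_after_signing() (
    plist="$1/Contents/Info.plist"
    seal="$1/Contents/_CodeSignature/CodeResources"
    [ -f "$plist" ] && [ -f "$seal" ] && [ "$plist" -nt "$seal" ]
)

# Run both checks and report; exit status is 1 if either check fails.
preflight() (
    app="$1"; status=0
    extras="$(bundle_root_extras "$app")"
    if [ -n "$extras" ]; then
        printf 'FAIL: bundle root holds entries other than Contents:\n%s\n' "$extras"
        status=1
    fi
    if plist_modified_after_signing "$app"; then
        echo "FAIL: Info.plist is newer than the signature; sign after the last plist edit"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: layout and timestamps are consistent"
    exit "$status"
)

# Usage: sh preflight.sh /Applications/WAIL.app
[ "$#" -eq 0 ] || preflight "$1"
```

A passing preflight only rules out these two causes; the bundle still has to pass codesign --verify and spctl --assess on macOS.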