pallotron / yubiswitch

OSX status bar application to enable/disable Yubikey Nano

Sign releases #34

Closed indolering closed 9 years ago

indolering commented 9 years ago

Since this requires root privileges, it would be ideal if you could sign the DMG. If you have an Apple developer ID, it would be nice if you could sign the binary as well.

pallotron commented 9 years ago

You are right, helper requires root privileges and so the only way an application can install them is if they are signed by a trusted Apple developer id, which I bought just to be able to write this feature...

pallotron commented 9 years ago

Only 0.9 is signed though

indolering commented 9 years ago

OS X doesn't think so:

[screenshot]

But then there is this:

$ codesign -dv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=428 flags=0x0(none) hashes=14+3 location=embedded
Signature size=4313
Signed Time=Aug 18, 2015, 2:09:08 AM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=21
Internal requirements count=1 size=184

And signing the DMG with your GPG signature is the only way I can be sure you published it and not some other rando person who gave Apple $100 : )

pallotron commented 9 years ago

weird, this is how I've configured my Xcode project (I'm pretty n00b with Xcode, this is my first Objective-C project :P):

[image]

pallotron commented 9 years ago

[image]

pallotron commented 9 years ago

TeamIdentifier=T8ZNNBVE9Z

that is my Developer ID AFAIK

pallotron commented 9 years ago

$ codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=428 flags=0x0(none) hashes=14+3 location=embedded
Hash type=sha1 size=20
CDHash=6f506f4f8bb1473545e567292fd32c14d8fe67e5
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 26, 2015, 10:52:48 AM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=21
Internal requirements count=1 size=184

indolering commented 9 years ago

@pallotron I'm afraid this is the blind leading the blind, I've never done any OS X development : P

pallotron commented 9 years ago

@indolering : can you try downloading http://blog.angelofailla.com/download/yubiswitch_0.9.dmg and let me know if it still bitches about the signature?

thanks!

pallotron commented 9 years ago

(it turns out I also have to sign the .dmg file :D)

pallotron commented 9 years ago

this should be fixed. reopen if needed.

jhelwig commented 9 years ago

Should 0.10 & 0.11 also be signed, or is the plan to fully sign for > 0.11?

pallotron commented 9 years ago

They are both signed and all versions will be from now on

jhelwig commented 9 years ago

That doesn't appear to be the case with at least 0.11. Downloaded it yesterday, and had to adjust the security settings to allow launching apps from anywhere to get it to run. Just re-downloaded it to confirm.

[screenshot]

pallotron commented 9 years ago

that's weird, I had a friend trying it and it worked. Can you run codesign -dvvv /Applications/yubiswitch.app/ please?

Also run codesign -dvvv on the dmg file and report back in this task

pallotron commented 9 years ago

oh damn it I hate Xcode:

$ codesign -dvvv ~/Downloads/yubiswitch_0.11.dmg
/Users/pallotron/Downloads/yubiswitch_0.11.dmg: code object is not signed at all

Uploading a new signed dmg.

pallotron commented 9 years ago

I've uploaded new files, please try now...

pallotron commented 9 years ago

I think it should be fine now:

pallotron@pallotron-mba.dhcp.thefacebook.com:/tmp/test
$ wget https://github.com/pallotron/yubiswitch/releases/download/v0.12/yubiswitch_0.12.dmg
--2015-08-30 19:07:12--  https://github.com/pallotron/yubiswitch/releases/download/v0.12/yubiswitch_0.12.dmg
Resolving github.com... 192.30.252.130
Connecting to github.com|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/github-cloud/releases/12984615/e97d4e0c-4f49-11e5-9117-71ccc9b60c54.dmg?response-content-disposition=attachment%3B%20filename%3Dyubiswitch_0.12.dmg&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1440961632&Signature=hScQKLterQRhSxdfBVujEsg5ePM%3D [following]
--2015-08-30 19:07:13--  https://s3.amazonaws.com/github-cloud/releases/12984615/e97d4e0c-4f49-11e5-9117-71ccc9b60c54.dmg?response-content-disposition=attachment%3B%20filename%3Dyubiswitch_0.12.dmg&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1440961632&Signature=hScQKLterQRhSxdfBVujEsg5ePM%3D
Resolving s3.amazonaws.com... 54.231.11.0
Connecting to s3.amazonaws.com|54.231.11.0|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1401226 (1.3M) [application/octet-stream]
Saving to: 'yubiswitch_0.12.dmg'

yubiswitch_0.12.dmg                                100%[==================================================================================================================>]   1.34M  1.17MB/s   in 1.1s

2015-08-30 19:07:15 (1.17 MB/s) - 'yubiswitch_0.12.dmg' saved [1401226/1401226]

[Exit code 0 @ 19:07:15]

pallotron@pallotron-mba.dhcp.thefacebook.com:/tmp/test
$ hdiutil attach yubiswitch_0.12.dmg
Checksumming Driver Descriptor Map (DDM : 0)…
     Driver Descriptor Map (DDM : 0): verified   CRC32 $AD489E44
Checksumming Apple (Apple_partition_map : 1)…
..
     Apple (Apple_partition_map : 1): verified   CRC32 $C5E591DC
Checksumming disk image (Apple_HFS : 2)…
..........................................................................................................................................................................................................
          disk image (Apple_HFS : 2): verified   CRC32 $AF0D3692
Checksumming  (Apple_Free : 3)…
                    (Apple_Free : 3): verified   CRC32 $00000000
verified   CRC32 $D14FA073
/dev/disk5              Apple_partition_scheme
/dev/disk5s1            Apple_partition_map
/dev/disk5s2            Apple_HFS                       /Volumes/yubiswitch
[Exit code 0 @ 19:07:29]

pallotron@pallotron-mba.dhcp.thefacebook.com:/tmp/test
$ codesign -dvvv /Volumes/yubiswitch/yubiswitch.app/
Executable=/Volumes/yubiswitch/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=590915aad550d130aebadb90e1d664b229358139
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 30, 2015, 7:02:42 PM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=576
[Exit code 0 @ 19:07:35]

jhelwig commented 9 years ago

I just re-downloaded 0.9 - 0.12, and it appears that none of the DMGs are signed?

% codesign -dvvv ~/Downloads/yubiswitch_0.9.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.9.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.10.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.10.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.11.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.11.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.12.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.12.dmg: code object is not signed at all

I get the same results for codesign when checking yubiswitch.app after extracting it from the 0.12 DMG, but it won't open without adjusting the security settings.

Wondering if we're running into CDN propagation issues?

pallotron commented 9 years ago

No, I think it's just a case of dmg signature getting lost at download. Code signature is a flag that gets assigned to extended attributes in the filesystem... that get lost when you upload to the internet. Only the .app inside the dmg should be signed. You always get a notification the first time you download anything, what are your security settings?

See http://stackoverflow.com/questions/23951105/os-x-dmg-signature-lost-after-download

pallotron commented 9 years ago

is the .app inside the dmg at least signed?

pallotron commented 9 years ago

In general, you don't sign the disk image itself; you sign the files inside it. After the image is downloaded, the signature on the individual items will be checked as they are used.

While you can sign the disk image itself (with codesign -s "Developer ID Application: [your company]" example.dmg), the signature this creates is stored in the form of extended attributes attached to the image file. Actually, it creates three xattrs, named com.apple.cs.CodeDirectory, com.apple.cs.CodeRequirements, and com.apple.cs.CodeSignature. The critical thing to realize is that these attributes are filesystem metadata -- that is, they're attached to the file, not part of the file's contents. The HTTP protocol has very limited support for filesystem metadata, so when you upload or download via HTTP (or FTP or...), it only transfers the file's contents, and the xattrs are lost.

You can see the xattrs with the ls -l@ command (and in even more detail with the xattr command):

$ ls -l@ example.dmg
-rw-r--r--@ 1 gordon  staff  338590 Nov 13  2013 example.dmg
        com.apple.cs.CodeDirectory         120 
        com.apple.cs.CodeRequirements      172 
        com.apple.cs.CodeSignature        8515 
        com.apple.diskimages.fsck           20 
        com.apple.diskimages.recentcksum         81

After downloading, the image will have lost those attributes (and probably gained com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms from the download process), and hence will not be considered signed. The files contained in it, on the other hand, should still be properly signed (since their signatures are part of the image file's contents.)

jhelwig commented 9 years ago

[screenshots]

% codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=590915aad550d130aebadb90e1d664b229358139
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 30, 2015, 11:02:42
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=576

If I switch to allow from anywhere, open the app, then switch back to only App Store & identified developers, then I never get the cannot open dialog again for yubiswitch until I upgrade to a new version.

pallotron commented 9 years ago

I honestly don't know, the application is signed as you can see from your last command :(

pallotron commented 9 years ago

[image]

there is one more thing I can try, which is signing using Developer ID and not "Mac App store"

pallotron commented 9 years ago

Hey @jhelwig can you try downloading http://blog.angelofailla.com/download/yubiswitch_0.12.dmg and let me know if you still have the issue?

jhelwig commented 9 years ago

That one worked.

% codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=bd8d25476cf17c7ea9de1af93a1e3e12af7b9c37
Signature size=8525
Authority=Developer ID Application: Angelo Failla (T8ZNNBVE9Z)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 30, 2015, 13:12:42
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=608

Did prompt about the helper, but was able to get past the security check with it still set to "Mac App Store and identified developers".

pallotron commented 9 years ago

Ok so the trick was to sign as "Developer ID" instead of "Mac App Store"
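
Added example, not part of the original thread or the yubiswitch project: a small shell function that reads `codesign -dvvv` output and reports which kind of certificate signed the code, which is the difference the thread took several rounds to spot ("Mac Developer" versus "Developer ID Application"). The function name and output labels are assumptions; the sample Authority chains are copied from the output quoted above.

```shell
#!/usr/bin/env bash
# Reads `codesign -dvvv` output on stdin and prints the kind of leaf
# certificate that signed the code:
#   developer-id | development | unsigned | unknown | other
# On a Mac: codesign -dvvv /Applications/yubiswitch.app 2>&1 | classify_codesign
# (codesign writes this report to stderr, hence the 2>&1).
classify_codesign() {
  local line leaf=""
  while IFS= read -r line; do
    case "$line" in
      *"code object is not signed at all"*)
        echo unsigned
        return 0
        ;;
      Authority=*)
        # The first Authority line is the leaf (signing) certificate;
        # the lines after it are the intermediate and root CAs.
        if [ -z "$leaf" ]; then leaf="${line#Authority=}"; fi
        ;;
    esac
  done
  case "$leaf" in
    "Developer ID Application:"*) echo developer-id ;;
    "Mac Developer:"* | "Apple Development:"*) echo development ;;
    # No Authority lines at all: ad-hoc signature, or output from plain
    # `-dv`, which does not print the chain (as in the first report above).
    "") echo unknown ;;
    *) echo other ;;
  esac
}

# Authority chains copied from the codesign output quoted in this thread.
SAMPLE_REJECTED='Identifier=com.pallotron.yubiswitch
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=T8ZNNBVE9Z'
SAMPLE_ACCEPTED='Identifier=com.pallotron.yubiswitch
Authority=Developer ID Application: Angelo Failla (T8ZNNBVE9Z)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=T8ZNNBVE9Z'
SAMPLE_DMG='/Users/pallotron/Downloads/yubiswitch_0.11.dmg: code object is not signed at all'

for sample in "$SAMPLE_REJECTED" "$SAMPLE_ACCEPTED" "$SAMPLE_DMG"; do
  printf '%s\n' "$sample" | classify_codesign
done
```

For the verdict Gatekeeper itself would give, `spctl --assess --type execute -vv` on the .app is the direct check; the classifier only explains why a bundle that `codesign` reports as signed can still be refused.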