wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Differentiate between Intel and ARM in macOS packages #5913

Open DFolchA opened 1 year ago

DFolchA commented 1 year ago

On the packages list page, the macOS packages are indicated as 64-bit. This may be confusing for the user because the term 64-bit is used in both Intel and ARM architectures.


We need to specify that the packages are Intel based and clarify that they can be used in Apple Silicon systems through the use of Rosetta.

sempervictus commented 1 year ago

It's actually not entirely clear that this even works on M1 Macs - I get the sense that TCC doesn't permit it to read inside user directories on those, though that's anecdotal. @vikman90 - do you happen to know who owns the mac agent side of the effort, and if so, could you possibly flag this ticket for their attention? I think there are some things that might need fixing on the mac side both in terms of silicon and OS restrictions around the agent itself.

vikman90 commented 1 year ago

Hi @sempervictus, we had permission-related issues on macOS since Catalina (https://github.com/wazuh/wazuh-qa/issues/217) that we managed to fix by notarizing our package (https://github.com/wazuh/wazuh-packages/issues/316).

However, we plan to provide a native agent for M1:

Best!

giladreich commented 1 year ago

Commenting just for the record, as there was nothing mentioned about universal FAT binaries: https://github.com/wazuh/wazuh-kibana-app/issues/5202#issuecomment-1568361588

Note that from my experience the notarytool deals well with FAT binaries and there is no need to notarize them individually, rather just the final binary that was lipoed with multiple architectures and lastly codesigned.

giladreich commented 1 year ago

Here is a snippet of how I did it from a GH Action after the final FAT binary was produced with lipo (I would never recommend using this in a public repo to avoid pipeline poisoning attacks):

      - name: Notarize & Codesign
        run: |
          set -ex
          echo -n "${{ secrets.CERT_P12 }}" | base64 --decode -o cert.p12
          security create-keychain -p "${{ secrets.KEYCHAIN_PWD }}" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "${{ secrets.KEYCHAIN_PWD }}" build.keychain
          security import cert.p12 -k build.keychain -P "${{ secrets.CERT_P12_PWD }}" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.KEYCHAIN_PWD }}" build.keychain

          xcrun notarytool store-credentials "notarytool-profile" \
            --apple-id "my.apple.id@email.com" \
            --team-id "${{ secrets.APP_TEAM_ID }}" \
            --password "${{ secrets.APP_SPECIFIC_PWD }}"

          /usr/bin/codesign --force -s "${{ secrets.IDENTITY_ID }}" --options runtime path/to/binary -v
          zip -r binary-submit.zip path/to/binary
          xcrun notarytool submit binary-submit.zip --keychain-profile "notarytool-profile" --wait
          # xcrun notarytool log $uuid --keychain-profile "notarytool-profile"

/cc @vikman90

EDIT: I see you already have it implemented as part of a shell script.
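An added example, not code from this issue or from Wazuh's packaging scripts: a portable check of which CPU slices a downloaded agent binary actually contains, which is the Intel / Apple Silicon / universal distinction the packages page should state. It reads the Mach-O fat and thin headers directly, so it runs without Xcode tools; the two sample headers are constructed, not taken from real binaries.

```python
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF  # universal file; header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin Mach-O; header is host-endian
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {0x7: "i386", CPU_TYPE_X86_64: "x86_64", 0xC: "arm", CPU_TYPE_ARM64: "arm64"}


def macho_archs(data: bytes) -> list:
    """Return the CPU architectures (slices) contained in a Mach-O or universal file."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    magic, count = struct.unpack(">II", data[:8])
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # fat_header is followed by nfat_arch entries (fat_arch 20 B, fat_arch_64 32 B); cputype is first
        entry = 20 if magic == FAT_MAGIC else 32
        archs = []
        for i in range(count):
            off = 8 + i * entry
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, "unknown(0x%x)" % cputype))
        return archs
    # Thin Mach-O: little-endian on Intel/ARM hosts, big-endian on the old PowerPC builds
    for order in ("<", ">"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return [CPU_NAMES.get(cputype, "unknown(0x%x)" % cputype)]
    raise ValueError("not a Mach-O file")


def classify(archs: list) -> str:
    """Map the slice list onto what the packages page should tell the user."""
    intel, arm = "x86_64" in archs, "arm64" in archs
    if intel and arm:
        return "universal: native on Intel and Apple Silicon"
    if intel:
        return "Intel-only: runs on Apple Silicon through Rosetta"
    if arm:
        return "Apple Silicon only: will not run on Intel Macs"
    return "unsupported slices: " + ", ".join(archs)


# Constructed sample headers (not real binaries): a universal file and an Intel-only thin file
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">iiIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
             + struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))
INTEL_ONLY = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 10, 1000, 0x200085, 0)
```

On a Mac the same answer comes from `lipo -archs <file>`; the point here is a check that also works on the Linux host a release pipeline or reviewer usually has at hand.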