Version 6.0.0 doesn't run on Apple Silicon

macmade commented 4 days ago

It seems that the latest version does not run on Apple Silicon. I'm using a MacBook Air M2, running on macOS Sonoma 14.6.1.

“LuckyStackWorker.app” is damaged and can’t be opened. You should move it to the Trash.

The Intel version run fine, but I need to allow it to run in the Gatekeeper's preferences as it's not codesigned:

codesign -dv LuckyStackWorkerIntel.app
LuckyStackWorkerIntel.app: code object is not signed at all

The ARM version seems to be codesigned, but in an invalid way:

codesign -dv LuckyStackWorkerARM.app
Executable=/Users/macmade/Desktop/LuckyStackWorkerARM.app/Contents/MacOS/LuckyStackWorker
Identifier=Electron
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=513 flags=0x20002(adhoc,linker-signed) hashes=13+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

SPCTL gives the following info:

spctl --assess -v LuckyStackWorkerARM.app
LuckyStackWorkerARM.app: code has no resources but signature indicates they must be present

wkasteleijn commented 4 days ago

Thanks macmade. I will look into it. This is interesting, why would it work fine on intel but not on arm? I used the exact same packaging (electron-packager), with the correct architecture id (arm64).

wkasteleijn commented 4 days ago

macmade I cannot find any reason for the corrupt arm package. I suspect that the electron-packager library doesn't work properly anymore. So I may consider using another packager instead. But this isn't solved easily, I will need to find somebody that owns an M1/M2 to help me out. In the meantime you can run the intel version of the app using Rosetta. I will update the installation instructions on the release page to instruct arm owners to do so. Thanks a lot for notifying me about it!

macmade commented 3 days ago

Code signing is usually a pain on Apple platforms. Don't hesitate if you need additional testing on an M2!

wilco-h4h commented 3 days ago

Thanks for that Macmade. I would like to verify if the x64 version works properly on the M2. You already mentioned that "the Intel version runs fine, but...". Did you use Rosetta for that? Also:

Can you open one of your 16-bit image stacks produced by stacking software (Autostakkert, PlanetarySystemStacker)
Make some adjustments
Save the result
Press the Start batch button on the bottom left of the control panel and see that it produced a subfolder lsw_
containing the processed endresult also.
If that works than at least the x64 version can serve as a fallback until I have the packaging issue worked out. It probably requires using a different one.. Regards, Wilco.

wilco-h4h commented 2 days ago

@macmade I investigated this a bit further and it looks like my initial assumption on the electron-packager creating a corrupt LuckyStackWorker.app file isn't correct. Apparently this is a common issue with unsigned apps on arm64. I'm not familiar at all with code signing on the mac, but from what it looks like I am now forced to perform some form of code signing anyway, at least for arm64. Is there a way to do this without requiring me to actually buy a certificate?
macmade commented 2 days ago
Unsigned apps are becoming a pain to open, but this is another issue. The Intel version is unsigned. Once you authorize it via the System Settings, it launches.

But it looks like the ARM version is signed with an AdHoc signature, as you can see using codesign -dv.
```
CodeDirectory v=20400 size=513 flags=0x20002(adhoc,linker-signed) hashes=13+0 location=embedded
Signature=adhoc
```
But it also looks like the code signature is somehow broken. I know nothing about Electron apps, so I'm unsure why...
macmade commented 2 days ago

Well, code signing is mandatory on Apple Silicon since macOS 11. Apparently, the linker can generate a signature by itself if none are provided.

This explains the AdHoc signature. However, AdHoc signed applications are not meant to be distributed.

The easiest way would be to get a certificate through Apple's Developer Program, indeed. This would also make the Intel version easier to open on recent macOS versions.

wkasteleijn commented 2 days ago

@macmade The developer program apparently limits the usage to max. 100 devices. I now learnt that entering the following command from the command line will also unblock the app from running:

sudo xattr -r -d com.apple.quarantine /Applications/LuckyStackWorker.app

Would you be willing to give it a try? If this works, it far from ideal as a bypass, but it is at least something.

On the intel you can unblock the app by holding the ^ key while starting it. It will then warn you that the app is unsigned and you can start it at your own risk. That's much better then presenting the user with a misleading message about the file being damaged. It is also strange that this works differently on the M2, while being the exact same OS...

macmade commented 2 days ago

The developer program apparently limits the usage to max. 100 devices.

That's only for provisioning certificates. A DeveloperID certificate can be used for unlimited distribution - this is how distributing software on a Mac works outside of the AppStore.

Removing the quarantine flag works, although spctl still reports errors with the bundle. Far from ideal, indeed.

macmade commented 2 days ago

I’m actually surprised it works by removing the flag. On Intel, it’s a bit different since they allow unsigned apps to run, with some convoluted user actions. On Apple Silicon, code signing is mandatory AFAIK.

wilco-h4h commented 1 day ago

Indeed, just tried it on the M1 of one of my collueges :-) Everything seems to work!
- © Githubissues.
- Githubissues is a development platform for aggregating issues.

wkasteleijn / luckystackworker

Version 6.0.0 doesn't run on Apple Silicon #10