[opensource-dev] macOS Catalina notarization

2020-02-29 Thread Tonya Souther
Apple has tightened up their criteria for notarizing apps. For those of you
not familiar with the issue, the current version of macOS, 10.15 Catalina,
makes the user jump through some scary hoops to run an application they've
downloaded unless it's been notarized - signed with an Apple Developer ID
key and then checked by Apple.

When Catalina first came out, Apple relaxed several requirements for
notarization. Their announcement is at
https://developer.apple.com/news/?id=09032019a . Those changes have now
been reversed, and all of the requirements they list have been met.

I've spent the morning making viewer-manifest.py sign everything that's
needed signing (apparently codesign --deep --force doesn't do that job any
more). Unfortunately, there's still one major problem: there are 309
libraries that were built with an SDK older than 10.9. As Apple's notice
says, that will cause notarization to be rejected.

305 of those libraries are in llplugin, and five are in the SLvoice for
OpenSim. I don't expect that LL has anything to do with the latter, but the
former is the much bigger problem. Is the llplugin directory still needed?
If so, is there a good way to rebuild the lot?
___
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges
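
Added example (not part of the original thread, and not code from the viewer's build scripts): a Mach-O image records the SDK it was built with in its LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION load command, so bundled libraries can be checked against the 10.9 threshold mentioned above before a notarization request is submitted. The names macho_sdk, audit, make_sample and SAMPLES are hypothetical, the sample images are constructed, and only thin little-endian images are handled (fat binaries are not).

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin, little-endian only
LC_VERSION_MIN_MACOSX, LC_BUILD_VERSION = 0x24, 0x32
MIN_SDK = (10, 9)                                    # threshold named in the thread

def decode_version(word):
    """Mach-O packs X.Y.Z into one 32-bit word as xxxx.yy.zz."""
    return (word >> 16, (word >> 8) & 0xFF, word & 0xFF)

def macho_sdk(data):
    """SDK tuple recorded in the image; None if not Mach-O; (0, 0, 0) if the
    image has no version load command (convention chosen for this example)."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] not in (MH_MAGIC, MH_MAGIC_64):
        return None
    is64 = struct.unpack_from("<I", data)[0] == MH_MAGIC_64
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = 32 if is64 else 28                         # size of the Mach-O header
    for _ in range(ncmds):
        if off + 8 > len(data):
            break                                    # truncated load-command table
        cmd, size = struct.unpack_from("<II", data, off)
        if cmd == LC_VERSION_MIN_MACOSX and off + 16 <= len(data):
            return decode_version(struct.unpack_from("<I", data, off + 12)[0])
        if cmd == LC_BUILD_VERSION and off + 20 <= len(data):
            return decode_version(struct.unpack_from("<I", data, off + 16)[0])
        if size < 8:
            break                                    # malformed command, stop walking
        off += size
    return (0, 0, 0)

def audit(files, minimum=MIN_SDK):
    """files maps name -> bytes; returns [(name, 'X.Y')] for Mach-O images below minimum."""
    hits = []
    for name, data in sorted(files.items()):
        sdk = macho_sdk(data)
        if sdk is not None and sdk[:2] < minimum:
            hits.append((name, "%d.%d" % sdk[:2]))
    return hits

def make_sample(sdk_word, min_word=0x000A0700):
    """Constructed x86_64 dylib header plus one LC_VERSION_MIN_MACOSX command."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, 1, 16, 0, 0)
    return header + struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, min_word, sdk_word)

SAMPLES = {"libold.dylib": make_sample(0x000A0800),  # SDK 10.8, constructed
           "libnew.dylib": make_sample(0x000A0B00),  # SDK 10.11, constructed
           "README.txt": b"plain text, not a Mach-O image at all"}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

To use it on a real bundle, read each file under the .app directory into the mapping passed to audit.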

Re: [opensource-dev] macOS Catalina notarization

2020-02-29 Thread Henri Beauchamp
On Sat, 29 Feb 2020 10:33:52 -0600, Tonya Souther wrote:

> 305 of those libraries are in llplugin, and five are in the SLvoice
> for OpenSim. I don't expect that LL has anything to do with the
> latter, but the former is the much bigger problem. Is the llplugin
> directory still needed?

My bet is that those 305 non-signed libraries are in fact VLC's ones...

One more reason not to use VLC and to use gstreamer instead: the user
may install gstreamer separately on their system (with the proper
signing by the gstreamer upstream provider), and you won't need to
bundle a shitload of libraries with each binary package of your viewer.

Henri.


Re: [opensource-dev] macOS Catalina notarization

2020-02-29 Thread Tonya Souther
I've now built a VLC 3.0.8 package, and it at least allows the app to be
notarized. Haven't wrung it out yet; not sure I know how, but our beta
testers will, I'm sure, let me know if it's screwed up.

On Sat, Feb 29, 2020 at 12:18 PM Henri Beauchamp wrote:

> On Sat, 29 Feb 2020 10:33:52 -0600, Tonya Souther wrote:
>
> > 305 of those libraries are in llplugin, and five are in the SLvoice
> > for OpenSim. I don't expect that LL has anything to do with the
> > latter, but the former is the much bigger problem. Is the llplugin
> > directory still needed?
>
> My bet is that those 305 non-signed libraries are in fact VLC's ones...
>
> One more reason not to use VLC and to use gstreamer instead: the user
> may install gstreamer separately on their system (with the proper
> signing by the gstreamer upstream provider), and you won't need to
> bundle a shitload of libraries with each binary package of your viewer.
>
> Henri.

Re: [opensource-dev] macOS Catalina notarization

2020-02-29 Thread Geir Nøklebye
It is not only that you have unsigned libraries, but there are two other issues:

1. The Chromium Framework is not correctly structured, but must have the
structure described in
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html
to be properly signed for notarization.

2. The plugins must be signed with --options runtime or the notarization 
request comes back with the error status "The executable does not have the 
hardened runtime enabled."

...and you can sign it with that option - which will let the viewer be 
notarized, as I managed to do once before February 3 and they tightened the 
rules. 

The problem is then that the plugin (particularly the SL Plugin) does not 
communicate with the main application at all as they are both executing in 
their own sandboxes. 

I have an open issue with Apple Developer support on notarization, but the only 
thing they say is: build in Xcode, sign properly and enable hardened runtime 
on everything. They cannot provide any support for building with third party 
systems like cmake etc. 




Re: [opensource-dev] macOS Catalina notarization

2020-02-29 Thread Geir Nøklebye
When it comes to deployment target, I see that in
https://bitbucket.org/lindenlab/build-variables/src/master/variables
which I suppose is the latest build variables used, you build with a deployment
target of 10.7 and with the 10.11 SDK??!

LL_BUILD_DARWIN_BASE_SWITCHES="-fPIC -gdwarf-2 -stdlib=libc++ 
-mmacosx-version-min=10.7 -iwithsysroot 
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/"

What gives? - You should not build with a deployment target of anything less
than 10.12 for multiple reasons, the most important being that Apple in 10.12.6
finally fixed an issue that was introduced in 10.11 that made the macOS version
of the viewer crash constantly.

Running the viewer on anything pre 10.12 is at this time pointless because 
every Apple system that can run 10.10 can also run 10.12, and 10.10 is out of 
support in the same manner as Windows 7 is out of support. 

If you build with Xcode 11.3 on Catalina you should build with the 10.15 SDK, 
or if on Xcode 10.3 on 10.14 with the 10.14 SDK. 

I assume the libs are built with the same target and even older SDKs (have not 
checked all of them).



Re: [opensource-dev] macOS Catalina notarization

2020-02-29 Thread Tonya Souther
I was able to get a successful notarization. I did not have to do anything
to CEF to get it to fly, though I did have to use the --options runtime
flag. We'll see what testing reveals as the effect of that.

That they tightened down things as of the beginning of February explains
why the notarization I ran on January 15 worked but ones this week didn't.

On Sat, Feb 29, 2020 at 2:52 PM Geir Nøklebye wrote:

> It is not only that you have unsigned libraries, but there are two other
> issues:
>
> 1. The Chromium Framework is not correctly structured, but must have the
> structure described in
> https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html
> to be properly signed for notarization.
>
> 2. The plugins must be signed with --options runtime or the notarization
> request comes back with the error status "The executable does not have
> the hardened runtime enabled."
>
> ...and you can sign it with that option - which will let the viewer be
> notarized, as I managed to do once before February 3 and they tightened the
> rules.
>
> The problem is then that the plugin (particularly the SL Plugin) does not
> communicate with the main application at all as they are both executing in
> their own sandboxes.
>
> I have an open issue with Apple Developer support on notarization, but the
> only thing they say is: build in Xcode, sign properly and enable hardened
> runtime on everything. They cannot provide any support for building with
> third party systems like cmake etc.