This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Adding notarization and entitlements for unsigned memory execution (backport from master) #2749

Merged (2 commits), Feb 3, 2020

Conversation

jonsmorrow (Contributor)

@jonsmorrow jonsmorrow commented Feb 3, 2020

Description

Fixes all notarization issues

This change makes the necessary changes to enable the pkg to pass Apple's notarization requirements.

1. Update omnibus and omnibus-software to versions that support deep signing
2. Drop 'Developer ID Installer:' from signing key. This lets signing pick up the correct key for what is being signed.
3. Add bin_dirs and lib_dirs to chefdk and git-custom-bindir software definitions so signing can find their binaries and libraries.
4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is built on too old an SDK.
5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current OS and discover the SDK version.
6. Add unsigned memory execution entitlement because ffi loads C code into memory in an unsigned way.

Signed-off-by: Jon Morrow <jmorrow@chef.io>

Related Issue

#2748

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
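Step 6 ships a hardened-runtime exception, so a reviewer of the built package wants to see exactly which exceptions the signed binaries carry and that nothing beyond the one justified here crept in. The audit below is an added example, not code from this PR or the chef-dk project. It assumes the "unsigned memory execution entitlement" is Apple's `com.apple.security.cs.allow-unsigned-executable-memory` key; the other keys in the table are real hardened-runtime exception entitlements, the audit goes beyond the PR by flagging those as well, and the sample entitlements plist is constructed for this example.

```python
import plistlib

# Hardened-runtime exception entitlements (real Apple keys) that relax a
# code-signing guarantee, with a note on what each one gives up.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable+executable memory not covered by the code signature "
        "(what an FFI layer needs for its generated call trampolines)",
    "com.apple.security.cs.allow-jit":
        "MAP_JIT pages only; narrower than allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation":
        "libraries signed by other teams, or unsigned, may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables are honoured, so code can be injected at load",
    "com.apple.security.cs.disable-executable-page-protection":
        "turns off executable-page protection entirely",
    "com.apple.security.get-task-allow":
        "other processes may attach to and read this process",
}

# Constructed sample: the one exception the PR justifies, plus a second key
# that is present in the file but explicitly switched off.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
</dict>
</plist>
"""


def parse_entitlements(data: bytes) -> dict:
    """Parse an entitlements plist (the XML file passed to codesign --entitlements)."""
    return plistlib.loads(data)


def enabled_exceptions(entitlements: dict) -> list:
    """Return the risky entitlement keys that are actually set to true.

    A key present with <false/> grants nothing, so it is not reported.
    """
    return sorted(k for k in RISKY_ENTITLEMENTS if entitlements.get(k) is True)


def unapproved_exceptions(entitlements: dict, approved: set) -> list:
    """Policy check: risky entitlements enabled beyond the approved allow-list."""
    return [k for k in enabled_exceptions(entitlements) if k not in approved]


def minimal_entitlements() -> bytes:
    """Build the smallest entitlements file that covers the PR's stated need."""
    return plistlib.dumps(
        {"com.apple.security.cs.allow-unsigned-executable-memory": True},
        fmt=plistlib.FMT_XML,
    )


if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_ENTITLEMENTS)
    for key in enabled_exceptions(ents):
        print(f"{key}: {RISKY_ENTITLEMENTS[key]}")
    approved = {"com.apple.security.cs.allow-unsigned-executable-memory"}
    print("unapproved:", unapproved_exceptions(ents, approved))
```

On a real build the input for `parse_entitlements` would be the XML that `codesign -d --entitlements :- <binary>` prints for each signed Mach-O, run over every file the deep signing touched; the allow-list passed to `unapproved_exceptions` is the review decision recorded for the package, and anything it returns should block the release until someone justifies it the way step 6 justifies the FFI exception.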

@jonsmorrow jonsmorrow requested review from a team as code owners February 3, 2020 05:27
    This change makes the necessary changes to enable the pkg to pass Apple's notarization requirements.

    1. Update omnibus and omnibus-software to versions that support deep signing
    2. Drop 'Developer ID Installer:' from signing key. This lets signing pick up the correct key for what is being signed.
    3. Add bin_dirs and lib_dirs to chefdk and git-custom-bindir software definitions so signing can find their binaries and libraries.
    4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is built on too old an SDK.
    5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current OS and discover the SDK version.

Signed-off-by: Jon Morrow <jmorrow@chef.io>
@jonsmorrow jonsmorrow force-pushed the jm/backport_entitlements_to_dk3 branch from 14e9172 to 7a5039b February 3, 2020 06:37
@jonsmorrow jonsmorrow changed the title from "Adding entitlement for unsigned memory execution (backport from master)" to "Adding notarization and entitlements for unsigned memory execution (backport from master)" Feb 3, 2020
@jonsmorrow jonsmorrow force-pushed the jm/backport_entitlements_to_dk3 branch from 7a5039b to 19be23b February 3, 2020 06:41
    ffi loads C code into memory in an unsigned way and this allows dk
    to work with the hardened runtime.

Signed-off-by: Jon Morrow <jmorrow@chef.io>
@jonsmorrow jonsmorrow force-pushed the jm/backport_entitlements_to_dk3 branch from 19be23b to e379571 February 3, 2020 16:01
@tas50 tas50 merged commit 76443bc into chefdk-3 Feb 3, 2020
@chef-expeditor chef-expeditor bot deleted the jm/backport_entitlements_to_dk3 branch February 3, 2020 17:49