From d91b3edda05a2e7334fd7ab2dfa9538a31d09693 Mon Sep 17 00:00:00 2001
From: Jon Morrow
Date: Mon, 18 Nov 2019 15:28:40 -0800
Subject: [PATCH 1/2] Fixes all notarization issues

This changes makes the neccessary changes to enable the pkg to pass apples notarization requirements.

1. Update omnibus and omnibus-software to versions that support deep signing
2. Drop 'Developer ID Installer:' from signing key. This lets sigining pick up the correct key for what is being signed.
3. Add bin_dirs and lib_dirs to chefdk and git-custom-bindir software definitions so siging can find their binaries and libraries.
4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is build on to old an sdk.
5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current os and discover the sdk version.

Signed-off-by: Jon Morrow
---
omnibus/config/patches/rb-fsevent-gem.patch | 24 +++++++++++++
omnibus/config/projects/chefdk.rb | 2 +-
omnibus/config/software/chef-dk.rb | 5 +++
omnibus/config/software/git-custom-bindir.rb | 2 ++
omnibus/config/software/rb-fsevent-gem.rb | 36 ++++++++++++++++++++
5 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 omnibus/config/patches/rb-fsevent-gem.patch
create mode 100644 omnibus/config/software/rb-fsevent-gem.rb
diff --git a/omnibus/config/patches/rb-fsevent-gem.patch b/omnibus/config/patches/rb-fsevent-gem.patch
new file mode 100644
index 000000000..4af0638bf
--- /dev/null
+++ b/omnibus/config/patches/rb-fsevent-gem.patch
@@ -0,0 +1,24 @@
+diff --git a/bin/fsevent_watch b/bin/fsevent_watch
+index 889204f..17b894b 100755
+Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ
+diff --git a/ext/rakefile.rb b/ext/rakefile.rb
+index d7789bd..fd8ec36 100644
+--- a/ext/rakefile.rb
++++ b/ext/rakefile.rb
+@@ -48,13 +48,13 @@ CLOBBER.include $final_exe.to_s
+ task :sw_vers do
+ $mac_product_version = `sw_vers -productVersion`.strip
+ $mac_build_version = `sw_vers -buildVersion`.strip
+- $MACOSX_DEPLOYMENT_TARGET = ENV["MACOSX_DEPLOYMENT_TARGET"] || $mac_product_version.sub(/\.\d*$/, '')
+- $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_DEPLOYMENT_TARGET}"
++ $MACOSX_MIN_TARGET = $mac_product_version.sub(/\.\d*$/, '')
++ $CFLAGS = "#{$CFLAGS} -mmacosx-version-min=#{$MACOSX_MIN_TARGET}"
+ end
+
+ task :get_sdk_info => :sw_vers do
+ $SDK_INFO = {}
+- version_info = `xcodebuild -version -sdk macosx#{$MACOSX_DEPLOYMENT_TARGET}`
++ version_info = `xcodebuild -version -sdk macosx`
+ raise "invalid SDK" unless !!$?.exitstatus
+ version_info.strip.each_line do |line|
+ next if line.strip.empty?
diff --git a/omnibus/config/projects/chefdk.rb b/omnibus/config/projects/chefdk.rb
index cc24d8d3d..6904eabe3 100644
--- a/omnibus/config/projects/chefdk.rb
+++ b/omnibus/config/projects/chefdk.rb
@@ -98,7 +98,7 @@
 package :pkg do
 identifier "com.getchef.pkg.chefdk"
- signing_identity "Developer ID Installer: Chef Software, Inc. (EU3VF8YLX2)"
+ signing_identity "Chef Software, Inc. (EU3VF8YLX2)"
 end
 package :msi do
diff --git a/omnibus/config/software/chef-dk.rb b/omnibus/config/software/chef-dk.rb
index c7d5808d0..ed61a546c 100644
--- a/omnibus/config/software/chef-dk.rb
+++ b/omnibus/config/software/chef-dk.rb
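Review bot: The first section of the new patch is a `Binary files a/bin/fsevent_watch and b/bin/fsevent_watch differ` stub with no binary payload, so patch(1) and git apply have nothing to apply for that path and will likely report an error or skip it before reaching the ext/rakefile.rb hunk; since `rake replace_exe` rebuilds that binary anyway, the patch should carry only the rakefile section. The rakefile change also drops the `ENV["MACOSX_DEPLOYMENT_TARGET"] ||` override, so a value exported by the caller no longer influences `-mmacosx-version-min`, which is now derived from `sw_vers -productVersion` alone; if that differs from the SDK version the caller exports, the command-line flag is what the compiler honours, and a comment in the patch stating that this is intended would save the next reader the same question. Both rakefile tasks in the nested hunk start before or end after the lines shown.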
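Review bot: The shortened `signing_identity` in the new line has no in-file explanation, and a reader will wonder why the certificate-type prefix was dropped from what used to be a complete identity; the commit message says it lets the deep-signing step pick the right key per artifact, so that reasoning belongs next to the line, e.g. `# Type prefix ("Developer ID Installer:") omitted on purpose: omnibus deep signing picks the Application or Installer certificate per artifact from this common name.` A prefix-less identity is resolved by name match in the keychain, so if more than one certificate with this common name exists on the build host the match may be ambiguous; that depends on the keychain contents, which are not visible here. The `package :pkg` block is fully inside the hunk.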
@@ -74,6 +74,11 @@
 # for train
 dependency "google-protobuf"
+# This is a transative dep but we need to build from source so binaries are built on current sdk.
+# Only matters on mac.
+# TODO: Contact gem mainter about getting new release.
+dependency "rb-fsevent-gem" if mac_os_x?
+
 build do
 env = with_standard_compiler_flags(with_embedded_path)
diff --git a/omnibus/config/software/git-custom-bindir.rb b/omnibus/config/software/git-custom-bindir.rb
index ebf9cc4e0..5108eac0e 100644
--- a/omnibus/config/software/git-custom-bindir.rb
+++ b/omnibus/config/software/git-custom-bindir.rb
@@ -41,6 +41,8 @@
 source url: "https://www.kernel.org/pub/software/scm/git/git-#{version}.tar.gz"
+bin_dirs ["#{install_dir}/gitbin", "#{install_dir}/embedded/libexec/git-core"]
+
 build do
 env = with_standard_compiler_flags(with_embedded_path)
diff --git a/omnibus/config/software/rb-fsevent-gem.rb b/omnibus/config/software/rb-fsevent-gem.rb
new file mode 100644
index 000000000..6a046aa24
--- /dev/null
+++ b/omnibus/config/software/rb-fsevent-gem.rb
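Review bot: The new comment block carries two typos into the file, `transative` and `mainter`; `# This is a transitive dep but we need to build from source so binaries are built on the current SDK.` and `# TODO: Contact gem maintainer about getting a new release.` read correctly. Beyond wording, the dependency only helps if the gem that rb-fsevent-gem installs from source reports the same version this project's lockfile pins; if upstream master reports a different version, a later bundle install would presumably fetch the locked release with its prebuilt binary and undo the rebuild, so a comment stating which version is expected (or pinning the software definition to the locked tag) would make the intent checkable. The build block that follows continues outside the hunk.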
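Review bot: The commit message says bin_dirs and lib_dirs were added to both the chefdk and git-custom-bindir definitions, but this hunk adds only `bin_dirs` and the chef-dk.rb hunk adds neither, so either the description overstates the change or the remaining entries were left out; if git installs shared libraries outside the default search paths, those would presumably stay unsigned. A one-line comment above the new line saying why these two directories must be listed, e.g. `# git executables live outside the default bin dirs; list them so deep signing covers them`, would help the next maintainer. The build block begins inside the hunk and continues outside it.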
@@ -0,0 +1,36 @@
+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "rb-fsevent-gem"
+default_version "master"
+
+source git: "https://github.com/thibaudgg/rb-fsevent.git"
+
+license "Apache-2.0"
+license_file "https://raw.githubusercontent.com/thibaudgg/rb-fsevent/master/LICENSE.txt"
+
+dependency "ruby"
+
+build do
+ env = with_standard_compiler_flags(with_embedded_path)
+ # Look up active sdk version.
+ sdk_ver = `xcrun --sdk macosx --show-sdk-version`.strip
+ env["MACOSX_DEPLOYMENT_TARGET"] = sdk_ver
+
+ bundle "install", env: env
+ bundle "exec rake replace_exe", env: env, cwd: "#{project_dir}/ext"
+ bundle "exec rake install:local", env: env
+end
From e379571b632d927e107e4aa17ec247ff414058a6 Mon Sep 17 00:00:00 2001
From: Jon Morrow
Date: Sat, 1 Feb 2020 13:44:13 -0800
Subject: [PATCH 2/2] Adding entitlement for unsigned memory execution

ffi loads c code into memory in an unsigned way and this allows dk to work with the hardened runtime.

Signed-off-by: Jon Morrow
---
omnibus/Gemfile.lock | 20 ++++++++++---------
.../resources/chefdk/pkg/entitlements.plist | 8 ++++++++
2 files changed, 19 insertions(+), 9 deletions(-)
create mode 100644 omnibus/resources/chefdk/pkg/entitlements.plist
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index b6d6f5b32..89202dca4 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
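Review bot: Nothing in the new `build do` block applies omnibus/config/patches/rb-fsevent-gem.patch, which this same commit adds, so the rakefile changes the commit message describes never take effect unless some other definition applies them; a `patch source: "rb-fsevent-gem.patch", plevel: 1, env: env` line before `bundle "install"` would wire it in (plevel 1 because the patch carries a/ and b/ prefixes). `default_version "master"` on a git source builds whatever the upstream branch points at on the day of the build, so the shipped gem is neither reproducible nor reviewable after the fact; pinning to a tag or commit SHA, and pointing `license_file` at the same ref, is the usual omnibus practice. The `xcrun` backtick call is never checked: if it fails, `sdk_ver` is an empty string and `MACOSX_DEPLOYMENT_TARGET` is exported empty, so `raise "xcrun did not report a macOS SDK version" unless $?.success?` right after the call would fail the build loudly instead of silently miscompiling.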
@@ -8,10 +8,10 @@ GIT GIT remote: https://github.com/chef/omnibus.git - revision: d642ae6fd57f4a74846e325fecadebb132069894 + revision: 5baaf7a1d4ee66a9273e127c7e09ce0bb3b33d90 branch: master specs: - omnibus (7.0.1) + omnibus (7.0.2) aws-sdk-s3 (~> 1) chef-cleanroom (~> 1.0) chef-sugar (>= 3.3) @@ -32,7 +32,7 @@ GEM artifactory (3.0.12) awesome_print (1.8.0) aws-eventstream (1.0.3) - aws-partitions (1.268.0) + aws-partitions (1.269.0) aws-sdk-core (3.89.1) aws-eventstream (~> 1.0, >= 1.0.2) aws-partitions (~> 1, >= 1.239.0) @@ -166,9 +166,9 @@ GEM erubis (2.7.0) faraday (1.0.0) multipart-post (>= 1.2, < 3) - ffi (1.12.1) - ffi (1.12.1-x64-mingw32) - ffi (1.12.1-x86-mingw32) + ffi (1.12.2) + ffi (1.12.2-x64-mingw32) + ffi (1.12.2-x86-mingw32) ffi-libarchive (1.0.0) ffi (~> 1.0) ffi-win32-extensions (1.0.3) @@ -226,7 +226,7 @@ GEM mixlib-versioning (1.2.12) molinillo (0.6.6) multi_json (1.14.1) - multipart-post (2.0.0) + multipart-post (2.1.1) necromancer (0.5.1) net-scp (2.0.0) net-ssh (>= 2.6.5, < 6.0.0) @@ -257,17 +257,19 @@ GEM pastel (0.7.3) equatable (~> 0.6) tty-color (~> 0.5) - pedump (0.5.2) + pedump (0.5.4) awesome_print iostruct (>= 0.0.4) - multipart-post (~> 2.0.0) + multipart-post (>= 2.0.0) progressbar + rainbow zhexdump (>= 0.0.2) plist (3.5.0) progressbar (1.10.1) proxifier (1.0.3) public_suffix (4.0.3) rack (2.1.1) + rainbow (3.0.0) retryable (3.0.5) ruby-progressbar (1.10.1) rubyntlm (0.6.2) diff --git a/omnibus/resources/chefdk/pkg/entitlements.plist b/omnibus/resources/chefdk/pkg/entitlements.plist new file mode 100644 index 000000000..d6b93bc0b --- /dev/null +++ b/omnibus/resources/chefdk/pkg/entitlements.plist @@ -0,0 +1,8 @@ + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + +
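Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` relaxes the hardened runtime's signing enforcement for executable memory in every binary the entitlements file is applied to, which is wider than the ffi loading the commit message names, and the file gives no reason for it; plist files accept XML comments, so a line such as `<!-- Required by the ffi gem: it loads native code into memory unsigned, which the hardened runtime otherwise blocks -->` above the key would record the rationale, and whether the narrower `com.apple.security.cs.allow-jit` was tried belongs in the same comment. Which binaries receive this entitlement is decided by the omnibus signing step rather than by this file, so if it is applied package-wide the relaxation also covers ruby, git and the other embedded executables — worth confirming and noting. The plist's XML tags did not survive this rendering, so the `<plist>`/`<dict>` structure and the `<true/>` value cannot be checked from the hunk.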