Mono/macOS: Change .app packaging and codesign editor binary #24
Conversation
build-release.sh
Outdated
```sh
cd ${osx_tmpdir} && \
unzip ${binname}.zip && \
codesign --deep --timestamp \
--options=runtime --entitlements editor.entitlements \
```
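Review bot: the `codesign --deep` call here targets one path inside `${osx_tmpdir}` after the `unzip`, and the notarization report later in this thread shows that this `--deep` run did not reach `Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen` (reported as not signed, no secure timestamp, no hardened runtime). Sign the nested Mach-O files (that AOT compiler and the dylibs) explicitly with the same `--timestamp --options=runtime` flags before signing the bundle, and add a `codesign --verify --deep --strict` step after signing so a missed binary fails the build locally instead of surfacing in the notarization log.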
Is it the same entitlements file for both Mono and non-Mono editor use (one for camera and mic)? Mono probably will need some extra:
```xml
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
```
Thanks, I added those for Mono.
a93727c to b96c0c3
I could use some help to test the current state and see what might still be off to properly sign the .app. Here's a current build from https://downloads.tuxfamily.org/godotengine/testing/3.2.4.rc.mono-codesign_ready.zip. It includes both the editor build and the templates unsigned, and it would be nice to see:
build-release.sh
Outdated
```sh
request_uuid=$(echo ${request_uuid} | sed -e 's/.*RequestUUID = //')
ssh "${OSX_HOST}" "while xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*in\ progress; do echo Waiting on Apple signature; sleep 30s; done"
if ! ssh "${OSX_HOST}" "xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*success"; then
echo "Signing failed?"
```
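Review bot: `${APPLE_ID_PASSWORD}` is expanded into the remote command line on every poll, so it is visible in the process list on the macOS host for the whole wait loop; altool accepts `-p @keychain:ITEM` (or `-p @env:VAR`), which keeps the secret out of argv. The `grep -q ${request_uuid}.*in\ progress` test also degrades silently when the `sed` on the line above leaves `request_uuid` empty: the pattern becomes `.*in progress`, the loop waits on any in-progress request, and the later `success` check can pass on an unrelated submission, so guard with `[ -n "${request_uuid}" ] || exit 1` before the loop and bound the loop with a maximum number of polls. The `Signing failed?` branch should fetch the `--notarization-info` output rather than stop at a guess.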
Signing is working, but notarization is failing; the script should get full details.
```diff
-echo "Signing failed?"
+notarization_log=$(ssh "${OSX_HOST}" "xcrun altool --notarization-info ${request_uuid} -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\"")
+echo ${notarization_log}
```
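Review bot: `echo ${notarization_log}` is unquoted, so the multi-line `--notarization-info` output is word-split and re-joined onto one line, which makes the `LogFileURL:` value harder to pick out of the build log; use `echo "${notarization_log}"`. The `${APPLE_ID_PASSWORD}` on the remote command line has the same process-list exposure as in the polling loop above.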
Output should have `LogFileURL:` with the link to the full log.
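The polling loop under review and the suggested `--notarization-info` fallback, written out as an added example (not code from godot-build-scripts): RequestUUID extraction, a bounded wait that refuses an empty UUID, and LogFileURL extraction on failure. The sample altool output, the dummy UUID, the `fake_history` stand-in and the exact text layout of `--notarization-history` / `--notarization-info` are assumptions made for the offline run.

```sh
#!/bin/sh
# Added example for this thread, not code from godot-build-scripts: the altool
# steps under review (RequestUUID extraction, polling the notarization history,
# pulling the LogFileURL on failure) as small functions, driven by constructed
# sample output so the failure path runs offline without Apple credentials.
# The history/info layouts below are assumptions about altool's text output.

# Constructed sample altool output (dummy UUID, no real submission).
SAMPLE_UPLOAD='No errors uploading Godot_v3.2.4-rc_mono_osx.64_signed.zip.
RequestUUID = 11111111-2222-3333-4444-555555555555'
SAMPLE_HISTORY_RUNNING='Date                      RequestUUID                          Status
2021-03-02 13:51:00 +0000 11111111-2222-3333-4444-555555555555 in progress'
SAMPLE_HISTORY_FAILED='Date                      RequestUUID                          Status
2021-03-02 13:51:00 +0000 11111111-2222-3333-4444-555555555555 invalid'
SAMPLE_INFO='No errors getting notarization info.
    LogFileURL: https://example.invalid/notarization/log.json
   RequestUUID: 11111111-2222-3333-4444-555555555555
        Status: invalid'

# RequestUUID from the upload output; prints nothing and fails when absent so a
# caller never polls with an empty pattern (which would match any request).
extract_request_uuid() {
  uuid=$(printf '%s\n' "$1" | sed -n 's/.*RequestUUID = \([0-9a-fA-F-]*\).*/\1/p' | head -n 1)
  printf '%s\n' "$uuid"
  if [ -n "$uuid" ]; then return 0; fi
  return 1
}

# Status of one request in --notarization-history output: "in progress",
# "success", "invalid", or "unknown" (exit 1) when the UUID is empty/not listed.
notarization_state() {
  [ -n "$2" ] || { echo unknown; return 1; }
  line=$(printf '%s\n' "$1" | grep -F -- "$2" | head -n 1)
  case "$line" in
    *"in progress"*) echo "in progress" ;;
    *success*)       echo success ;;
    *invalid*)       echo invalid ;;
    *)               echo unknown; return 1 ;;
  esac
}

# LogFileURL line from --notarization-info output (the full JSON report).
extract_log_url() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*LogFileURL:[[:space:]]*//p' | head -n 1
}

# Poll until the request leaves "in progress". $2 is a command printing the
# history (a real altool wrapper or a fake); $3 max polls, $4 seconds between.
# Prints the final state; exit 0 only on success, 1 on failure or timeout.
wait_for_notarization() {
  uuid="$1"; fetch="$2"; max_polls="${3:-60}"; delay="${4:-30}"
  polls=0
  while :; do
    state=$(notarization_state "$("$fetch")" "$uuid")
    if [ "$state" != "in progress" ]; then
      printf '%s\n' "$state"
      if [ "$state" = success ]; then return 0; fi
      return 1
    fi
    polls=$((polls + 1))
    if [ "$polls" -ge "$max_polls" ]; then echo timeout; return 1; fi
    sleep "$delay"
  done
}

# A real fetch on the macOS host would look like this (password read from the
# keychain rather than passed in argv, so it never shows up in ps on the host):
#   fetch_history() {
#     ssh "$OSX_HOST" "xcrun altool --notarization-history 0 -u \"$APPLE_ID\" -p @keychain:AC_PASSWORD"
#   }

# Offline stand-in: two polls report "in progress", the third reports failure.
# The call counter lives in a file because the fetch runs in a subshell.
fake_history() {
  n=$(cat "$COUNTER"); n=$((n + 1)); echo "$n" > "$COUNTER"
  if [ "$n" -lt 3 ]; then printf '%s\n' "$SAMPLE_HISTORY_RUNNING"
  else printf '%s\n' "$SAMPLE_HISTORY_FAILED"; fi
}

COUNTER=$(mktemp); echo 0 > "$COUNTER"
uuid=$(extract_request_uuid "$SAMPLE_UPLOAD") || { echo "no RequestUUID in upload output" >&2; exit 1; }
if ! wait_for_notarization "$uuid" fake_history 10 0; then
  # Failed or timed out: report the full log URL instead of "Signing failed?".
  echo "Notarization did not succeed; full log: $(extract_log_url "$SAMPLE_INFO")"
fi
rm -f "$COUNTER"
```

Swapping `fake_history` for a function that runs the real `ssh ... xcrun altool --notarization-history` call gives the script's loop with two properties the reviewed version lacks: it cannot wait on a stray empty pattern, and it stops after a fixed number of polls instead of hanging on a request that never leaves "in progress".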
I was just looking into how to implement that, thanks :D
Here's the log:
```json
{
"logFormatVersion": 1,
"jobId": "305dfa5e-274d-4af3-87fc-c3ae100e5aab",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Godot_v3.2.4-rc_mono_osx.64_signed.zip",
"uploadDate": "2021-03-02T13:51:00Z",
"sha256": "de8ae2ff9323953f1f8b72acd9b4fcf8c68ac88bcd9ba747953a5bf68dd6788f",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
}
]
}
```
We do `codesign --deep ... -v ${appname}/Contents/MacOS/Godot`, so maybe it actually doesn't go through the whole .app. Would it work with `codesign --deep ... -v ${appname}`?
Try signing `aarch64-apple-darwin-mono-sgen` with its own `codesign` command, before signing the app (and do the same for the 3 dylibs as well); the `--deep` flag might be confused by the complex folder structure.
Signing with `${appname}` instead of `${appname}/Contents/MacOS/Godot` also skips `aarch64-apple-darwin-mono-sgen`, so I guess signing each part individually is the only option. Since `--deep` is signing dylibs correctly, signing `aarch64-apple-darwin-mono-sgen` and then `${appname}` with `--deep` should also work.
Signing `aarch64-apple-darwin-mono-sgen` first then `Godot` seems to work!
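The inside-out signing order the last few comments converge on (nested AOT compiler and dylibs first, the bundle last), as an added example that is not part of this PR: it sorts a list of paths deepest-first and prints the `codesign` commands to run in that order, followed by a strict verify. The path list, the placeholder dylib name, the signing identity and the entitlements file name are constructed for the example; nothing here executes `codesign`.

```sh
#!/bin/sh
# Added example for this thread, not code from godot-build-scripts: plan the
# codesign run inside-out (deepest paths first) so a nested Mach-O such as the
# Mono AOT cross-compiler is signed before the bundle that contains it, and the
# .app is signed last. The path list, identity and entitlements file are
# placeholders; nothing here invokes codesign, it prints the commands to run.

# Constructed list of what must carry a signature (dylib name is a placeholder).
SAMPLE_PATHS='Godot_mono.app
Godot_mono.app/Contents/MacOS/Godot
Godot_mono.app/Contents/Resources/GodotSharp/Mono/lib/libexample.dylib
Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen'

TAB=$(printf '\t')

# Print the paths deepest-first (by number of path components), ties broken by
# name so the order is stable; the bundle root therefore always comes last.
sign_order() {
  printf '%s\n' "$1" | awk -F/ 'NF { print NF "\t" $0 }' \
    | sort -t "$TAB" -k1,1nr -k2,2 | cut -f2-
}

# One codesign command per path, in signing order. $2: signing identity,
# $3: entitlements plist for executables (libraries get none). Every item gets
# --timestamp and --options=runtime, the two properties notarization rejected
# on the unsigned AOT compiler in the log above.
sign_plan() {
  sign_order "$1" | while IFS= read -r path; do
    case "$path" in
      *.dylib) printf 'codesign --force --timestamp --options=runtime -s "%s" -v "%s"\n' "$2" "$path" ;;
      *)       printf 'codesign --force --timestamp --options=runtime --entitlements "%s" -s "%s" -v "%s"\n' "$3" "$2" "$path" ;;
    esac
  done
}

# Strict verification of the finished bundle, to run before uploading: a nested
# binary that was skipped fails here instead of in the notarization report.
verify_cmd() {
  printf 'codesign --verify --deep --strict --verbose=2 "%s"\n' "$1"
}

sign_plan "$SAMPLE_PATHS" "Developer ID Application: Example Org (TEAMID)" editor.entitlements
verify_cmd Godot_mono.app
```

Because every Mach-O is listed and signed explicitly, the outer `.app` signature no longer has to rely on `--deep` finding nested code under `Contents/Resources`, which is exactly the path the notarization log flagged; piping the printed commands through `sh` (or the existing `ssh "${OSX_HOST}"` wrapper) runs them in the order shown.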
b96c0c3 to eef8189
build-release.sh
Outdated
```sh
for file in ${to_sign}; do \
echo \"Signing \$file:\" && \
codesign --deep --timestamp \
```
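Review bot: `for file in ${to_sign}` word-splits and glob-expands the unquoted list, so it only works while every path is free of spaces and glob characters; with the loop running inside a quoted ssh command that constraint deserves a comment, or pass the list newline-separated and read it with `while IFS= read -r file`. Also, a `codesign` failure in one iteration does not stop the `for` loop or fail the ssh command unless it happens on the last file, so append `|| exit 1` to the codesign call; otherwise one unsigned binary only shows up later in the notarization report.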
@bruvzg I was lazy and used a `for` loop to sign both binaries so both use `--deep`, but it doesn't seem to be an issue.
Here's a new test build for the editor which is successfully signed and notarized: https://downloads.tuxfamily.org/godotengine/testing/3.2.4.rc.mono-codesigned-editor.zip
ecfe673 to 8777e54
Updated to match what was finally merged with godotengine/godot#43768. Editor build signed and notarized successfully with this script; still need confirmation that all is well with the export templates too.
This allows signing the editor .app (will be done in next commit) and should let users sign their macOS exports. Co-authored-by: Shane Liesegang <shane@techie.net>
Using --deep to also sign the AOT cross-compilers.
8777e54 to c371cdd
Supersedes #13, thanks @sjml for the initial work and @neikeq for the buildsystem changes.
Requires godotengine/godot#43768 to be cherry-picked into 3.2 to work. Marking as draft, but it's ready for review; it's just until godotengine/godot#43768 is merged and cherry-picked and the resulting binaries are tested.