Mono/macOS: Change .app packaging and codesign editor binary #24
Conversation
build-release.sh
Outdated
| cd ${osx_tmpdir} && \ | ||
| unzip ${binname}.zip && \ | ||
| codesign --deep --timestamp \ | ||
| --options=runtime --entitlements editor.entitlements \ |
There was a problem hiding this comment.
Is it the same entitlements file for both Mono and non-Mono editor use (one for camera and mic)? Mono probably will need some extra:
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>There was a problem hiding this comment.
Thanks, I added those for Mono.
akien-mga
force-pushed
the
macos-mono-codesign
branch
from
a93727c
to
b96c0c3
Compare
|
So I'm getting a I could use some help to test the current state and see what might still be off to properly sign the .app. Here's a current build from the https://downloads.tuxfamily.org/godotengine/testing/3.2.4.rc.mono-codesign_ready.zip It includes both the editor build and the templates unsigned, and it would be nice to see:
|
build-release.sh
Outdated
| request_uuid=$(echo ${request_uuid} | sed -e 's/.*RequestUUID = //') | ||
| ssh "${OSX_HOST}" "while xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*in\ progress; do echo Waiting on Apple signature; sleep 30s; done" | ||
| if ! ssh "${OSX_HOST}" "xcrun altool --notarization-history 0 -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\" | grep -q ${request_uuid}.*success"; then | ||
| echo "Signing failed?" |
There was a problem hiding this comment.
Signing is working, but notarization is falling, script should get full details.
| echo "Signing failed?" | |
| notarization_log=$(ssh "${OSX_HOST}" "xcrun altool --notarization-info ${request_uuid} -u \"${APPLE_ID}\" -p \"${APPLE_ID_PASSWORD}\"") | |
| echo ${notarization_log} |
Output should have LogFileURL: with the link to full log.
There was a problem hiding this comment.
I was just looking into how to implement that, thanks :D
There was a problem hiding this comment.
Here's the log:
{
"logFormatVersion": 1,
"jobId": "305dfa5e-274d-4af3-87fc-c3ae100e5aab",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Godot_v3.2.4-rc_mono_osx.64_signed.zip",
"uploadDate": "2021-03-02T13:51:00Z",
"sha256": "de8ae2ff9323953f1f8b72acd9b4fcf8c68ac88bcd9ba747953a5bf68dd6788f",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Godot_v3.2.4-rc_mono_osx.64_signed.zip/Godot_mono.app/Contents/Resources/GodotSharp/Tools/aot-compilers/iphone-arm64/aarch64-apple-darwin-mono-sgen",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
}
]
}
There was a problem hiding this comment.
We do codesign --deep ... -v ${appname}/Contents/MacOS/Godot so maybe it actually doesn't go through the all .app. Would it work with codesign --deep ... -v ${appname}?
There was a problem hiding this comment.
Try singing aarch64-apple-darwin-mono-sgen with it's own codesign command, before signing the app (and do the same for 3 dylibs as well), --deep flag might be confused by complex folder structure.
There was a problem hiding this comment.
${appname}
Signing with ${appname} instead of ${appname}/Contents/MacOS/Godot also skips aarch64-apple-darwin-mono-sgen, so I guess signing each part individually is the only option. Since --deep is signing dylibs correctly, signing aarch64-apple-darwin-mono-sgen and then ${appname} with -deep should also work.
There was a problem hiding this comment.
Signing aarch64-apple-darwin-mono-sgen first then Godot seems to work!
akien-mga
force-pushed
the
macos-mono-codesign
branch
from
b96c0c3
to
eef8189
Compare
build-release.sh
Outdated
| for file in ${to_sign}; do \ | ||
| echo \"Signing \$file:\" && \ | ||
| codesign --deep --timestamp \ |
There was a problem hiding this comment.
@bruvzg I was lazy and used a for loop to sign both binaries so both use --deep, but it doesn't seem to be an issue.
|
Here's a new test build for the editor which is successfully signed and notarized: https://downloads.tuxfamily.org/godotengine/testing/3.2.4.rc.mono-codesigned-editor.zip |
akien-mga
force-pushed
the
macos-mono-codesign
branch
from
ecfe673
to
8777e54
Compare
|
Updated to match what was finally merged with godotengine/godot#43768. Editor build signed and notarized successfully with this script, still need confirmation that all is well with the export templates too. |
This allows signing the editor .app (will be done in next commit) and should let users sign their macOS exports. Co-authored-by: Shane Liesegang <shane@techie.net>
Using --deep to also sign the AOT cross-compilers.
akien-mga
force-pushed
the
macos-mono-codesign
branch
from
8777e54
to
c371cdd
Compare
Supersedes #13, thanks @sjml for the initial work and @neikeq for the buildsystem changes.
Requires godotengine/godot#43768 to be cherry-picking in
3.2to work.Marking as draft but it's ready for review, it's just until godotengine/godot#43768 is merged and cherry-picked and the resulting binaries are tested.