-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macOS refuses to start node
when downloaded from the tarball
#3538
Comments
It seems that notarization is now necessary for the plain binary file. I haven't found any reference to that in the macOS release notes.
|
This affects all existing releases. |
Thanks for the research, @targos. I was not able to test it as I don't have an ARM Apple machine available that supports Sonoma. I can create a PR to try adding the tarball to the notarization following this discussion (https://developer.apple.com/forums/thread/651759) that recommends compressing it as a .zip file and checking if the tarball was properly notarized. |
Ah, this doesn't affect x64, only arm64 ? |
Do we want to make this notarization retroactively to all the affected binaries? I believe that the notarization process is independent from the distribution, so we can do a long running script that downloads the binaries and notarize them one by one. So in few hours/days we can potentially solve this. |
I didn't tested on Sonoma, but I can upgrade my machine and test it. I will ask in Slack if maybe someone can test it :) |
Before you upgrade your machine, can you confirm:
|
Is it possible to notarize without changing the contents of the binaries? |
node
when downloaded from the tarballnode
when downloaded from the tarball
I just tested the reproduction steps with macOS Ventura 13.5.2 and it also happens with that version. |
I'll defer to people more familiar with mac's but when we first had to do notarization we were unable to notarize the tarball: #2188 (comment)
|
This was in x64 |
I will create a PR to try notarize the tarballs |
I'm looking into some issues with Node and trusted execution and this page was helpful https://forums.developer.apple.com/forums/thread/706442 TLDR; curl/wget dont' set the quarantine bit but the browser does. The quarantine bit is makes the OS ask for permission on first run. It seems like if the quarantine bit isn't sit you can still run the executable but can run into issues down the line (I'm running into the equivalent of https://developer.apple.com/forums/thread/663456 with node binaries in a build tool) |
@UlisesGascon wondering if you'd gotten around to a PR, can't remember if I saw one go by or not. |
Not yet, I was focus on the 20.11.0 release. I plan to start working on this asap. |
I am actively working on this during the weekend. I will make an update asap 👍 |
Ok! I made some progress on the topic, but I will need help to really do all the tweaks needed in Jenkins. So, let me summarize a bit the changes. What I did?
Where I need support?I am having some issues to follow all the CI steps, so it will be nice to have a better understanding and potentially suggestions on how we can integrate this new process. The current release output for MacOS is composed by 5 binaries (see):
Today only What I am not sure about is how the pipeline and other scripts interact right now. As far as I can see from the logs, only the I would appreciate some guidance or a small pairing session (cc: @nodejs/build-infra) :-) |
The tarballs are there -- they're being uploaded via scp. It looks from the job output that the notarization script is complaining about ARCHTYPE? |
Also maybe you're not accounting for the pkg files not containing |
When I download that release into a arm mac running Sonoma 14.0 and then try to run
./bin/node
using the terminal I'm getting a security notice that you can check in the following imageOriginally posted by @mistic in #3385 (comment)
Repro:
cd ~/Downloads && tar xf node-v18.18.2-darwin-x64.tar.xz
./node-v18.18.2-darwin-x64/bin/node
The text was updated successfully, but these errors were encountered: