Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

macOS Installer Requires Notarization To Be Run Under Catalina and Beyond #29216

Closed
enquora opened this issue Aug 20, 2019 · 43 comments
Closed
Labels
build Issues and PRs related to build files or the CI. install Issues and PRs related to the installers. macos Issues and PRs related to the macOS platform / OSX.

Comments

@enquora
Copy link

enquora commented Aug 20, 2019

Catalina and beyond refuse to execute installer package (because of lack of notarization). It is possible to circumvent this but the procedure is not discoverable and shouldn't be expected of normal users.

It is unlikely even this current work-around will be permitted in future versions of macOS. The installer package should either conform to platform security requirements or be removed from the distributions list entirely.

@targos
Copy link
Member

targos commented Aug 20, 2019

@bnoordhuis bnoordhuis added install Issues and PRs related to the installers. macos Issues and PRs related to the macOS platform / OSX. labels Aug 20, 2019
@bnoordhuis
Copy link
Member

Reading through Customizing the Notarization Workflow, it sounds like it'd be a major PITA to integrate with our release process. Thanks, Apple!

@MajuMadhusudanan
Copy link

I'm also facing the same problem. My package file bundle nodejs .PKG file. Now when I try to notarize my package file, apple rejects the package file saying it as invalid one. The below errors are coming in logs:

/node-v8.11.3.pkg/node-v8.11.3.pkg Contents/Payload/usr/local/bin/node",
"message": "The signature algorithm used is too weak.",

@silverwind
Copy link
Contributor

silverwind commented Aug 21, 2019

These requirements do not apply to Homebrew, right? If Apple's processes prove too tricky, maybe we should make that the recommended installation method.

@enquora
Copy link
Author

enquora commented Aug 21, 2019

Transferring responsibility for distribution to package managers is, indeed, one answer to a fundamental requirement of the modern computing landscape.

@duncanmak
Copy link

I also ship an app that has node bundled inside the app bundle, depending on Homebrew is not a viable solution for me.

Will the Node.js foundation ship a hardened (optionally also notarized) copy of Node.js soon, in time for the release of MacOS Catalina?

@tylersmalley
Copy link

Apple has announced that Catalina will be coming in October. It would be great to hear from the OpenJS Foundation to understand if they intend on notarizing the macOS Binary.

@devsnek
Copy link
Member

devsnek commented Sep 11, 2019

perhaps we should just recommend people install via brew/n/nvm/etc, easier to upgrade that way anyway.

@tylersmalley
Copy link

@devsnek, unfortunately, that isn't an option for folks who ship a version of Node in their software as myself and multiple folks on this thread do.

@jasontedor
Copy link

It's also relying on an assumption that Homebrew won't add the quarantine extended attribute that causes Gatekeeper to enforce signing/notarization requirements. Note that applications installed by Homebrew Cask do get the quarantine extended attribute.

@somu84
Copy link

somu84 commented Sep 11, 2019

Yea and resigning / hardening the node binary also doesn't work. As node tries to validate the signature and terminates if it's signed with any other certificate

@devsnek
Copy link
Member

devsnek commented Sep 11, 2019

sorry I don't know much about this packaging... Why can't you just bundle the node binary itself?

@somu84
Copy link

somu84 commented Sep 11, 2019

Node binary terminates without providing any details as to why, when I try to codesign the binary with a different cert.

@MajuMadhusudanan
Copy link

Apple released macOS Catalina yesterday. Any updates regarding this issue?

@duncanmak
Copy link

I think @gdams is working on a PR to fix this.

@gdams how goes it?

@gdams
Copy link
Member

gdams commented Oct 16, 2019

I have a patch which enabled hardened runtime, as soon as I can confirm if the full test suite passes I will create a PR

@faijaz
Copy link

faijaz commented Oct 23, 2019

I have a patch which enabled hardened runtime, as soon as I can confirm if the full test suite passes I will create a PR

Any update on it @gdams ? When can we start integrating it with our App?

@sam-github
Copy link
Contributor

ATTN: @nodejs/build -- since I don't see a ping of them (us!) in here.

@rvagg
Copy link
Member

rvagg commented Oct 28, 2019

Thanks @sam-github, this wasn't on my radar at all either. What a pain. It looks like we're going to have more integration work to do:

If you use an automated build system, you can integrate the notarization process into your existing build scripts. The altool and stapler command-line tools (included with Xcode) allow you to upload your software to the Apple notary service, and to staple the resulting ticket to your executable.

Figuring out that process will be an interesting task for someone. Any takers? The builds primarily go through the $(BINARYTAR) and $(PKG) build targets in Makefile. In there references to tools/osx-codesign.sh and tools/osx-productsign.sh. We'll need to extend those or add new steps to make this happen.

@gdams
Copy link
Member

gdams commented Oct 28, 2019

@rvagg so far I have the following patch that I have been testing:

diff --git a/tools/osx-codesign.sh b/tools/osx-codesign.sh
index 6a954c737f..70403ab268 100644
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,4 @@ if [ "X$SIGN" == "X" ]; then
   exit 0
 fi
 
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+codesign --sign "$SIGN" --entitlements tools/osx-entitlements.plist --options runtime --timestamp "$PKGDIR"/bin/node
\ No newline at end of file
diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
new file mode 100644
index 0000000000..9519157d71
--- /dev/null
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+  <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>
\ No newline at end of file

This will enable hardened runtime on the node binary which is the main requirement going forwards. In the OpenJDK world I have then been using electron-notarize-cli to notarize the pkg installer. The main issue going forwards is that the notarization has to be done on a mac with a full blown xcode 10 or 11 installation (not xcode build tools) as it requires the xcrun command. I'm more than happy to walk people through what I've done in the OpenJDK world so far if that helps?

@AshCripps
Copy link
Member

@gdams Didn't you say it also requires at least 10.13 OSX machine for the notorization? and the binary itself must be built with xcode 10 command line tools otherwise the notorization fails?

@gdams
Copy link
Member

gdams commented Oct 28, 2019

@AshCripps yes that's correct you need a 10.13 machine with xcode 10 or above, I did some test builds and I was able to notarize a binary built on xcode 9 command line tools so maybe that requirement is slightly looser.

@sam-github sam-github added build Issues and PRs related to build files or the CI. tsc-agenda Issues and PRs to discuss during the meetings of the TSC. labels Oct 28, 2019
@directionless
Copy link

directionless commented Oct 30, 2019

Notarization isn't too bad -- the biggest issue is that it's an asynchronous process. Because of it, my workflow ends up having an intermediary staging step.

Anyhow, the core commands to notarize are:

xcrun altool --username $APPLEID --password @env:N_PASS --asc-provider $TEAMID --notarize-app --file $FILE  --primary-bundle-id $BUNDLEID

xcrun altool --username $APPLEID --password @env:N_PASS --asc-provider $TEAMID  --notarization-info $REQUEST_GUUID 

staple $FILE

These commands can return xml which is reasonably parsable

MylesBorins pushed a commit that referenced this issue Mar 24, 2020
PR-URL: #31459
Refs: #29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Mar 24, 2020
Includes hardened-runtime patch from gdams from
#29216 (comment)

PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Mar 24, 2020
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Mar 24, 2020
PR-URL: #31459
Refs: #29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Mar 24, 2020
Includes hardened-runtime patch from gdams from
#29216 (comment)

PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Mar 24, 2020
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
@MylesBorins
Copy link
Contributor

This has gone out in v13.12.0.

We'll aim to get it in the next two LTS releases if there are no regressions reported

MylesBorins pushed a commit to MylesBorins/node that referenced this issue Mar 28, 2020
PR-URL: nodejs#31459
Refs: nodejs#29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Mar 28, 2020
Includes hardened-runtime patch from gdams from
nodejs#29216 (comment)

PR-URL: nodejs#31459
Refs: nodejs#29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Apr 1, 2020
PR-URL: nodejs#31459
Refs: nodejs#29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Apr 1, 2020
Includes hardened-runtime patch from gdams from
nodejs#29216 (comment)

PR-URL: nodejs#31459
Refs: nodejs#29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit to MylesBorins/node that referenced this issue Apr 1, 2020
PR-URL: nodejs#31459
Refs: nodejs#29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Apr 1, 2020
Backport-PR-URL: #32527
PR-URL: #31459
Refs: #29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Apr 1, 2020
Includes hardened-runtime patch from gdams from
#29216 (comment)

Backport-PR-URL: #32527
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Apr 1, 2020
Backport-PR-URL: #32527
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Apr 2, 2020
Backport-PR-URL: #32528
PR-URL: #31459
Refs: #29216
Refs: sindresorhus/macos-terminal-size#3
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
MylesBorins pushed a commit that referenced this issue Apr 2, 2020
Includes hardened-runtime patch from gdams from
#29216 (comment)

Backport-PR-URL: #32528
PR-URL: #31459
Refs: #29216
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ash Cripps <[email protected]>
Signed-off-by: Rod Vagg <[email protected]>
@AshCripps
Copy link
Member

This should be closed now, the latest 10.x and 12.x releases went out yesterday with notorization right?

@richardlau
Copy link
Member

I'll leave this pinned for a few days for visibility. Node.js 10.20.0, 12.16.2 and 13.12.0 are all notarized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. install Issues and PRs related to the installers. macos Issues and PRs related to the macOS platform / OSX.
Projects
None yet
Development

No branches or pull requests