-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macOS Installer Requires Notarization To Be Run Under Catalina and Beyond #29216
Comments
Reading through Customizing the Notarization Workflow, it sounds like it'd be a major PITA to integrate with our release process. Thanks, Apple! |
I'm also facing the same problem. My package file bundle nodejs .PKG file. Now when I try to notarize my package file, apple rejects the package file saying it as invalid one. The below errors are coming in logs: /node-v8.11.3.pkg/node-v8.11.3.pkg Contents/Payload/usr/local/bin/node", |
These requirements do not apply to Homebrew, right? If Apple's processes prove too tricky, maybe we should make that the recommended installation method. |
Transferring responsibility for distribution to package managers is, indeed, one answer to a fundamental requirement of the modern computing landscape. |
I also ship an app that has Will the Node.js foundation ship a hardened (optionally also notarized) copy of Node.js soon, in time for the release of MacOS Catalina? |
Apple has announced that Catalina will be coming in October. It would be great to hear from the OpenJS Foundation to understand if they intend on notarizing the macOS Binary. |
perhaps we should just recommend people install via brew/n/nvm/etc, easier to upgrade that way anyway. |
@devsnek, unfortunately, that isn't an option for folks who ship a version of Node in their software as myself and multiple folks on this thread do. |
It's also relying on an assumption that Homebrew won't add the quarantine extended attribute that causes Gatekeeper to enforce signing/notarization requirements. Note that applications installed by Homebrew Cask do get the quarantine extended attribute. |
Yea and resigning / hardening the node binary also doesn't work. As node tries to validate the signature and terminates if it's signed with any other certificate |
sorry I don't know much about this packaging... Why can't you just bundle the node binary itself? |
Node binary terminates without providing any details as to why, when I try to codesign the binary with a different cert. |
Apple released macOS Catalina yesterday. Any updates regarding this issue? |
I have a patch which enabled hardened runtime, as soon as I can confirm if the full test suite passes I will create a PR |
Any update on it @gdams ? When can we start integrating it with our App? |
ATTN: @nodejs/build -- since I don't see a ping of them (us!) in here. |
Thanks @sam-github, this wasn't on my radar at all either. What a pain. It looks like we're going to have more integration work to do:
Figuring out that process will be an interesting task for someone. Any takers? The builds primarily go through the |
@rvagg so far I have the following patch that I have been testing: diff --git a/tools/osx-codesign.sh b/tools/osx-codesign.sh
index 6a954c737f..70403ab268 100644
--- a/tools/osx-codesign.sh
+++ b/tools/osx-codesign.sh
@@ -8,4 +8,4 @@ if [ "X$SIGN" == "X" ]; then
exit 0
fi
-codesign -s "$SIGN" "$PKGDIR"/bin/node
+codesign --sign "$SIGN" --entitlements tools/osx-entitlements.plist --options runtime --timestamp "$PKGDIR"/bin/node
\ No newline at end of file
diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
new file mode 100644
index 0000000000..9519157d71
--- /dev/null
+++ b/tools/osx-entitlements.plist
@@ -0,0 +1,16 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-executable-page-protection</key>
+ <true/>
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+</dict>
+</plist>
\ No newline at end of file This will enable hardened runtime on the |
@gdams Didn't you say it also requires at least 10.13 OSX machine for the notorization? and the binary itself must be built with xcode 10 command line tools otherwise the notorization fails? |
@AshCripps yes that's correct you need a 10.13 machine with xcode 10 or above, I did some test builds and I was able to notarize a binary built on xcode 9 command line tools so maybe that requirement is slightly looser. |
Notarization isn't too bad -- the biggest issue is that it's an asynchronous process. Because of it, my workflow ends up having an intermediary staging step. Anyhow, the core commands to notarize are:
These commands can return xml which is reasonably parsable |
PR-URL: #31459 Refs: #29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from #29216 (comment) PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
PR-URL: #31459 Refs: #29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from #29216 (comment) PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
This has gone out in v13.12.0. We'll aim to get it in the next two LTS releases if there are no regressions reported |
PR-URL: nodejs#31459 Refs: nodejs#29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from nodejs#29216 (comment) PR-URL: nodejs#31459 Refs: nodejs#29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
PR-URL: nodejs#31459 Refs: nodejs#29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from nodejs#29216 (comment) PR-URL: nodejs#31459 Refs: nodejs#29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
PR-URL: nodejs#31459 Refs: nodejs#29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Backport-PR-URL: #32527 PR-URL: #31459 Refs: #29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from #29216 (comment) Backport-PR-URL: #32527 PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Backport-PR-URL: #32527 PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Backport-PR-URL: #32528 PR-URL: #31459 Refs: #29216 Refs: sindresorhus/macos-terminal-size#3 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
Includes hardened-runtime patch from gdams from #29216 (comment) Backport-PR-URL: #32528 PR-URL: #31459 Refs: #29216 Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ash Cripps <[email protected]> Signed-off-by: Rod Vagg <[email protected]>
This should be closed now, the latest 10.x and 12.x releases went out yesterday with notorization right? |
I'll leave this pinned for a few days for visibility. Node.js 10.20.0, 12.16.2 and 13.12.0 are all notarized. |
Catalina and beyond refuse to execute installer package (because of lack of notarization). It is possible to circumvent this but the procedure is not discoverable and shouldn't be expected of normal users.
It is unlikely even this current work-around will be permitted in future versions of macOS. The installer package should either conform to platform security requirements or be removed from the distributions list entirely.
The text was updated successfully, but these errors were encountered: