Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(bundler): codesign nested code on macos #8259

Merged
merged 7 commits into from
Dec 28, 2023
Merged

feat(bundler): codesign nested code on macos #8259

merged 7 commits into from
Dec 28, 2023

Conversation

pewsheen
Copy link
Contributor

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Docs
  • New Binding issue #___
  • Code style update
  • Refactor
  • Build-related changes
  • Other, please describe:

Does this PR introduce a breaking change?

  • Yes, and the changes were approved in issue #___
  • No

Checklist

  • When resolving issues, they are referenced in the PR's title (e.g fix: remove a typo, closes #___, #___)
  • A change file is added if any packages will require a version bump due to this PR per the instructions in the readme.
  • I have added a convincing reason for adding this feature, if necessary

Other information

Related: #8075 #8173

References:

Notes:

  • This patch does not cover all the cases but could be a start that we can sign nested code.
  • Only signs codes inside standard location (/MacOS, /Frameworks, /PlugIns, /XPCServices, /Helpers)
  • The risk of the patch is that if we are trying to sign something that is not signable, then the whole process will be stopped.
  • Successfully codesign and notarized the reproduced repo from [bug] Bundle fails on Apple Accelerate framework #8173 and the test.framework in tauri testing.

@pewsheen pewsheen requested a review from a team as a code owner November 20, 2023 06:08
@lucasfernog
Copy link
Member

I think we should take this one step forward and apply this logic to the whole .app bundle instead, so it also signs user resources and macOS custom files on v2.

@pewsheen
Copy link
Contributor Author

I think we should take this one step forward and apply this logic to the whole .app bundle instead, so it also signs user resources and macOS custom files on v2.

After doing some article search, I think I was just reimplementing the codesign --deep, which was deprecated for reasons.

Maybe we should take other approaches to sign those files, like providing a sign_files field in tauri.config.json and letting the user fill the path, entitlements, and is_executable while we can still auto codesign the files that generate from tauri itself.

@pewsheen pewsheen marked this pull request as draft November 21, 2023 03:40
@hjmallon hjmallon mentioned this pull request Dec 4, 2023
Merged
13 tasks
@hjmallon
Copy link

hjmallon commented Dec 4, 2023

I'm really interested in solving this issue (probably in 1.x branch since it is for a live project). Would we rather have code signing on macOS:

  1. Where the main app is automatically signed as currenlty, but all ofher files need a config line like @pewsheen says?
  2. Something that does a --deep equivalent on everything, which is not very fine grained as mentioned?
  3. Something that does a --deep equivalent on everuthing, but with a new config key for arguments for non standard parts?
  4. Something else?

@lucasfernog
Merge remote-tracking branch 'origin/1.x' into feat/codesign-r
1847d1b
@lucasfernog
typo
49d2290
@lucasfernog
also sign stuff in the Libraries folder
f3ef59d 
tested this for spacedrive, which has a bunch of dylib inside the libraries folder
@lucasfernog lucasfernog marked this pull request as ready for review December 28, 2023 16:54
@lucasfernog lucasfernog merged commit 8991129 into tauri-apps:1.x Dec 28, 2023
2 checks passed
@pewsheen pewsheen deleted the feat/codesign-r branch January 31, 2024 01:58
@raphaelmenges
Copy link

Maybe we should take other approaches to sign those files, like providing a sign_files field in tauri.config.json and letting the user fill the path, entitlements, and is_executable while we can still auto codesign the files that generate from tauri itself.

Perhaps I overlook it in the documentation, but I am facing this exact issue and you could point me out to such sign_files field - if it exists. I am bundling a .dylib with my application that must be signed alongside the Tauri binaries to pass the notarization. Right now, notarization fails with "The binary is not signed with a valid Developer ID certificate." for that .dylib.

Worst case I can code sign the .dylib manually, yet, I of course prefer a Tauri-based solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucasfernog lucasfernog lucasfernog approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pewsheen @lucasfernog @hjmallon @raphaelmenges