Re: Codesign broken in 10.11.4

2016-04-07 Thread Glenn L. Austin

> On Apr 7, 2016, at 9:25 AM, Trygve Inda wrote:
> 
>> This may be relevant, though it does talk about issues with pref panes as
>> well.
>> 
>> http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/
> 
> Yup. That sums it up.
> 
> The short story: tested with a default Xcode command line tool that says
> "Hello World".
> 
> 1) Build a command line tool on 10.11.3 and sign it with my Developer ID.
> Everything is fine.
> 
> 2) Test it on 10.11.4 and spctl gives me an "obsolete resource envelope"
> error.
> 
> This bug is preventing the release of a major new version of our product.

You did know that Apple updated codesigning in a way that was 
backwards-compatible, but not forwards compatible?


-- 
Glenn L. Austin, Computer Wizard and Race Car Driver <><



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Codesign broken in 10.11.4

2016-04-07 Thread Jim Adams
Could this be relevant to the changes in Xcode for iOS library development
where you have to use archive instead of build to get the correct architectures
in your bundle?

> On Apr 7, 2016, at 12:25 PM, Trygve Inda wrote:
> 
>> This may be relevant, though it does talk about issues with pref panes as
>> well.
>> 
>> http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/
> 
> Yup. That sums it up.
> 
> The short story: tested with a default Xcode command line tool that says
> "Hello World".
> 
> 1) Build a command line tool on 10.11.3 and sign it with my Developer ID.
> Everything is fine.
> 
> 2) Test it on 10.11.4 and spctl gives me an "obsolete resource envelope"
> error.
> 
> This bug is preventing the release of a major new version of our product.
> 
> :(
> 
> Trygve
> 
> 
> 

Re: Codesign broken in 10.11.4

2016-04-07 Thread Trygve Inda
> This may be relevant, though it does talk about issues with pref panes as
> well.
> 
> http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/

Yup. That sums it up.

The short story: tested with a default Xcode command line tool that says
"Hello World".
 
1) Build a command line tool on 10.11.3 and sign it with my Developer ID.
Everything is fine.

2) Test it on 10.11.4 and spctl gives me an "obsolete resource envelope"
error.

This bug is preventing the release of a major new version of our product.

:(

Trygve




Re: Codesign broken in 10.11.4

2016-04-07 Thread Kevin Meaney
This may be relevant, though it does talk about issues with pref panes as well.

http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/

> On 7 Apr 2016, at 15:13, Trygve Inda wrote:
> 
> My app is built on 10.11.3. It is a prefPane with one command line tool and
> three app bundles (four helper tools) in its bundle. I am getting
> GateKeeper warnings on 10.11.4 systems, but not on anything else.
> 
> It is manually codesigned with my Developer ID... first the helper tool
> frameworks, then the helper tools themselves and then the prefPane. So
> everything is signed from the inside-out.
> 
> In terminal (on two different machines running 10.11.3) I get:
> 
> spctl -a -t exec -vv My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: accepted
>  source=Developer ID
>  origin=Developer ID Application: My Company, Inc.
> 
> codesign --verbose=4 --deep --strict My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: valid on disk
>  /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
> 
> 
> In terminal (on two different machines running 10.11.4) I get:
> 
> spctl -a -t exec -vv My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: rejected
>  source=obsolete resource envelope
>  origin=Developer ID Application: My Company, Inc.
> 
> codesign --verbose=4 --deep --strict My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: valid on disk
>  /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
> 
> 
> The codesign command is taken directly from what Xcode uses:
> 
> codesign --force --sign "Developer ID Application: My Company, Inc."
> --requirements "=designated => anchor apple generic and identifier
> \"com.mycompany.myproduct.helper\" and ((cert
> leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate
> 1[field.1.2.840.113635.100.6.2.6] exists and certificate
> leaf[field.1.2.840.113635.100.6.1.13] exists and certificate
> leaf[subject.OU] = \"MYAPPLE123\"))" --timestamp=none
> "$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"
> 
> 
> When I run the above spctl terminal command on the helpers within the bundle
> on 10.11.4, the three helper app bundles are accepted but the command line
> tool is rejected with "obsolete resource envelope".
> 
> If I copy that command line tool to a 10.11.3 system and run spctl, it is
> accepted.
> 
> I have spent more than a day on this and am at a loss as to what is
> happening.
> 
> Any ideas?
> 
> 
> 
> 

Re: Codesign broken in 10.11.4

2016-04-07 Thread John Pannell
I've seen quite a bit on my newsfeed regarding this...

http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/
https://www.noodlesoft.com/blog/2016/04/05/hazel-3-3-8-getting-past-the-gates/
https://forums.developer.apple.com/message/81349#81349

Haven't seen any workarounds yet - hope this helps!

John

On Thu, Apr 7, 2016, at 08:13 AM, Trygve Inda wrote:
> My app is built on 10.11.3. It is a prefPane with one command line tool and
> three app bundles (four helper tools) in its bundle. I am getting
> GateKeeper warnings on 10.11.4 systems, but not on anything else.
> 
> It is manually codesigned with my Developer ID... first the helper tool
> frameworks, then the helper tools themselves and then the prefPane. So
> everything is signed from the inside-out.
> 
> In terminal (on two different machines running 10.11.3) I get:
> 
> spctl -a -t exec -vv My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: accepted
>  source=Developer ID
>  origin=Developer ID Application: My Company, Inc.
> 
> codesign --verbose=4 --deep --strict My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: valid on disk
>  /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
> 
> 
> In terminal (on two different machines running 10.11.4) I get:
> 
> spctl -a -t exec -vv My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: rejected
>  source=obsolete resource envelope
>  origin=Developer ID Application: My Company, Inc.
> 
> codesign --verbose=4 --deep --strict My.prefPane
> 
>  /Volumes/Path/To//My.prefPane: valid on disk
>  /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
> 
> 
> The codesign command is taken directly from what Xcode uses:
> 
> codesign --force --sign "Developer ID Application: My Company, Inc."
> --requirements "=designated => anchor apple generic and identifier
> \"com.mycompany.myproduct.helper\" and ((cert
> leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate
> 1[field.1.2.840.113635.100.6.2.6] exists and certificate
> leaf[field.1.2.840.113635.100.6.1.13] exists and certificate
> leaf[subject.OU] = \"MYAPPLE123\"))" --timestamp=none
> "$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"
> 
> 
> When I run the above spctl terminal command on the helpers within the bundle
> on 10.11.4, the three helper app bundles are accepted but the command line
> tool is rejected with "obsolete resource envelope".
> 
> If I copy that command line tool to a 10.11.3 system and run spctl, it is
> accepted.
> 
> I have spent more than a day on this and am at a loss as to what is
> happening.
> 
> Any ideas?
> 
> 
> 
> 

Codesign broken in 10.11.4

2016-04-07 Thread Trygve Inda
My app is built on 10.11.3. It is a prefPane with one command line tool and
three app bundles (four helper tools) in its bundle. I am getting
GateKeeper warnings on 10.11.4 systems, but not on anything else.

It is manually codesigned with my Developer ID... first the helper tool
frameworks, then the helper tools themselves and then the prefPane. So
everything is signed from the inside-out.

In terminal (on two different machines running 10.11.3) I get:

spctl -a -t exec -vv My.prefPane

   /Volumes/Path/To//My.prefPane: accepted
   source=Developer ID
   origin=Developer ID Application: My Company, Inc.

codesign --verbose=4 --deep --strict My.prefPane

   /Volumes/Path/To//My.prefPane: valid on disk
   /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement


In terminal (on two different machines running 10.11.4) I get:

spctl -a -t exec -vv My.prefPane

   /Volumes/Path/To//My.prefPane: rejected
   source=obsolete resource envelope
   origin=Developer ID Application: My Company, Inc.

codesign --verbose=4 --deep --strict My.prefPane

   /Volumes/Path/To//My.prefPane: valid on disk
   /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement


The codesign command is taken directly from what Xcode uses:

codesign --force --sign "Developer ID Application: My Company, Inc."
--requirements "=designated => anchor apple generic and identifier
\"com.mycompany.myproduct.helper\" and ((cert
leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate
1[field.1.2.840.113635.100.6.2.6] exists and certificate
leaf[field.1.2.840.113635.100.6.1.13] exists and certificate
leaf[subject.OU] = \"MYAPPLE123\"))" --timestamp=none
"$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"


When I run the above spctl terminal command on the helpers within the bundle
on 10.11.4, the three helper app bundles are accepted but the command line
tool is rejected with "obsolete resource envelope".

If I copy that command line tool to a 10.11.3 system and run spctl, it is
accepted.

I have spent more than a day on this and am at a loss as to what is
happening.

Any ideas?
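
The per-item check described in this post, as an added example that is not part of the original message or of any Apple tooling: a POSIX shell helper that runs the same `spctl -a -t exec -vv` assessment on each nested item and lists only the ones Gatekeeper does not accept, with the reported `source=` reason. The function names `gk_parse` and `gk_triage` are hypothetical; the sample input is the 10.11.4 output quoted above.

```shell
#!/bin/sh
# Added example: triage Gatekeeper assessments for each nested code item.
# A passing `codesign` check is not enough; in the post above it reports
# "valid on disk" on 10.11.4 while spctl rejects the same item.

# gk_parse: read `spctl -a -t exec -vv` output on stdin and print one
# "verdict<TAB>source<TAB>path" line per assessed item.
gk_parse() {
    awk '
        function emit() { printf "%s\t%s\t%s\n", verdict, src, path }
        /: (accepted|rejected)$/ {
            if (path != "") emit()
            verdict = $0; sub(/^.*: /, "", verdict)
            path = $0
            sub(/: (accepted|rejected)$/, "", path)
            sub(/^[ \t]+/, "", path)
            src = "-"
            next
        }
        /^[ \t]*source=/ { src = $0; sub(/^[ \t]*source=/, "", src) }
        END { if (path != "") emit() }
    '
}

# gk_triage ITEM...: assess each item, print only the ones Gatekeeper does
# not accept, and return non-zero if there were any.
gk_triage() {
    failed=0
    for item in "$@"; do
        # 2>&1 captures the report whichever stream it is written to.
        result=$(spctl -a -t exec -vv "$item" 2>&1 | gk_parse)
        case $result in
            accepted*) ;;
            "") failed=1; printf 'unknown\t-\t%s\n' "$item" ;;
            *) failed=1; printf '%s\n' "$result" ;;
        esac
    done
    return "$failed"
}

# Demo on the 10.11.4 output quoted in the post (no spctl needed).
gk_parse <<'EOF'
   /Volumes/Path/To//My.prefPane: rejected
   source=obsolete resource envelope
   origin=Developer ID Application: My Company, Inc.
EOF
```

On a Mac, pass the prefPane and each helper inside it to `gk_triage` on every OS version you ship to, and fail the release step on a non-zero return.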



