specter-desktop
Mac signature no longer accepted
Starting the signed binary like this:
```
(.env) ➜ specter-desktop git:(kn/mac_signing) ✗ ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
[1] 45152 killed ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
(.env) ➜ specter-desktop git:(kn/mac_signing) ✗
```
So the executable will get killed immediately and you'll see something like this in the logs:
Disallowing solutions.specter.desktop because no eligible provisioning profiles found
It seems that we need a provisioning profile. However, Apple does not mention that in its documentation. There, only signing and notarizing are mentioned.
Validating signatures
Is the signature of that binary even valid? A prerequisite for notarizing is that you sign your software with your developer key.
The signature can be checked like this:
```
➜ specter-desktop git:(kn/mac_signing) ✗ pkgutil --check-signature ./pyinstaller/electron/dist/mac-arm64/Specter.app
Package "Specter":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Application: Kim Neunert (FWV59JHV83)
       Expires: 2026-09-11 11:59:39 +0000
       SHA256 Fingerprint:
           06 C7 63 8C 92 5B DD 60 79 8C B1 B0 30 8D B7 98 2C 99 8E F3 33 87
           A0 BD 03 1B 35 C5 3D 53 3C 3D
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
           68 C5 BE 91 B5 A1 10 01 F0 24
➜ specter-desktop git:(kn/mac_signing) ✗
```
Validating notarisation status
Is the software properly notarised?
Yes, I think so:
```
➜ specter-desktop git:(kn/mac_signing) ✗ spctl --assess --verbose --type execute ./pyinstaller/electron/dist/mac-arm64/Specter.app
./pyinstaller/electron/dist/mac-arm64/Specter.app: accepted
source=Notarized Developer ID
➜ specter-desktop git:(kn/mac_signing) ✗
```
Additional context and further references:
- https://developer.apple.com/videos/play/wwdc2019/703/ (30 min video "all about notarisation")
Did it ever work?
Yes, it did. The original notarisation-process was built on "altool". However, for some reason, binaries which got signed with that process started to crash.
After installing it and starting it, it results in:
```
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Incident Identifier: 098A5E69-E3A3-4FAC-BB70-4A85FD2E9C36
CrashReporter Key: 0ECE6060-D469-9FCA-090A-DFE686CA0C88
Hardware Model: Mac14,9
Process: Specter [25891]
Path: /Applications/Specter.app/Contents/MacOS/Specter
Identifier: solutions.specter.desktop
Version: 2.0.2-pre4 (2.0.2-pre4)
Code Type: X86-64 (Native)
Role: Default
Parent Process: launchd [1]
Coalition: solutions.specter.desktop [58761]
Date/Time: 2023-06-28 13:57:30.0009 +0200
Launch Time: 2023-06-28 13:57:29.6777 +0200
OS Version: macOS 13.4 (22F66)
Release Type: User
Report Version: 104
Exception Type: EXC_CR
```
However, at the time of signing, I got this JSON result back:
```
{
  "tool-version": "4.029.1194",
  "tool-path": "/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework",
  "success-message": "No errors getting notarization info.",
  "notarization-info": {
    "Status": "success",
    "Status Message": "Package Approved",
    "LogFileURL": "https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma116/v4/cc/ad/78/ccad781b-b1c4-7e4e-5f47-b2644f10e033/developer_log.json?accessKey=1688143920_4653658224769771469_dq5gv5qwSSLx%2F2%2Ft%2Bm946O%2B8jMVwX6msaTG2K83jgC4Mq%2BV%2FMw4m1F8FWhIPW%2FaO74vciaNYHdFf4XrawBdbU3GdmInRzdnqiIr%2BVZlZfSS6iI5gEVLNxDv6yLe5sf93TtVV13onU5N%2BLe5vT9M6OHwOAkmucHoHgemf%2BdxdXa4%3D",
    "Date": "2023-06-28T12:48:53.000Z",
    "RequestUUID": "97a93c1b-4806-4eb3-baa0-f185676ea0b1",
    "Status Code": 0,
    "Hash": "2240c7e15926eed5e1826f036359e81b50f9ded91d2589620cdbb81c1e853e91"
  },
  "os-version": "10.15.7"
}
```
The script which is building the whole app can be found here: https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-osx.sh
The relevant part which does the signing is here: https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-common.sh#L115-L168
STEPS TO REPRODUCE Download the dmg from above link, install and start.
NAME AND APPLE ID OF APP specter-desktop
The answer from Apple was not very precise.
Thank you for contacting Apple Developer Technical Support (DTS). Based on your request, we believe that your question is answered by the Apple Developer Forums discussion linked here:
Resolving Trusted Execution Problems https://developer.apple.com/forums/thread/706442
If after reviewing this information you have further questions or persistent issues, and do not wish to follow up on the Developer Forums, please reply to this email and we will re-open this support inquiry, re-debiting a Technical Support Incident (TSI) if appropriate to do so.
After some digging, I decided to migrate from altool to notarytool and the result is the error message at the top of this ticket.
Understanding Provisioning Profiles
Just for reference, some information about provisioning profiles. Here are different profiles explained. For our use case, it seems that the AdHoc profile might be the way to go.
ChatGPT spits out those references:
- Development Provisioning Profile: Apple Developer Documentation: https://developer.apple.com/documentation/xcode/understanding-and-creating-provisioning-profiles
- Ad Hoc Provisioning Profile: Apple Developer Documentation: https://developer.apple.com/documentation/xcode/distributing-your-app-for-beta-testing
- Distribution Provisioning Profile: Apple Developer Documentation: https://developer.apple.com/documentation/appstoreconnectapi/profiles
Relevant information nuggets:
- https://www.youtube.com/watch?v=Ys2p5bFhgjI
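
Added example, not part of the original issue or the project's build scripts: a small release gate that parses the `pkgutil --check-signature` and `spctl --assess` output quoted above and reports anything that fails. The function names and the abridged sample text are assumptions made for this example; as the issue shows, both static checks can pass while the binary is still killed at launch, so a gate like this is a necessary check and not a sufficient one.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: abridged from the tool output quoted in this issue
# (fingerprint lines omitted).
PKGUTIL_OUT = """\
Package "Specter":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Application: Kim Neunert (FWV59JHV83)
       Expires: 2026-09-11 11:59:39 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
"""
SPCTL_OUT = """\
./pyinstaller/electron/dist/mac-arm64/Specter.app: accepted
source=Notarized Developer ID
"""

def parse_chain(text):
    """Return [(certificate name, expiry as aware datetime), ...] in chain order."""
    pairs = re.findall(r"^\s*\d+\.\s+(.+?)\s*\n\s*Expires:\s*(.+?)\s*$", text, re.M)
    return [(name, datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %z")) for name, exp in pairs]

def parse_spctl(text):
    """Return (accepted?, source string or None) from `spctl --assess --verbose`."""
    accepted = re.search(r":\s*accepted\s*$", text, re.M) is not None
    src = re.search(r"^source=(.+)$", text, re.M)
    return accepted, src.group(1).strip() if src else None

def release_gate(pkgutil_out, spctl_out, now):
    """List the problems found; an empty list means both static checks pass."""
    problems = []
    if "signed by a certificate trusted by macOS" not in pkgutil_out:
        problems.append("signature not trusted")
    chain = parse_chain(pkgutil_out)
    if not chain or not chain[0][0].startswith("Developer ID Application:"):
        problems.append("leaf is not a Developer ID Application certificate")
    problems += [f"expired: {n}" for n, exp in chain if exp <= now]
    accepted, source = parse_spctl(spctl_out)
    if not accepted or source != "Notarized Developer ID":
        problems.append(f"Gatekeeper assessment: accepted={accepted}, source={source}")
    return problems

if __name__ == "__main__":
    print(release_gate(PKGUTIL_OUT, SPCTL_OUT, datetime.now(timezone.utc)) or "static checks pass")
```

In a build pipeline the two strings would come from running the tools on the built `.app`; an actual launch test is still needed to catch the runtime rejection described in this issue.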