apple-platform-rs

Add `Library/QuickLook` to the list of code resource bundles

Open dimula73 opened this issue 1 year ago • 3 comments

If an application has a QuickLook plugin in the Library/QuickLook location, then rcodesign signs the plugin twice: first as a bundle, and then again as a standalone binary. It makes the signature invalid (missing resources) and fails the following notarization process.

I used the example of Library/Spotlight plugin to make an exception for QuickLook.

dimula73, Oct 08 '24 19:10

I'm not really sure that is a correct fix, because this rule is missing from a package signed by normal codesign (from its CodeResources file). But at least it prevents rcodesign signing the package twice.

Here is an example package that fails to be signed by rcodesign because of this issue: https://files.kde.org/krita/.release/5.2.6/unsigned/krita-5.2.6.dmg

dimula73, Oct 08 '24 19:10

Interesting. Thanks for submitting this change.

So you are saying that codesign doesn't include this directory in its rules? If true, then that seemingly points to a bug in our nested bundle handling. We want the XML rules to match codesign exactly.

Nested bundle signing has historically been a bit fragile in this project. See the release notes for various examples and links. I'm willing to bet this is yet another bug around how nested bundles are identified and signed.

I'd like to understand this issue more before acting on this PR.

indygreg, Nov 02 '24 21:11

> So you are saying that codesign doesn't include this directory in its rules?

It is a bit more complicated than it sounds. codesign does not include this directory in the rule, but we don't use nested code signing with codesign. We are currently transitioning from manual non-nested codesign with a script to a CI-based system that uses rcodesign, so we had to switch to nested signing...

> I'm willing to bet this is yet another bug around how nested bundles are identified and signed.

It is possible that codesign has an exception for "Quicklook" to detect it as a bundle, but doesn't write that into XML?

(I'm not experienced in macOS-based development, so I don't fully understand all these issues with nested signing)

dimula73, Nov 04 '24 10:11
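
An added example, not code from this PR or from rcodesign: a Python check of whether a path inside a bundle is governed by a `nested` rule in a `CodeResources` file's `rules2`, which is the comparison the discussion above turns on. The plist, the file names and the patched pattern are constructed, and selecting the matching rule by highest `weight` (default 1) is an assumption of this example.

```python
import plistlib
import re

# Constructed, abbreviated CodeResources sample (not from a real bundle).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rules2</key>
  <dict>
    <key>^.*</key>
    <true/>
    <key>^(Frameworks|PlugIns|Library/(Spotlight))/</key>
    <dict>
      <key>nested</key>
      <true/>
      <key>weight</key>
      <real>10</real>
    </dict>
  </dict>
</dict>
</plist>
"""
# Hypothetical variant with QuickLook added to the nested rule.
PATCHED = SAMPLE.replace(b"(Spotlight)", b"(Spotlight|QuickLook)")


def winning_rule(code_resources: bytes, rel_path: str):
    """Return (pattern, nested) for the heaviest rules2 entry matching rel_path."""
    rules = plistlib.loads(code_resources).get("rules2", {})
    best = None
    for pattern, value in rules.items():
        if not re.search(pattern, rel_path):
            continue
        # A rule value is either a bare boolean or a dict of flags.
        flags = value if isinstance(value, dict) else {}
        weight = float(flags.get("weight", 1))  # assumed default weight
        if best is None or weight > best[0]:
            best = (weight, pattern, bool(flags.get("nested", False)))
    return (best[1], best[2]) if best else (None, False)


if __name__ == "__main__":
    # Constructed paths, relative to the app's Contents/ directory.
    for path in ("Library/Spotlight/Example.mdimporter/Contents/MacOS/Example",
                 "Library/QuickLook/Example.qlgenerator/Contents/MacOS/Example"):
        for label, data in (("sample", SAMPLE), ("patched", PATCHED)):
            print(label, path, winning_rule(data, path))
```

Pointing `winning_rule` at the `Contents/_CodeSignature/CodeResources` bytes of a bundle signed by each tool shows whether their rules treat the plugin path the same way.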