
Instructions for producing a signed app

Open isoboroff opened this issue 2 years ago • 6 comments

The README says that code sign instructions are coming soon. Even a pointer to what you have to set up and pass to the go run ./cmd/emacs-builder package would be great!

I'm building on an M1 machine, otherwise I would slack off and use the Homebrew cask.

isoboroff avatar Jan 13 '22 13:01 isoboroff

Apologies, I haven't gotten around to properly documenting it. It's a bit involved, but below are some very brief instructions that hopefully will help.

First, you'll need a paid-for Apple Developer account, with an application signing key available on your machine, and then set a few environment variables to relevant values, and run the emacsbuilder package command with the --sign flag.

You can view the help info for the package command by running go run ./cmd/emacs-builder package --help. The environment variables needed are AC_USERNAME, AC_PASSWORD, AC_PROVIDER, and AC_SIGN_IDENTITY. The help output has a brief description of each.

Then you should be able to sign, package and notarize a folder containing an Emacs.app bundle to a *.dmg by running:

go run ./cmd/emacs-builder package --sign /path/to/folder

If it helps, the relevant part in my GitHub Actions setup for nightly builds is here. The only thing the package command pulls out of the passed-in build-plan.yml file is the source directory to package.

jimeh avatar Jan 13 '22 13:01 jimeh

Thanks. The symptom is that the app won't launch, and I get a crash report SIGKILL (Code Signature Invalid), so I can't even allow the app in the security and privacy settings.

isoboroff avatar Jan 13 '22 14:01 isoboroff

Right, yeah. It seems M1 machines refuse to run unsigned code altogether. On Intel-based Macs it seems to be aware of what binaries were built locally, so they're automatically trusted.

I don't have an M1 machine myself yet though, so my knowledge is mostly second hand right now.

jimeh avatar Jan 13 '22 17:01 jimeh

Indeed running Contents/MacOS/bin/emacs from the command line also gets killed. However, a hand-coded hello-world.c compiled with /usr/bin/gcc works ok.

This article has a nice explanation: https://eclecticlight.co/2021/01/26/when-you-dont-have-permission-to-run-an-app-on-an-m1-mac/, and links to another of the author's articles with a solution, https://eclecticlight.co/2019/01/17/code-signing-for-the-concerned-3-signing-an-app/. If you do this:

    codesign --force --deep -s - Emacs.app

it will launch.

isoboroff avatar Jan 13 '22 18:01 isoboroff
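The one-liner above works, but it unconditionally re-signs whatever it is pointed at. The script below is an added example, not code from this thread or from the build-emacs-for-macos project: it first checks whether the bundle already carries a valid signature (so a real Developer ID signature is never overwritten with an ad-hoc one), only then applies the ad-hoc signature, and finishes by verifying the result and printing the signing identity. It assumes macOS with the Xcode command-line tools (codesign) installed; the path Emacs.app and the function names are constructed for this example.

```sh
#!/bin/sh
# Ad-hoc signing helper for a locally built Emacs.app (added example, not part
# of build-emacs-for-macos). Assumes macOS with codesign available; on other
# systems the functions that need codesign return 2 instead of running it.

# Print the exact ad-hoc signing command for a bundle. "-s -" selects the
# ad-hoc identity: no certificate is involved, codesign just writes a hash
# seal that satisfies the Apple Silicon kernel's "all code must be signed"
# rule. "Emacs.app" in the tests is a constructed sample path.
adhoc_sign_cmd() {
  printf 'codesign --force --deep -s - %s\n' "$1"
}

# Return 0 if the bundle already carries a valid signature (ad-hoc or
# certificate-based), 1 if it does not, 2 if codesign is unavailable.
is_validly_signed() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

# Sign ad-hoc only when needed, then re-verify. A bundle that already
# verifies (for example one signed with a Developer ID via the --sign flow)
# is left untouched.
ensure_signed() {
  app=$1
  [ -d "$app" ] || { echo "not a bundle directory: $app" >&2; return 1; }
  command -v codesign >/dev/null 2>&1 || {
    echo "codesign not found (this step only runs on macOS)" >&2
    return 2
  }
  if is_validly_signed "$app"; then
    echo "already validly signed, leaving as is: $app"
  else
    echo "ad-hoc signing: $app"
    codesign --force --deep -s - "$app" || return 1
  fi
  # Strict verification: fails if any nested binary or resource is unsealed.
  codesign --verify --deep --strict "$app" || return 1
  # Show who signed it; an ad-hoc seal reports "Signature=adhoc" and
  # "TeamIdentifier=not set".
  codesign -dv "$app" 2>&1 | grep -E 'Identifier|Signature|TeamIdentifier'
}

# Usage: sh adhoc-sign.sh /path/to/Emacs.app
if [ -n "${1:-}" ]; then
  ensure_signed "$1"
fi
```

Two caveats for anyone relying on this: an ad-hoc signature only satisfies the local kernel check, so Gatekeeper will still refuse the bundle if it is copied to another Mac with the quarantine attribute set (spctl --assess reports no usable signature); and codesign --verify says nothing about notarization, which only the paid --sign flow described earlier in the thread provides.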

@isoboroff @jimeh I just met the same issue yesterday, and I used the same command to fix the issue. Instead of manually codesigning the .app, is it possible that the script signs it for us?

ccqpein avatar Jan 28 '23 00:01 ccqpein

I had not realized ad-hoc signing without any paid developer certificates was possible. I'll have a look at automatically doing that on non-Intel Macs when I finally get an Apple Silicon machine later this month.

jimeh avatar Nov 05 '23 09:11 jimeh