App requires GateKeeper to be set to allow unauthorized apps on OS X

Open machawk1 opened this issue 12 years ago • 6 comments

This is due to the app not originating from the MacOS X app store. Doing so might not be possible, as the Apple TOS prohibits apps within apps in the store. Wayback, Heritrix et al are exactly this.

machawk1 Jul 29 '13 13:07

👋 Hello from a decade later, where I have finally opted to procure an Apple ID to get the app signed.

#595 has some instructions to get things up and running. See the issue-48 branch for the base fix. However, one issue is that MAKEFILE copies a few directories (e.g., bundledApps) after PyInstaller builds the app with entitlements, which invalidates the codesigning.

The PyInstaller option to add data flattens all data, so is not a good option to mitigate this. The issue remains until I can find a way to include all of the files manually copied over (per the MAKEFILE) after the build into the generated .app.

machawk1 Mar 10 '25 20:03

Run security find-identity -p basic -v to get the signing string then:

codesign --force --deep --sign "thestringhere" /Applications/WAIL.app

With the copy commands in-place, this reports:

/Applications/WAIL.app: replacing existing signature
/Applications/WAIL.app: unsealed contents present in the bundle root

...with the latter probably indicative of a mismatch between the indexing that occurs during codesigning (assumably) and the contents that are added after the original signing occurred. This comes down to a need to reorganize the contents of the .App.

machawk1 Mar 10 '25 20:03

cd /Applications/WAIL.app
mv archives bundledApps support archiveIndexes build config ./Contents/
codesign --force --deep --sign "thestringhere" /Applications/WAIL.app

...results in messages not including the one referring to the unsealed contents.

The follow-on:

codesign -vv --strict /Applications/WAIL.app
/Applications/WAIL.app: valid on disk
/Applications/WAIL.app: satisfies its Designated Requirement

...indicates that this might be a valid solution but will require updating the locations in the Py code itself and might be an impetus to get the generated data out of the "binary" directory. (#332)

machawk1 Mar 10 '25 20:03
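
An added example, not part of the thread or the WAIL build script: a pre-signing check that lists anything sitting beside Contents in the bundle root, the layout that produced the "unsealed contents present in the bundle root" message above. The function names and the constructed sample bundle are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-signing layout check for a macOS .app bundle.
# In the thread, directories copied into the bundle root triggered codesign's
# "unsealed contents present in the bundle root"; moving them under Contents
# cleared it. This check catches that layout before codesign is invoked.

# Print each entry in the bundle root other than "Contents", one per line.
unsealed_root_items() {
    bundle=$1
    [ -d "$bundle/Contents" ] || { echo "not a bundle: $bundle" >&2; return 2; }
    # -mindepth/-maxdepth 1: only direct children of the bundle root.
    find "$bundle" -mindepth 1 -maxdepth 1 ! -name Contents \
        -exec basename {} \; | sort
}

# Return 0 if the root is clean, 1 if stray items exist (listed on stderr),
# 2 if the path is not a bundle.
check_bundle_root() {
    items=$(unsealed_root_items "$1") || return 2
    if [ -n "$items" ]; then
        echo "stray items in bundle root of $1:" >&2
        echo "$items" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample (hypothetical helper) mirroring the thread's layout:
# directories copied into the bundle root after the build.
make_sample_bundle() {
    root=$(mktemp -d)
    mkdir -p "$root/WAIL.app/Contents/MacOS" \
             "$root/WAIL.app/bundledApps" \
             "$root/WAIL.app/archives"
    echo "$root/WAIL.app"
}

# Usage in a build script, before the codesign step:
#   check_bundle_root /Applications/WAIL.app || exit 1
```

Run before signing, this fails the build when the post-build copy step has placed directories outside Contents, rather than leaving the problem to surface as a codesign message.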

Lots of resolutions in 6be05d2. Captures from the local Heritrix now show in the calendar view in Wayback but do not appear accessible. This ticket is not about that but GateKeeper checks. Setting this issue as PENDING to test on a non-dev machine with a tagged version.

machawk1 Mar 12 '25 21:03

One problem: GitHub Actions won't have the creds to sign the app. It also needs to be "stapled", "notarized", etc. before the next release for a GitHub and homebrew-based distribution. Expect the artifact generation action to fail unless a flag to disable the codesigning is added.

  • [ ] Add a flag to the build script to disable the codesigning for GitHub Actions' builds.

machawk1 Mar 12 '25 21:03

Take a look again at the build script copying the Info.plist and things in bundledApps. I am wondering if this is corrupting the build, though the re-signing should mitigate this and allow it to run.

machawk1 Mar 13 '25 15:03