fsevents.node is not signed #1403

Closed
jonahgraham opened this issue Nov 16, 2023 · 18 comments · Fixed by #1404 or #1410
Comments

@jonahgraham
Contributor

Wild Web Developer contains some unsigned code which prevents products from being notarized. This file is not signed: org.eclipse.wildwebdeveloper_1.1.2.202311151451/node_modules/fsevents/fsevents.node

The full error I see is as follows, with similar errors for other EPPs.

{
  "logFormatVersion": 1,
  "jobId": "8d36c15c-b650-4242-b817-3bb211054150",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "eclipse-php-2023-12-M3-macosx-cocoa-x86_64-11621221555228008492.dmg",
  "uploadDate": "2023-11-16T18:28:47.503Z",
  "sha256": "13d8a69e550050f48a92a8537e986c996218c5066519d6f7485cfd77bf29c34e",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-x86_64-11621221555228008492.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.2.202311151451/node_modules/fsevents/fsevents.node",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-x86_64-11621221555228008492.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.2.202311151451/node_modules/fsevents/fsevents.node",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-x86_64-11621221555228008492.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.2.202311151451/node_modules/fsevents/fsevents.node",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-x86_64-11621221555228008492.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.2.202311151451/node_modules/fsevents/fsevents.node",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    }
  ]
}
@jonahgraham
Contributor Author

I don't know if this is a regression of what wwd builds, or macOS's notarization constantly moving targets to get a fully notarized build.

@jonahgraham
Contributor Author

The full list of affected EPPs is: JEE, PHP, Committers on both aarch64 and x86_64 platforms.

xref: eclipse-packaging/packages#79

@vrubezhny
Contributor

@jonahgraham Honestly, I don't know how I can help with this issue...

The whole jars are signed when the release is published, not the individual modules. The content of org.eclipse.wildwebdeveloper_1.1.2.202311151451.jar is extracted when this gets installed into an RCP app - so it should be the same (if the jar extractor app doesn't fail).

If on MacOS some "notarization" process takes place after the installation... I don't understand how I could help here?

@jonahgraham
Contributor Author

The issue is the native code library. M2e had a similar issue a while ago and solved it like this: eclipse-m2e/m2e-core#593

@akurtakov
Contributor

akurtakov commented Nov 17, 2023

@jonahgraham It is unclear to me - is this issue with MacOS only? The m2e fix is jnilib signing only, so it looks like MacOS only. This is an extremely fragile way to achieve things and IMHO the signing plugin should be fixed properly.

@akurtakov
Contributor

IMHO https://github.com/eclipse-cbi/org.eclipse.cbi/tree/main/maven-plugins/eclipse-jarsigner-plugin (and friends) should be fixed and then WWD gets autofixed by rebuilding.

@jonahgraham
Contributor Author

This is macOS only (sort of).

It's not the jar that isn't signed, but files inside the jar that aren't signed using the proprietary OS signing method. This is equivalent to how SWT signs the DLLs and jnilibs too before they end up in the jar.

The reason I said sort of is because Windows doesn't (yet) complain if the DLLs aren't signed. So the Windows signing should be done at some point. The reason macOS is a blocker is the notarization process, which Windows has no equivalent of.
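The check a packager could run on a plugin jar before submitting for notarization: walk the zip, pick out the members that are Mach-O images (thin or fat/universal, as fsevents.node ships both x86_64 and arm64 slices) and report the slices that carry no LC_CODE_SIGNATURE load command. This is an added example, not code from the WWD project or the CBI signing plugins; the function names and the "nfat_arch > 16 means Java class file" heuristic are my own assumptions.

```python
import struct
import zipfile
# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE        # big-endian; the same four bytes also open every Java .class file
LC_CODE_SIGNATURE = 0x1D      # load command that points at the code directory codesign writes
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def parse_thin(buf):
    """Return (arch, signed) for one thin Mach-O image; signed == an LC_CODE_SIGNATURE command exists."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    endian = "<" if magic in (MH_MAGIC_64, MH_MAGIC) else ">"
    hdr_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28   # 64-bit header has a reserved word
    cputype, = struct.unpack_from(endian + "I", buf, 4)
    ncmds, = struct.unpack_from(endian + "I", buf, 16)
    off, signed = hdr_size, False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", buf, off)
        signed = signed or cmd == LC_CODE_SIGNATURE
        off += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed

def signature_status(blob):
    """Map arch -> signed for a thin or fat (universal) Mach-O blob; None if the blob is not Mach-O."""
    if len(blob) < 32:
        return None
    if struct.unpack_from("<I", blob, 0)[0] in (MH_MAGIC_64, MH_CIGAM_64, MH_MAGIC, MH_CIGAM):
        arch, signed = parse_thin(blob)
        return {arch: signed}
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        if nfat > 16:   # heuristic (my assumption): a .class file keeps minor/major version here, i.e. >= 45
            return None
        status = {}
        for i in range(nfat):               # fat_arch entries: cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            arch, signed = parse_thin(blob[off:off + size])
            status[arch] = signed
        return status
    return None

def unsigned_natives(jar):
    """List (member, arch) pairs in a jar/zip (path or file object) whose Mach-O image has no code signature."""
    missing = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            status = signature_status(zf.read(name)) or {}
            missing += [(name, arch) for arch, signed in status.items() if not signed]
    return missing
```

Presence of the load command only shows that codesign ran on that slice; whether the Developer ID certificate and the secure timestamp are valid (the other two errors in the notarization log above) still needs `codesign --verify` on a Mac or the notarization log itself.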

vrubezhny added a commit to vrubezhny/wildwebdeveloper that referenced this issue Nov 17, 2023
This PR has the goal to resolve issue eclipse-wildwebdeveloper#1403 by implementing the steps
that are performed in Orbit to sign Mac '*.node' NPM modules for the
WWD build.
@vrubezhny
Contributor

vrubezhny commented Nov 20, 2023

@jonahgraham Can you try building an EPP using the following PR's updated site: https://ci.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/job/PR-1404/6/artifact/repository/target/repository/ (or any later one if exists by the time)?

When installing from this update site, o.e.wwd plugin's jar appears to be correctly signed. There is still some unsigned contents, but this is supposed to be signed by PGP, after the "assemble-repository" step:
[screenshot]

vrubezhny added a commit to vrubezhny/wildwebdeveloper that referenced this issue Nov 20, 2023
This PR has the goal to resolve issue eclipse-wildwebdeveloper#1403 by implementing the steps
that are performed in Orbit to sign Mac '*.node' NPM modules for the
WWD build.

Fixes: eclipse-wildwebdeveloper#1403
@jonahgraham
Contributor Author

Can you try building an EPP using the following PR's updated site:

Sure - I am looking at that now and will report back.

jonahgraham added a commit to jonahgraham/packages that referenced this issue Nov 20, 2023
@vrubezhny vrubezhny linked a pull request Nov 20, 2023 that will close this issue
@jonahgraham
Contributor Author

I made a special build of EPP for just the php package: https://ci.eclipse.org/packaging/job/epp-jonahgraham-fork/job/wildwebdeveloper-1403/ and it built successfully to https://download.eclipse.org/technology/epp/staging-wildwebdeveloper-1403/ and that repo notarized successfully: https://ci.eclipse.org/packaging/job/notarize-downloads/176/

The fsevents.node appears in the notarization output:

{
    {
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-aarch64-6698754642466113339.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.3.202311201349/node_modules/fsevents/fsevents.node",
      "digestAlgorithm": "SHA-256",
      "cdhash": "f55ae280562153dedac36b4359e92270f42314b7",
      "arch": "x86_64"
    },
    {
      "path": "eclipse-php-2023-12-M3-macosx-cocoa-aarch64-6698754642466113339.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.wildwebdeveloper_1.1.3.202311201349/node_modules/fsevents/fsevents.node",
      "digestAlgorithm": "SHA-256",
      "cdhash": "68ac397d12b287ea7e8e2499b08c6e34cfa8ff58",
      "arch": "arm64"
    },
}

Therefore @vrubezhny this looks good to go. Once it is merged and contributed to SimRel I will run a new notarization to make sure we haven't missed anything.

@vrubezhny
Contributor

@jonahgraham thanks!

Then I'm going to proceed with releasing it.

vrubezhny added a commit that referenced this issue Nov 20, 2023
This PR has the goal to resolve issue #1403 by implementing the steps
that are performed in Orbit to sign Mac '*.node' NPM modules for the
WWD build.

Fixes: #1403
@vrubezhny
Contributor

Once it is merged and contributed to SimRel I will run a new notarization to make sure we haven't missed anything.

@jonahgraham The WWD 1.3.2 containing the PR #1404 is released and contributed to SimRel.

@jonahgraham
Contributor Author

@vrubezhny It seems something has gone wrong in the release process - the 1.3.2 version of WWD doesn't have this fix - the date stamp of the version is from before this change: https://download.eclipse.org/wildwebdeveloper/releases/1.3.2/plugins/: org.eclipse.wildwebdeveloper_1.1.3.202311162216.jar

It looks like something in the build that should be an error is only a warning, so compare-and-replace ignored the change (from the log):

[INFO] --- tycho-p2:4.0.0:p2-metadata (p2-metadata) @ org.eclipse.wildwebdeveloper ---
[WARNING] MavenProject: org.eclipse.wildwebdeveloper:org.eclipse.wildwebdeveloper:1.1.3-SNAPSHOT @ /home/jenkins/agent/workspace/Wildwebdeveloper_master/org.eclipse.wildwebdeveloper/.tycho-consumer-pom.xml: baseline and build artifacts have same version but different contents
   no-classifier: different
      node_modules/.package-lock.json: different
      node_modules/@babel/parser/lib/index.js.map: different
      node_modules/@babel/parser/package.json: different
      node_modules/fsevents/fsevents.node: different
      package-lock.json: different

[INFO] MavenProject: org.eclipse.wildwebdeveloper:org.eclipse.wildwebdeveloper:1.1.3-SNAPSHOT @ /home/jenkins/agent/workspace/Wildwebdeveloper_master/org.eclipse.wildwebdeveloper/.tycho-consumer-pom.xml
    The main artifact has been replaced with the baseline version.
    The following attached artifacts have been replaced with the baseline version: [sources]

FWIW that is not the only bundle to have such an issue:

[INFO] --- tycho-p2:4.0.0:p2-metadata (p2-metadata) @ org.eclipse.wildwebdeveloper.xml ---
[WARNING] MavenProject: org.eclipse.wildwebdeveloper:org.eclipse.wildwebdeveloper.xml:1.3.1-SNAPSHOT @ /home/jenkins/agent/workspace/Wildwebdeveloper_master/org.eclipse.wildwebdeveloper.xml/.tycho-consumer-pom.xml: baseline and build artifacts have same version but different contents
   no-classifier: different
      language-servers/server/org.eclipse.lemminx-uber.jar: different

[INFO] MavenProject: org.eclipse.wildwebdeveloper:org.eclipse.wildwebdeveloper.xml:1.3.1-SNAPSHOT @ /home/jenkins/agent/workspace/Wildwebdeveloper_master/org.eclipse.wildwebdeveloper.xml/.tycho-consumer-pom.xml
    The main artifact has been replaced with the baseline version.
    The following attached artifacts have been replaced with the baseline version: [sources]

I think the fix is to bump versions, but to prevent this from happening in the future consider changing baselineMode in tycho-p2-plugin to fail. I assume in

<configuration>

Of course there could be reasons to only warn and not fail the build, I am not familiar with WWD dev enough to really know.

@vrubezhny
Contributor

@jonahgraham I see. The fix doesn't apply any changes to o.e.wildwebdeveloper plugin, so it wasn't actually rebuilt. Sorry, my bad.

@vrubezhny vrubezhny reopened this Nov 21, 2023
@vrubezhny vrubezhny linked a pull request Nov 21, 2023 that will close this issue
@vrubezhny
Contributor

@jonahgraham The WWD 1.3.3 is released and added to SimRel eclipse-simrel/simrel.build#100.

org.eclipse.wildwebdeveloper plugin version is bumped to 1.1.4.202311211923

@jonahgraham
Contributor Author

Thanks @vrubezhny for the quick turnaround! I will try notarizing the next EPP build that completes to confirm. The EPP build won't complete until the SimRel build is quiet for a few hours.

PS In case you are wondering... I have to manually run the notarization builds because Apple rate limits us, so I can't notarize every single build as too many would fail.

@jonahgraham
Contributor Author

All the EPP packages notarized fine. Thanks again for the effort!

@mickaelistria
Contributor

This most likely causes #1505
