-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Codesign node binary for macOS #11936
Comments
I assume this would be something we could do for at least windows as well? |
@gibfahn I thought Windows binaries already were being signed, hence the 'nosign' command-line option for vcbuild? |
Yeah okay, we are signing both the |
@gibfahn That's cool. I just saw this here in the Makefile – |
If I can do anything to push this forward please let me know. |
It looks like the package signing on macOS is done by the two scripts linked to from the Makefile as you pointed out. osx-codesign.sh signs the binary, and osx-productsign.sh signs the pkg file. Are you sure the binaries aren't signed? I ran ➜ codesign -dvvv ./node
./node: code object is not signed at all If I run the same thing on a node binary from the pkg or the tar.gz, I get: ➜ codesign -dvvv `which node`
Executable=/Users/gib/.nvm/versions/node/v6.10.0/bin/node
Identifier=node-55554944ea42999f6a9f32508a5ebb5ac25b716a
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=240350 flags=0x2(adhoc) hashes=7506+2 location=system
Hash type=sha256 size=32
CandidateCDHash sha1=9834f282795fc5294e7cdadf1481e85765a1a0fd
CandidateCDHash sha256=529de940acb145410eb799453cf00243f79b1f49
Hash choices=sha1,sha256
CDHash=529de940acb145410eb799453cf00243f79b1f49
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12 I guess cc/ @rvagg as he seems to be the only person to have ever touched those files. |
Also cc/ @nodejs/platform-macos |
I didn't actually install the pkg (don't want to mess with the multiple versions of node I have installed already), I just did: curl -O https://nodejs.org/dist/v6.10.1/node-v6.10.1.pkg
pkgutil --expand node-v6.10.1.pkg nodepkg
cd nodepkg/local.pkg
tar -xf Payload
codesign -vvvv bin/node Output: ➜ bin codesign -vvvv ./node ~/nodepkg/local.pkg/bin
./node: valid on disk
./node: satisfies its Designated Requirement |
@gibfahn Thanks for the detailed response. Yeah, running |
According to the Code Signing Guide this test mimics what macOS Gatekeeper does → codesign --verify --deep --strict --verbose=2 `which node` Expected and actual result: ./node: valid on disk
./node: satisfies its Designated Requirement So maybe this is just a local issue with Little Flocker. |
I am reopening this issues because I have done some more tests and been monitoring this. I downloaded the
When downloading the
There seems to be a regression here or the Any clues? Can you test it this way as well @gibfahn? |
@raphaelokon it seems you're right, only some of the binaries are being signed. Using the highly unscientific method of just looking at whatever's in my Test script:cd ~/.nvm/versions/node
for i in *; do echo ">>> $i"; codesign -d $i/bin/node; done Output:
Detailed output:If you use
|
@nodejs/release , any ideas why this might happen? |
Great test @gibfahn – I also noticed that the binary from the |
Any news on this one? |
@nodejs/release it looks like releases aren't being signed properly, the pkg is signed but the tarball isn't. Pkg:curl -O https://nodejs.org/dist/v7.10.0/node-v7.10.0.pkg
pkgutil --expand node-v7.10.0.pkg nodepkg
cd nodepkg/local.pkg
tar -xf Payload
codesign -d bin/node Output:
Tarball:
Output:
|
@evanlucas I think you did Any ideas about why this would be happening? |
That is strange, codesigning is part of the build step in the Makefile, so it isn't something I'm manually doing. It is done by the release machines. |
So is there a regression in terms of a release machine sometimes signing and sometimes not signing the bin at all? |
Yeah, it seems like it. Unfortunately I don't think anyone has dug into this. Maybe cc/ @nodejs/build |
Same problem still occurs for v8.0.0 …
|
Same for v8.1.0 as well :( |
And again for v8.1.2 the same as above |
We are looking into setting up additional macos hosts; with that also "ansible:fying" the process. Hopefully that can make the setup part more transparent (and pull requestable). |
Issue still present in |
Thanks for continuing to let us know @raphaelokon. I finally got around to looking into this. This should be fixed by #14179. :] |
Cheers @evanlucas – and sorry for keeping bugging you guys :D |
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: nodejs#14179 Fixes: nodejs#11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: nodejs/node#14179 Fixes: nodejs/node#11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: nodejs/node#14179 Fixes: nodejs/node#11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: nodejs/node#14179 Fixes: nodejs/node#11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Hi there.
I recently had a quick chat with @MylesBorins via 🐦 who encouraged me to post the issue here.
Tools like Little Flocker reports
node
with an invalid Developer ID whenever I run it on my machine. So I checked the node binary withcodesign -vvvv $node_bin
to see if it is code signed – which returnscode object is not signed at all
.Is it possible to have the macOS Binaries signed by a Developer ID? I know that the
.pkg/.tar.gz
are signed, but would be great to have another layer of confidence.I found this two issues in relation: https://github.com/nodejs/node/issues?q=codesign
The text was updated successfully, but these errors were encountered: