This repository has been archived by the owner on Jan 13, 2024. It is now read-only.

main executable failed strict validation when signing binary on macOS #128

Closed
jviotti opened this issue Jun 7, 2017 · 63 comments

Comments


jviotti commented Jun 7, 2017

I'm getting an error when code-signing a binary produced by pkg on macOS:

main executable failed strict validation

I couldn't find much information about this on the web, but some possible causes are (from https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG309):

  • Your Mach-O executable does not conform to modern Mach-O layout rules
  • You may be using a third party development product that hasn't been brought up to date, or post-processed your file in unsupported ways

Do you know what may be causing this? codesign succeeds with other binaries.

Steps to reproduce:

git clone https://github.com/resin-io/etcher
cd etcher
make cli-develop
pkg --output etcher -t node6-macos-x64 lib/cli/etcher.js
codesign --sign "<identity>" -fv etcher
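An added diagnostic, not code from this issue or from pkg: the linked technote lists "post-processed your file in unsupported ways" as a cause, and the assumption here is that the offending post-processing is data appended after the file range of the last segment (the shape of an appended packer payload; an assumption, not confirmed on this page). The script walks a thin 64-bit Mach-O's LC_SEGMENT_64 load commands and reports bytes no segment owns, using a constructed sample image when no path is given.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # thin, little-endian, 64-bit Mach-O
LC_SEGMENT_64 = 0x19
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_64_FMT = "<IiiIIIII"
# segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize,
#                     maxprot, initprot, nsects, flags
SEGMENT_64_FMT = "<II16sQQQQiiII"


def macho_layout_report(data: bytes) -> dict:
    """Walk the LC_SEGMENT_64 load commands and report how many bytes at the end
    of the image are not covered by any segment's file range."""
    hdr_len = struct.calcsize(HEADER_64_FMT)
    if len(data) < hdr_len:
        raise ValueError("too small to be a Mach-O image")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_64_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic 0x{magic:08x}; fat and 32-bit images not handled")
    segments = []
    offset, end_of_cmds = hdr_len, hdr_len + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > end_of_cmds:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end_of_cmds:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {offset}")
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from(SEGMENT_64_FMT, data, offset)
            name = f[2].rstrip(b"\0").decode("ascii", "replace")
            segments.append((name, f[5], f[6]))       # (segname, fileoff, filesize)
        offset += cmdsize
    covered_end = max((fo + fs for _, fo, fs in segments), default=end_of_cmds)
    return {
        "segments": segments,
        "covered_end": covered_end,
        "file_size": len(data),
        "trailing_bytes": max(0, len(data) - covered_end),
    }


def build_synthetic_image(payload: bytes = b"") -> bytes:
    """Constructed sample, not a runnable executable: a header, one __TEXT segment
    covering header + load command + 64 bytes of NOPs, and an optional appended
    blob that no segment accounts for (the shape of an appended packer payload)."""
    hdr_len, seg_len = struct.calcsize(HEADER_64_FMT), struct.calcsize(SEGMENT_64_FMT)
    code = b"\x90" * 64
    text_size = hdr_len + seg_len + len(code)
    # cputype 0x01000007 = x86_64, cpusubtype 3 = ALL, filetype 2 = MH_EXECUTE
    header = struct.pack(HEADER_64_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 1, seg_len, 0, 0)
    seg = struct.pack(SEGMENT_64_FMT, LC_SEGMENT_64, seg_len, b"__TEXT",
                      0x100000000, text_size, 0, text_size, 5, 5, 0, 0)
    return header + seg + code + payload


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_synthetic_image(b"X" * 100)
    report = macho_layout_report(image)
    for name, fileoff, filesize in report["segments"]:
        print(f"{name:<16} fileoff={fileoff:<10} end={fileoff + filesize}")
    print(f"file size {report['file_size']}, covered to {report['covered_end']}, "
          f"trailing bytes not owned by any segment: {report['trailing_bytes']}")
```

On a real binary, __LINKEDIT is normally the last segment, so a non-zero trailing count means the file was extended after linking; a fat (universal) binary must be split with lipo before running this.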
@igorklopov (Contributor)

Same as #66
@leanderlee pointed right about similarity to PyInstaller.
I confirm the bug. It will be solved soon.


DxCx commented Jun 20, 2017

Hey @igorklopov, any news on this one? I'm having the same issue.

@igorklopov (Contributor)

No timeline on this issue yet. Much to do in C++ land. Keep a finger on the pulse of pkg-fetch.


DxCx commented Jun 20, 2017

@igorklopov I might be able to help here; want to elaborate more on what has to be done?

jviotti added a commit to balena-io/etcher that referenced this issue Jun 26, 2017
This commit replaces our home-grown CLI packaging mechanism based on
browserify + node-static-entry-point with pkg, an open source tool to
package Node.js applications for distribution.

Some highlights:

- Removing browserify got rid of a lot of dependencies from
  npm-shrinkwrap.json

- pkg currently has an issue where macOS binaries can't be code-signed
  (vercel/pkg#128), therefore this commit
  comments-out the binary signing section for that operating system

See: https://github.com/zeit/pkg
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
jviotti added a commit to balena-io/etcher that referenced this issue Jun 30, 2017
This commit replaces our home-grown CLI packaging mechanism based on
browserify + node-static-entry-point with pkg, an open source tool to
package Node.js applications for distribution.

Some highlights:

- Removing browserify got rid of a lot of dependencies from
  npm-shrinkwrap.json

- pkg currently has an issue where macOS binaries can't be code-signed
  (vercel/pkg#128), therefore this commit
  comments-out the binary signing section for that operating system

- pkg currently has an issue where Windows binaries can't be branded
  (vercel/pkg#149), therefore this commit
  comments-out the branding section for that operating system

See: https://github.com/zeit/pkg
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
jviotti added a commit to balena-io/etcher that referenced this issue Jul 6, 2017
This commit replaces our home-grown CLI packaging mechanism based on
browserify + node-static-entry-point with pkg, an open source tool to
package Node.js applications for distribution.

Some highlights:

- Removing browserify got rid of a lot of dependencies from
  npm-shrinkwrap.json

- pkg currently has an issue where macOS binaries can't be code-signed
  (vercel/pkg#128), therefore this commit
  comments-out the binary signing section for that operating system

- pkg currently has an issue where Windows binaries can't be branded
  (vercel/pkg#149), therefore this commit
  comments-out the branding section for that operating system

See: https://github.com/zeit/pkg
Fixes: #1531
Fixes: #1450
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
@ryanwalls

@igorklopov any updates?

@franklinwesley

Any news on that?


m00s commented Jan 25, 2018

Any plan to solve this issue? Can I help somehow?
This issue is causing me a lot of problems.


dwasyluk commented Jun 30, 2020

It seems like the previous rename-and-sign solution #128 (comment) no longer works so I'm back looking for new solutions.


bompi88 commented Jun 30, 2020

@dwasyluk I found this. I have not tested it yet, but it looks promising? https://github.com/dgiagio/warp


bompi88 commented Jul 9, 2020

This is also some great reading: denoland/deno#986 (comment)


rmcvey commented Jul 9, 2020

@bompi88 and anyone else that hasn't checked out warp yet, allow me to save you some time. I spent half a day trying to get a warp build signed last week. Long story short, it doesn't work, failing with the same error that pkg and others produce :(

I spent the rest of the day trying to get to the bottom of the issue and my working theory is that dynamically linked libraries in the public Node builds (which AFAICT all tools of this variety download and utilize) prevent the use of the hardened runtime, which ultimately prevents signing and notarization. Would appreciate clarification/verification.


saurabh-deep commented Jul 9, 2020

@rmcvey - node-packer by @pmq20 works fine for us. We have been using it for a while now. It signs the binaries, which are fine even for notarization. So, no issues with the hardened runtime as well. Even the binary size is less than half of what pkg generates.

Only issue is that the project has gone dormant. Latest support there is for Node version 8.x. There was an active fork maintained by @slee047, which has support till Node version 10.x and had some issues with Node 12. Now that fork has also gone dormant as the maintainer has moved on from Node.js to greener pastures.

If only someone (with C/C++ and maybe a bit of Ruby knowledge) could maintain a fork of node-packer!

Here are the links -

Original node-packer => https://github.com/pmq20/node-packer
Most active fork so far => https://github.com/slee047/node-packer

Hope this helps!

cronicc added a commit to HorizenOfficial/staketool that referenced this issue Aug 5, 2020
* Linux, Windows, MacOS, Alpine binaries
* PGP signed archives, sha256sums, codesigned windows binaries
* MacOS codesign support of pkg apps not possible at the moment, see vercel/pkg#128

nor0x commented Jan 11, 2021

Any news on this issue? Has anyone made some progress on correctly signing a binary? I need to sign a binary on macOS and node-packer seems to be abandoned.

@saurabh-deep

@nor0x - We are also in the same boat. Node 10 doesn't work for us anymore, so node-packer is not an option for us anymore. We need to use Node 12 or 14.

We haven't been able to use the pure Node.js option suggested by @rmcvey, or the nexe option suggested by @btsimonh. It would be super awesome if someone (who has been able to get this to work) could share with the community by setting up a project or repo with instructions on how others with less knowledge on the subject (like me) can benefit from their hard work. node-packer, pkg and nexe all did the same by sharing their hard work (creating a single binary) with the wider community. I just wish it could happen!

Don't know if Node.js will ever go the Deno way and provide an out-of-the-box method to do this. They even removed support for _third_party_main.js. 😢


nor0x commented Jan 11, 2021

@saurabh-deep thanks for your reply. Unfortunately I'm no JS expert; I would be happy to help as much as I can, but I guess the initiative should be started by someone with more expertise.


patrickhulce commented Jan 11, 2021

If your only goal here is to create an executable that can be used as a child process by a dmg that will pass Apple's notarization, I came up with a workaround that should work for you but am afraid to share too publicly for fear it will be frowned upon by Apple (it doesn't involve truly hardening the executable generated by pkg, which I've come to understand is impossible given its current approach). If you/your company is stuck in this situation, feel free to DM me for details.

@btsimonh

haha.. yes.. some of my 'solution' would be blocked if Apple knew...

@saurabh-deep

> If your only goal here is to create an executable that can be used as a child process by a dmg that will pass Apple's notarization, I came up with a workaround that should work for you but am afraid to share too publicly for fear it will be frowned upon by Apple (it doesn't involve truly hardening the executable generated by pkg, which I've come to understand is impossible given its current approach). If you/your company is stuck in this situation, feel free to DM me for details.

Hey @patrickhulce! Thank you so much for offering the help. I sent you an email just now, with subject "MacOS binary signing / App notarization". Please respond whenever you get a chance. Much appreciated! ❤️


WestonThayer commented Mar 9, 2021

In case other folks are here looking for a workaround and are just distributing a CLI, all the MacOS Gatekeeper checks are bypassed if you download via curl, which shouldn't be a huge UX issue since, you know, users are downloading a CLI.

curl https://example.com/cli/mac -o ExampleCli
./ExampleCli --version

Edit: you'd have to do chmod +x ./ExampleCli in the above example. An alternative is to download a zip where ExampleCli already has the right file perms:

curl https://example.com/cli/mac.zip -o mac.zip && unzip mac.zip && rm mac.zip
./ExampleCli --version

Or run an install script, where install.sh takes care of all the nitty gritty.

curl https://example.com/cli/mac/install.sh | bash

jesec (Contributor) commented May 21, 2021

This issue has been resolved by 0b55f9a . Please let me know if it is still relevant.
