main executable failed strict validation when signing binary on macOS #128
Comments
Same as #66 |
hey @igorklopov any news on this one? i'm having the same issue |
No timeline on this issue yet. Much to do on C++ land. Keep finger on the pulse of pkg-fetch |
@igorklopov I might be able to help in here, want to elaborate more on what has to be done? |
This commit replaces our home-grown CLI packaging mechanism based on browserify + node-static-entry-point with pkg, an open source tool to package Node.js applications for distribution.
Some highlights:
- Removing browserify got rid of a lot of dependencies from npm-shrinkwrap.json
- pkg currently has an issue where macOS binaries can't be code-signed (vercel/pkg#128), therefore this commit comments-out the binary signing section for that operating system
See: https://github.com/zeit/pkg
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
This commit replaces our home-grown CLI packaging mechanism based on browserify + node-static-entry-point with pkg, an open source tool to package Node.js applications for distribution.
Some highlights:
- Removing browserify got rid of a lot of dependencies from npm-shrinkwrap.json
- pkg currently has an issue where macOS binaries can't be code-signed (vercel/pkg#128), therefore this commit comments-out the binary signing section for that operating system
- pkg currently has an issue where Windows binaries can't be branded (vercel/pkg#149), therefore this commit comments-out the branding section for that operating system
See: https://github.com/zeit/pkg
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
This commit replaces our home-grown CLI packaging mechanism based on browserify + node-static-entry-point with pkg, an open source tool to package Node.js applications for distribution.
Some highlights:
- Removing browserify got rid of a lot of dependencies from npm-shrinkwrap.json
- pkg currently has an issue where macOS binaries can't be code-signed (vercel/pkg#128), therefore this commit comments-out the binary signing section for that operating system
- pkg currently has an issue where Windows binaries can't be branded (vercel/pkg#149), therefore this commit comments-out the branding section for that operating system
See: https://github.com/zeit/pkg
Fixes: #1531
Fixes: #1450
Change-Type: patch
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
@igorklopov any updates? |
Any news on that? |
Any plan to solve this issue? Can I help somehow? |
It seems like the previous rename-and-sign solution #128 (comment) no longer works so I'm back looking for new solutions. |
@dwasyluk I found this. I have not tested it yet, but it looks promising? https://github.com/dgiagio/warp |
This is also some great reading: denoland/deno#986 (comment) |
@bompi88 and anyone else that hasn't checked out warp yet, allow me to save you some time. I spent half a day trying to get a warp build signed last week. Long story short, it doesn't work, failing with the same error that pkg and others produce :( I spent the rest of the day trying to get to the bottom of the issue and my working theory is that dynamically linked libraries in the public Node builds (which AFAICT all tools of this variety download and utilize) prevent the use of the hardened runtime, which ultimately prevents signing and notarization. Would appreciate clarification/verification. |
@rmcvey - node-packer by @pmq20 works fine for us. We have been using it for a while now. It signs the binaries which are fine even for notarization. So, no issues with the hardened runtime as well. Even the binary size is less than half of what pkg generates. Only issue is that the project has gone dormant. Latest support there is for Node version 8.x. There was an active fork maintained by @slee047, which has support till Node version 10.x and had some issues with Node 12. Now that fork has also gone dormant as the maintainer has moved on from Node.js to greener pastures. If only someone (with C/C++ & maybe a bit of Ruby knowledge) could maintain a fork of node-packer! Here are the links - Original node-packer => https://github.com/pmq20/node-packer Hope this helps! |
* Linux, Windows, MacOS, Alpine binaries
* PGP signed archives, sha256sums, codesigned windows binaries
* MacOS codesign support of pkg apps not possible at the moment, see vercel/pkg#128
any news on this issue, has anyone made some progress on correctly signing a binary? I need to sign a binary on macOS and |
@nor0x - We are also in the same boat. Node 10 doesn't work for us anymore, so we haven't been able to use pure Node.js option suggested by @rmcvey, or the Don't know if Node.js will ever go the Deno way and provide an out-of-the-box method to do this. They even removed support for _third_party_main.js. 😢 |
@saurabh-deep thanks for your reply. Unfortunately i'm no js expert, i would be happy to help as much as i can but i guess the initiative should be started by someone with more expertise |
If your only goal here is create an executable that can be used as a child process by a dmg that will pass Apple's notarization, I came up with a workaround that should work for you but am afraid to share too publicly for fear it will be frowned upon by Apple (it doesn't involve truly hardening the executable generated by |
haha.. yes.. some of my 'solution' would be blocked if Apple knew... |
Hey @patrickhulce! Thank you so much for offering the help. I sent you an email just now, with subject "MacOS binary signing / App notarization". Please respond whenever you get a chance. Much appreciated! ❤️ |
In case other folks are here looking for a workaround and are just distributing a CLI, all the MacOS Gatekeeper checks are bypassed if you download via
curl https://example.com/cli/mac -o ExampleCli
./ExampleCli --version
Edit: you'd have to do
curl https://example.com/cli/mac.zip -o mac.zip && unzip mac.zip && rm mac.zip
./ExampleCli --version
Or run an install script, where
curl https://example.com/cli/mac/install.sh | bash |
This issue has been resolved by 0b55f9a . Please let me know if it is still relevant. |
I'm getting an error when code-signing a binary produced by pkg on macOS:
I couldn't find much information about this on the web, but some causes can be (from https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG309):
Do you know what may be causing this? codesign succeeds with other binaries.
Steps to reproduce:
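An added diagnostic for the failure reported above, not code from this thread or from pkg. It assumes the strict-validation error stems from bytes lying beyond the last Mach-O segment (for example a payload appended to a prebuilt binary), which is an assumption and not something the thread states. It handles only thin 64-bit little-endian Mach-O files; `macho_trailing_bytes` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
HEADER_SIZE = 32            # sizeof(struct mach_header_64)


def macho_trailing_bytes(data: bytes) -> int:
    """Return how many bytes of the file lie past the end of the last segment.

    0 means every byte is covered by a segment; a positive value is content
    that no segment (and so no signature page hash) accounts for.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    cmds_end = HEADER_SIZE + sizeofcmds
    if cmds_end > len(data):
        raise ValueError("load commands run past end of file")
    end_of_segments, off = 0, HEADER_SIZE
    for _ in range(ncmds):
        if off + 8 > cmds_end:
            raise ValueError("malformed load command table")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > cmds_end:
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            if cmdsize < 72:
                raise ValueError("truncated segment command")
            # segment_command_64: segname[16], vmaddr, vmsize, fileoff, filesize
            _, _, _, fileoff, filesize = struct.unpack_from("<16s4Q", data, off + 8)
            end_of_segments = max(end_of_segments, fileoff + filesize)
        off += cmdsize
    if end_of_segments > len(data):
        raise ValueError("segment extends past end of file")
    return len(data) - end_of_segments


def _segment(name: bytes, fileoff: int, filesize: int) -> bytes:
    # LC_SEGMENT_64 with zero sections (72 bytes); vmaddr/prot values are dummies.
    return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name,
                       0, filesize, fileoff, filesize, 7, 5, 0, 0)


def build_sample(payload: bytes = b"") -> bytes:
    """Constructed, non-runnable Mach-O image with an optional appended payload."""
    cmds = _segment(b"__TEXT", 0, 256) + _segment(b"__LINKEDIT", 256, 64)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(320, b"\0") + payload


if __name__ == "__main__":
    print("clean image:", macho_trailing_bytes(build_sample()))
    print("with appended payload:", macho_trailing_bytes(build_sample(b"x" * 1000)))
```

A non-zero result on a real binary is a reason to inspect its layout before attempting to sign it; a zero result does not by itself mean `codesign --verify --strict` will pass.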