Mac GateKeeper signing with CEF.framework


Postby litereddonut » Tue Sep 09, 2014 5:42 pm

Apple is moving to Version 2 of their Gatekeeper signing for OS X 10.10 and 10.9.5+.

I'm trying to sign my app with the codesign command line tool. When doing so, the app cannot be opened as Gatekeeper says the app bundle is damaged. Also, using "spctl -a -t exec -vv MyApp.app" I get the output "No such file or directory" even though I can clearly see the app bundle in the directory. The "Chromium Embedded Framework.framework" directory as well as the app bundle has been signed (in fact, running "spctl -a -t exec -vv MyApp.app/Contents/Frameworks/Chromium\ Embedded\ Framework.framework/" yields the correct "accepted" output).

If I remove the "Chromium Embedded Framework.framework" from the app bundle, Gatekeeper accepts the signed app bundle as valid.
The "Chromium Embedded Framework.framework" I am using only has the Resources folder, as I only need some images/locale .lproj directories for my app to run. I did add an Info.plist to the "Chromium Embedded Framework.framework", although I left the "Executable file" in the plist blank, as the framework does not have an executable file.

I am using 1650, and due to other circumstances, cannot upgrade it.

Any help is appreciated.
litereddonut
Techie
 
Posts: 19
Joined: Mon Jun 03, 2013 3:06 pm

Re: Mac GateKeeper signing with CEF.framework

Postby magreenblatt » Wed Sep 10, 2014 10:59 am

You'll likely need to use 1750+ where CEF switched to using a proper unversioned framework structure.
magreenblatt
Site Admin
 
Posts: 12408
Joined: Fri May 29, 2009 6:57 pm

Re: Mac GateKeeper signing with CEF.framework

Postby litereddonut » Wed Sep 10, 2014 3:28 pm

Is there any way to mitigate the problem in the meantime? I'm working on upgrading to 1750, but it's taking a while.
litereddonut

Re: Mac GateKeeper signing with CEF.framework

Postby magreenblatt » Wed Sep 10, 2014 4:43 pm

litereddonut wrote: Is there any way to mitigate the problem in the meantime? I'm working on upgrading to 1750, but it's taking a while.

Not really. It's part of the reason why everyone else switched to 1750 ;).
magreenblatt

Re: Mac GateKeeper signing with CEF.framework

Postby fernandomorgan » Thu Sep 11, 2014 2:45 pm

Actually, both 1916 and 2062 binaries (at least) can't be properly code signed with Xcode 6 or Xcode 6.1, as both of them won't support unversioned frameworks.
I have a radar open with Apple to understand if this is a bug or a feature, but so far I have had no response (and Xcode 6 is in production right now).

When building CEF (I just use the automation script), it does produce, as an intermediate step, a versioned framework, and I was able to use it (with some link hacks for video, etc.) successfully with X6+ code signing.
fernandomorgan
Techie
 
Posts: 28
Joined: Tue Jan 14, 2014 5:51 pm

Re: Mac GateKeeper signing with CEF.framework

Postby magreenblatt » Thu Sep 11, 2014 2:52 pm

fernandomorgan wrote: Actually, both 1916 and 2062 binaries (at least) can't be properly code signed with Xcode 6 or Xcode 6.1, as both of them won't support unversioned frameworks.
I have a radar open with Apple to understand if this is a bug or a feature, but so far I have had no response (and Xcode 6 is in production right now).

When building CEF (I just use the automation script), it does produce, as an intermediate step, a versioned framework, and I was able to use it (with some link hacks for video, etc.) successfully with X6+ code signing.

You mentioned in viewtopic.php?f=12&t=11980 that the code signing works when using command-line tools. Does that include the Xcode 6 command-line tools?
magreenblatt

Re: Mac GateKeeper signing with CEF.framework

Postby fernandomorgan » Thu Sep 11, 2014 5:42 pm

Sorry, I made a mistake before. Right now I have 3 Xcodes installed, and it only works with the command line from Xcode 5.

This is with the Xcode 6 GM codesign:

CodeSign /Users/<removed>/XXX.app/Contents/Frameworks/Chromium\ Embedded\ Framework.framework/Versions/A
cd /Users/pereira/Work/Brewery/src/Shell
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate

Signing Identity: XXXX

/usr/bin/codesign --force --sign 55779D3729B7F66678C96E04ADB6605AF095F688 --preserve-metadata=identifier,entitlements,resource-rules --requirements =designated\ =>\ anchor\ apple\ generic\ \ and\ identifier\ \"$self.identifier\"\ and\ ((cert\ leaf[field.1.2.840.113635.100.6.1.9]\ exists)\ or\ (\ certificate\ 1[field.1.2.840.113635.100.6.2.6]\ exists\ and\ certificate\ leaf[field.1.2.840.113635.100.6.1.13]\ exists\ \ and\ certificate\ leaf[subject.OU]\ =\ \"2ARNJY38FW\"\ )) /Users/p<removed>/XXX.app/Contents/Frameworks/Chromium\ Embedded\ Framework.
/Users/<removed>/XXX.app/Contents/Frameworks/Chromium Embedded Framework.framework/Versions/A: No such file or directory
Command /usr/bin/codesign failed with exit code 1
fernandomorgan

Re: Mac GateKeeper signing with CEF.framework

Postby fernandomorgan » Mon Sep 15, 2014 5:25 pm

If anyone wants to also report this to Apple and increase the relevance, I have an open radar asking Apple if their not supporting non-versioned frameworks is a bug or a feature (Radar# 17814234).
fernandomorgan

Re: Mac GateKeeper signing with CEF.framework

Postby fernandomorgan » Thu Sep 18, 2014 10:21 pm

Also, it seems that binaries (like Libraries/ffmpegsumo.so) won't be able to be in the framework root level.

codesign -vvvv fails with "unsealed contents present in the root directory of an embedded framework" on CEF. They will need to be moved under Framework/Versions/A, for example.
fernandomorgan
Techie
 
Posts: 28
Joined: Tue Jan 14, 2014 5:51 pm
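
The two layout problems reported in this thread (a framework with no Versions directory, and real files such as Libraries/ffmpegsumo.so sitting in the framework root) can be checked before running codesign. The following is an added example, not code from any poster or from CEF; the function names, the rule set and the sample bundles are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: layout lint for an embedded framework before code signing.
# Rule set is an assumption drawn from this thread, not Apple's or CEF's tooling.

# Prints one line per problem; the return status is the number of problems.
check_framework_layout() {
    fw=$1
    problems=0
    if [ ! -d "$fw/Versions" ]; then
        echo "no Versions/ directory (unversioned framework): $fw"
        problems=$((problems + 1))
    elif [ ! -L "$fw/Versions/Current" ]; then
        echo "Versions/Current is not a symlink: $fw"
        problems=$((problems + 1))
    fi
    # Anything at the root other than Versions must be a symlink into it.
    for entry in "$fw"/* "$fw"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        [ "$name" = "Versions" ] && continue
        if [ ! -L "$entry" ]; then
            echo "real file or directory in framework root: $name"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Builds two constructed sample bundles under $1 (no real CEF files involved).
make_samples() {
    root=$1
    flat="$root/flat/Chromium Embedded Framework.framework"
    mkdir -p "$flat/Resources" "$flat/Libraries"
    : > "$flat/Libraries/ffmpegsumo.so"
    ver="$root/versioned/Chromium Embedded Framework.framework"
    mkdir -p "$ver/Versions/A/Resources" "$ver/Versions/A/Libraries"
    : > "$ver/Versions/A/Libraries/ffmpegsumo.so"
    ln -s A "$ver/Versions/Current"
    ln -s Versions/Current/Resources "$ver/Resources"
    ln -s Versions/Current/Libraries "$ver/Libraries"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_framework_layout "$tmp/flat/Chromium Embedded Framework.framework" || echo "flat: $? problem(s)"
check_framework_layout "$tmp/versioned/Chromium Embedded Framework.framework" && echo "versioned: layout ok"
rm -rf "$tmp"
```

A clean result from this check only says the directory layout is versioned; the signature itself still has to be verified with codesign and spctl as in the posts above.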

