Xamarin.Mac Notarization libMonoPosixHelper.dylib Not Signed

AllanChin.6924 (University ✭✭✭)
edited May 22 in Xamarin.Mac

Apparently, Mac apps are required to be notarized by Apple before deployment. Do I need to worry about this? libMonoPosixHelper.dylib is an Apple library.

{
  "severity": "error",
  "code": null,
  "path": "HPSmart-3.9.666.zip/test/HPSmart-3.9.666.pkg/HP_Smart_App.pkg Contents/Payload/HP Smart.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
  "message": "The binary is not signed.",
  "docUrl": null,
  "architecture": "x86_64"
},
{
  "severity": "error",
  "code": null,
  "path": "HPSmart-3.9.666.zip/test/HPSmart-3.9.666.pkg/HP_Smart_App.pkg Contents/Payload/HP Smart.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
  "message": "The signature does not include a secure timestamp.",
  "docUrl": null,
  "architecture": "x86_64"
},

Thanks


Answers

  • ChrisHamons (Forum Administrator, Xamarin Team)

    See https://devblogs.microsoft.com/xamarin/macos-hardened-runtime-notary/ for details

    The "d16-1" listed is in Alpha/Beta currently now, no need to download a specific build.

  • AllanChin.6924 (University ✭✭✭)
    edited May 30

    My Entitlements.plist looks like this.

    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    </dict>
    </plist>
    

    And this is my project's .csproj file.

      <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
        <DebugType>pdbonly</DebugType>
        <Optimize>true</Optimize>
        <OutputPath>bin\Release</OutputPath>
        <DefineConstants>__UNIFIED__;__MAC__;$(USEPRODUCTIONSERVER)</DefineConstants>
        <ErrorReport>prompt</ErrorReport>
        <WarningLevel>4</WarningLevel>
        <EnableCodeSigning>false</EnableCodeSigning>
        <CodeSigningKey>Developer ID Application</CodeSigningKey>
        <UseHardenedRuntime>true</UseHardenedRuntime>
        <CreatePackage>true</CreatePackage>
        <EnablePackageSigning>false</EnablePackageSigning>
        <IncludeMonoRuntime>true</IncludeMonoRuntime>
        <UseSGen>true</UseSGen>
        <UseRefCounting>true</UseRefCounting>
        <LinkMode>None</LinkMode>
        <HttpClientHandler>NSUrlSessionHandler</HttpClientHandler>
        <PackageSigningKey>Developer ID Installer</PackageSigningKey>
        <CodeSignProvision></CodeSignProvision>
        <AOTMode>None</AOTMode>
        <MonoBundlingExtraArgs>--registrar:dynamic</MonoBundlingExtraArgs>
      </PropertyGroup>
    

    But I still get this when I attempt to notarize.

        {
          "severity": "error",
          "code": null,
          "path": "HP_Smart36-3.6.270-HP_Smart.pkg/HP_Smart_App.pkg Contents/Payload/HP Smart.app/Contents/MacOS/HP Smart",
          "message": "The executable does not have the hardened runtime enabled.",
          "docUrl": null,
          "architecture": "x86_64"
        },
    

    Here's my development environment.

    === Visual Studio Community 2019 for Mac ===

    Version 8.0.8 (build 2)
    Installation UUID: 52841cf1-dbf0-469c-a714-a263f1d0573b
    GTK+ 2.24.23 (Raleigh theme)
    Xamarin.Mac 5.6.0.2 (d16-0 / 040682909)

    Package version: 518010003
    

    === Mono Framework MDK ===

    Runtime:
    Mono 5.18.1.3 (2018-08/fdb26b0a445) (64-bit)
    Package version: 518010003

    === NuGet ===

    Version: 4.8.2.5835

    === .NET Core ===

    Runtime: /usr/local/share/dotnet/dotnet
    Runtime Versions:
    2.1.9
    2.0.5
    2.0.0
    SDK: /usr/local/share/dotnet/sdk/2.1.505/Sdks
    SDK Versions:
    2.1.505
    2.1.4
    2.0.0
    MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.18.1/lib/mono/msbuild/15.0/bin/Sdks

    === Xamarin.Profiler ===

    '/Applications/Xamarin Profiler.app' not found

    === Updater ===

    Version: 11

    === Apple Developer Tools ===

    Xcode 10.2.1 (14490.122)
    Build 10E1001

    === Xamarin.Mac ===

    Version: 5.8.0.0 (Visual Studio Community)
    Hash: 0aa84521
    Branch: d16-0
    Build date: 2019-04-02 16:01:19-0400

    === Xamarin.iOS ===

    Version: 12.8.0.2 (Visual Studio Community)
    Hash: f2248ae6
    Branch: d16-0
    Build date: 2019-04-23 11:59:04-0400

    === Xamarin Designer ===

    Version: 4.17.4.418
    Hash: 3d086e814
    Branch: remotes/origin/d16-0
    Build date: 2019-04-01 09:20:10 UTC

    === Xamarin.Android ===

    Version: 9.2.3.0 (Visual Studio Community)
    Android SDK: /Users/allan/Library/Developer/Xamarin/android-sdk-macosx
    Supported Android versions:
    6.0 (API level 23)
    7.1 (API level 25)
    8.1 (API level 27)

    SDK Tools Version: 25.2.5
    SDK Platform Tools Version: 26.0.0
    SDK Build Tools Version: 25.0.3

    Build Information:
    Mono: mono/mono/[email protected]
    Java.Interop: xamarin/java.interop/[email protected]
    LibZipSharp: grendello/LibZipSharp/[email protected]
    LibZip: nih-at/libzip/[email protected]
    MXE: xamarin/mxe/[email protected]
    ProGuard: xamarin/proguard/[email protected]
    SQLite: xamarin/sqlite/[email protected]
    Xamarin.Android Tools: xamarin/xamarin-android-tools/[email protected]

    === Microsoft Mobile OpenJDK ===

    Java SDK: /Users/allan/Library/Developer/Xamarin/jdk/microsoft_dist_openjdk_8.0.25
    1.8.0-25
    Android Designer EPL code available here:
    https://github.com/xamarin/AndroidDesigner.EPL

    === Android Device Manager ===

    Version: 1.2.0.14
    Hash: 86df26f
    Branch: remotes/origin/d16-0
    Build date: 2019-05-16 16:08:28 UTC

    === Xamarin Inspector ===

    Version: 1.4.3
    Hash: db27525
    Branch: 1.4-release
    Build date: Mon, 09 Jul 2018 21:20:18 GMT
    Client compatibility: 1

    === Build Information ===

    Release ID: 800080002
    Git revision: b891fe614b73bbd65c22967fb111cbd830f7fcdd
    Build date: 2019-05-22 19:17:43+00
    Build branch: release-8.0
    Xamarin extensions: 62a26fe08bb2b9b5893bb0f46b1fc93994fd8c58

    === Operating System ===

    Mac OS X 10.14.5
    Darwin 18.6.0 Darwin Kernel Version 18.6.0
    Thu Apr 25 23:16:27 PDT 2019
    root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64

  • ChrisHamons (Forum Administrator, Xamarin Team)

    Please post your full build log; it is impossible to see what signing actually did without it.

  • AllanChin.6924 (University ✭✭✭)

    Here you go Chris. It's pretty big, even after I deleted all the SVN check-out logs.

  • ChrisHamons (Forum Administrator, Xamarin Team)
    edited June 5

    Ok, here's what I've found:

    We are pulling it in via mmp:

    xcrun -sdk macosx lipo '/HUDSON/san-hudson-1/workspace/MacGotham_STAB_Production/Mac/SmartApp/bin/Release/HP Smart.app/Contents/MonoBundle/libMonoPosixHelper.dylib' -thin x86_64 -output '/HUDSON/san-hudson-1/workspace/MacGotham_STAB_Production/Mac/SmartApp/bin/Release/HP Smart.app/Contents/MonoBundle/libMonoPosixHelper.dylib'
    
    

    However we're not codesigning in your build?

    Target "_CodesignAppBundle" skipped, due to false condition; ('$(EnableCodeSigning)') was evaluated as ('false').
    

    which makes sense, I didn't see this before:

    <EnableCodeSigning>false</EnableCodeSigning>
    

    You need to enable codesigning and package signing; notarization requires both to have a chance to pass.

    If enabling those fixes it, we should file an issue, because we can catch that misconfiguration and warn/error.
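The misconfiguration Chris describes can be caught before a notarization attempt. The following is an added example, not code from the thread or from mmp: a pre-flight shell check that reads the Release property group of a .csproj and fails unless EnableCodeSigning, EnablePackageSigning and UseHardenedRuntime are all true and CodeSigningKey names a Developer ID Application identity. The project file it runs against is constructed inline to mirror the settings posted above; csproj_prop and check_notarization_config are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread or from mmp): a pre-flight check that
# flags a project which cannot pass notarization because signing is off.

# Print the value of one MSBuild property from a .csproj (first match only).
# Usage: csproj_prop FILE PROPERTY
csproj_prop() {
    sed -n "s/.*<$2>\(.*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# Return 0 when the project is configured for notarization, 1 otherwise,
# printing one ERROR line per problem found.
check_notarization_config() {
    status=0
    for prop in EnableCodeSigning EnablePackageSigning UseHardenedRuntime; do
        value=$(csproj_prop "$1" "$prop")
        if [ "$value" != "true" ]; then
            echo "ERROR: <$prop> is '${value:-unset}', expected 'true'"
            status=1
        fi
    done
    key=$(csproj_prop "$1" CodeSigningKey)
    case "$key" in
        "Developer ID Application"*) ;;
        *) echo "ERROR: <CodeSigningKey> is '${key:-unset}', expected a 'Developer ID Application' identity"
           status=1 ;;
    esac
    return $status
}

# Constructed sample project file mirroring the settings posted in the thread
# (not a real project file).
SAMPLE_CSPROJ=$(mktemp)
cat > "$SAMPLE_CSPROJ" <<'EOF'
<Project>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <EnableCodeSigning>false</EnableCodeSigning>
    <CodeSigningKey>Developer ID Application</CodeSigningKey>
    <UseHardenedRuntime>true</UseHardenedRuntime>
    <EnablePackageSigning>false</EnablePackageSigning>
    <PackageSigningKey>Developer ID Installer</PackageSigningKey>
  </PropertyGroup>
</Project>
EOF

if check_notarization_config "$SAMPLE_CSPROJ"; then
    echo "project is configured for notarization"
else
    echo "fix the project before submitting it for notarization"
fi
```

Run against the sample above it reports that EnableCodeSigning and EnablePackageSigning are false, which is exactly the state in which mmp skips _CodesignAppBundle and the notary service then rejects every unsigned binary in the bundle.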

  • AllanChin.6924 (University ✭✭✭)

    Ok, I see that flag, but there's this in our build script.

    SignApp=$DO_RELEASE_CONFIG  # Actually, only sign the RELEASE build of App... (you can turn this OFF if you are local and do NOT have the keys on your machine)
    if [[ ( $DO_BUILD -eq 1 ) && ( $BuildError -eq  0 ) ]] ; then
        APP_FILE_NAME="${APP_NAME}.app"
        if [[ ( $SignApp -eq 1 ) ]] ; then
            DIST_APP_WITH_PATH="${TARGET_DIR}/${APP_FILE_NAME}"
            echo "### [${ThisScript}] -- Code-Sign the Application: ${APP_FILE_NAME}"
            codesign --sign "$APP_SIGN_ID" --deep --force --verbose=2 "${DIST_APP_WITH_PATH}"
            # looks like Jenkins machine has multiple app-signing keys, and gets an 'ambiguous' error, so ignore error until we get Jenkins guys to delete older key
            # BuildError=$?
        else
            echo "### [${ThisScript}] -- Application: ${APP_FILE_NAME} is *NOT* Code-signed"
        fi
    fi
    

    And this in the build log.

    Time Elapsed 00:11:51.57
    ### [BuildHPSmartMacApp.sh]    NOTE - build log output file is here: /HUDSON/san-hudson-1/workspace/MacGotham_STAB_Production/Mac/SmartApp/bin/Release/SmartApp_buildlog.txt
    ### [BuildHPSmartMacApp.sh] -- Code-Sign the Application: HP Smart.app
    Developer ID Application: HP Inc. (6HB5Y2QTA3): found in both /Users/cscrbuild/Library/Keychains/login.keychain-db and /Library/Keychains/System.keychain (this is all right)
    Developer ID Application: HP Inc. (6HB5Y2QTA3): found in both /Users/cscrbuild/Library/Keychains/login.keychain-db and /Users/cscrbuild/Library/Keychains/login.keychain-db (this is all right)
    Developer ID Application: HP Inc. (6HB5Y2QTA3): found in both /Users/cscrbuild/Library/Keychains/login.keychain-db and /Library/Keychains/System.keychain (this is all right)
    /HUDSON/san-hudson-1/workspace/MacGotham_STAB_Production/Mac/SmartApp/bin/Release/HP Smart.app: signed app bundle with Mach-O thin (x86_64) [com.hp.SmartMac]
    /HUDSON/san-hudson-1/workspace/MacGotham_STAB_Production/Mac/SmartApp/bin/Release/HP Smart.app: timestamps differ by 1762 seconds - check your system clock
    

    Thanks Allan

  • ChrisHamons (Forum Administrator, Xamarin Team)
    edited June 5

    If you are doing code signing outside of mmp, you'll need to update it to the right thing yourself:

    I suggest watching this video

    https://developer.apple.com/videos/play/wwdc2019/703

    You'll need to do inside-out signing of all binaries, making sure to use a secure timestamp, sign all binaries, and not invalidate signatures.

    Or you could fix your build and let mmp handle it.
