
[bug] MacOS - Codesigning and notarization issue when using ExternalBin #11992

Open
GillesPlatteeuw opened this issue Dec 17, 2024 · 1 comment
Labels
status: needs triage This issue needs to triage, applied to new issues type: bug

Comments

GillesPlatteeuw wrote:

Describe the bug

We are in the process of distributing 2 different Tauri applications for multiple architectures; one is still on V1 while the other is on V2. When building a release version for MacOS we're getting notarization errors the moment we add 1 or more sidecars via the externalBin property.

Both applications successfully build and notarize when the externalBin property is removed from the configuration.

I've also tested this with a clean project and a clean binary (prints hello world), where I followed the steps defined in
https://v2.tauri.app/develop/sidecar/ and https://v2.tauri.app/plugin/shell/

Reproduction

I've created a basic setup here https://github.com/GillesPlatteeuw/tauri-sidecar-test/tree/main

To reproduce the error I've created a Tauri application with

yarn create tauri-app

The frontend framework does not really matter in this case

I've created the test binary in Rust via cargo new test_binary and created a release executable via cargo build --release. I've copied the binary over to the binaries folder and renamed it with the correct target triple appended.

I then followed the documentation to add a sidecar binary. https://v2.tauri.app/develop/sidecar/ and https://v2.tauri.app/plugin/shell/

Then make sure you've updated the tauri.conf.json with the MacOS-specific configuration for signing and notarization; I've redacted our signing identity with *** in the example below (tauri.conf.json > bundle > macOS):

    "macOS": {
      "signingIdentity": "***",
      "hardenedRuntime": true,
      "minimumSystemVersion": "10.13"
    }

Finally you can run yarn tauri build -- --verbose to build, codesign, notarize and bundle.

Expected behavior

Have a valid codesigned and notarized bundled application (DMG)

Full tauri info output

$ tauri info

[✔] Environment
    - OS: Mac OS 15.0.1 arm64 (X64)
    ✔ Xcode Command Line Tools: installed
    ✔ rustc: 1.82.0 (f6e511eec 2024-10-15)
    ✔ cargo: 1.82.0 (8f40fc59f 2024-08-21)
    ✔ rustup: 1.27.1 (54dd3d00f 2024-04-24)
    ✔ Rust toolchain: stable-aarch64-apple-darwin (default)
    - node: 23.3.0
    - yarn: 1.22.22
    - npm: 10.9.0

[-] Packages
    - tauri 🦀: 2.1.1
    - tauri-build 🦀: 2.0.3
    - wry 🦀: 0.47.2
    - tao 🦀: 0.30.8
    - tauri-cli 🦀: 1.5.11
    - @tauri-apps/api : 2.1.1
    - @tauri-apps/cli : 2.1.0

[-] Plugins
    - tauri-plugin-shell 🦀: 2.2.0
    - @tauri-apps/plugin-shell : 2.2.0

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: SolidJS
    - bundler: Vite


### Stack trace

The error we're getting on all of our projects is the following (I've stripped our developer identity with *):

```text

$ tauri build --verbose
    Debug [ignore::gitignore] opened gitignore file: /var/folders/nj/wss671w55fqg4q7_81y1rj0m0000gn/T/.gitignore
    Debug [globset] built glob set; 0 literals, 2 basenames, 0 extensions, 0 prefixes, 0 suffixes, 0 required extensions, 0 regexes
    Debug [ignore::gitignore] opened gitignore file: /Users/gilles/_git/binary-app/.gitignore
    Debug [globset] built glob set; 0 literals, 2 basenames, 0 extensions, 0 prefixes, 0 suffixes, 0 required extensions, 0 regexes
    Debug [ignore::walk] ignoring /Users/gilles/_git/binary-app/.DS_Store: Ignore(IgnoreMatch(Hidden))
    Debug [ignore::walk] ignoring /Users/gilles/_git/binary-app/node_modules: Ignore(IgnoreMatch(Gitignore(Glob { from: Some("/Users/gilles/_git/binary-app/.gitignore"), original: "node_modules", actual: "**/node_modules", is_whitelist: false, is_only_dir: false })))
    Debug [ignore::walk] ignoring /Users/gilles/_git/binary-app/.gitignore: Ignore(IgnoreMatch(Hidden))
    Debug [ignore::gitignore] opened gitignore file: /Users/gilles/_git/binary-app/src-tauri/.gitignore
    Debug [globset] built glob set; 2 literals, 0 basenames, 0 extensions, 0 prefixes, 0 suffixes, 0 required extensions, 0 regexes
    Running [tauri_cli::helpers] beforeBuildCommand `yarn build`
    Debug [tauri_cli::helpers] Setting environment for hook {"TAURI_ENV_PLATFORM_VERSION": "15.0.1", "TAURI_ENV_FAMILY": "unix", "TAURI_ENV_PLATFORM": "darwin", "TAURI_ENV_ARCH": "aarch64", "TAURI_ENV_TARGET_TRIPLE": "aarch64-apple-darwin"}
    Running [tauri_cli] Command `sh  -c yarn build`
$ vite build
vite v6.0.3 building for production...
✓ 10 modules transformed.
dist/index.html                 0.60 kB │ gzip: 0.36 kB
dist/assets/logo-BKhbptE1.svg   1.60 kB │ gzip: 0.55 kB
dist/assets/index-BuP8cbzy.css  1.37 kB │ gzip: 0.65 kB
dist/assets/index-jMxP8T_C.js   8.39 kB │ gzip: 3.53 kB
✓ built in 110ms
    Running [tauri_cli] Command `cargo  build --bins --features tauri/custom-protocol,tauri/native-tls --release`

...
.... (Rust compilation output)
...

    Finished `release` profile [optimized] target(s) in 33.36s
    Built [tauri_cli::build] application at: /Users/gilles/_git/binary-app/src-tauri/target/release/binary-app
    Bundling [tauri_bundler::bundle::macos::app] binary-app.app (/Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app)
    Running [tauri_bundler::bundle::common] Command `xattr  -crs /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app`
    Signing [tauri_bundler::bundle::macos::sign] with identity "*****************************"
Signing with identity "*****************************"
Signing /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/test_binary
    Running [tauri_macos_sign] Command `codesign  --force -s ***************************** --options runtime /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/test_binary`
/Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/test_binary: replacing existing signature
Signing with identity "*****************************"
Signing /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/binary-app
    Running [tauri_macos_sign] Command `codesign  --force -s ***************************** --options runtime /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/binary-app`
/Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/binary-app: replacing existing signature
Signing with identity "*****************************"
Signing /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app
    Running [tauri_macos_sign] Command `codesign  --force -s ***************************** --options runtime /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app`
/Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app: replacing existing signature
    Running [tauri_macos_sign] Command `ditto  -c -k --keepParent --sequesterRsrc /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app /var/folders/nj/wss671w55fqg4q7_81y1rj0m0000gn/T/.tmpPPynUE/binary-app.zip`
Signing with identity "*****************************"
Signing /var/folders/nj/wss671w55fqg4q7_81y1rj0m0000gn/T/.tmpPPynUE/binary-app.zip
    Running [tauri_macos_sign] Command `codesign  --force -s ***************************** /var/folders/nj/wss671w55fqg4q7_81y1rj0m0000gn/T/.tmpPPynUE/binary-app.zip`
Notarizing /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app
failed to bundle project: Finished with status Invalid for id f96d2728-295a-4fce-b17c-95bd52de9d00 (Processing complete)
Log:
{
  "logFormatVersion": 1,
  "jobId": "f96d2728-295a-4fce-b17c-95bd52de9d00",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "binary-app.zip",
  "uploadDate": "2024-12-17T13:02:50.901Z",
  "sha256": "b0c2ce73a9a49ad35bdf7d2cf3e315727b43eda9128006bee39ccad481b2ecf6",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "binary-app.zip/binary-app.app/Contents/MacOS/binary-app",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

    Error [tauri_cli_node] failed to bundle project: Finished with status Invalid for id f96d2728-295a-4fce-b17c-95bd52de9d00 (Processing complete)
Log:
{
  "logFormatVersion": 1,
  "jobId": "f96d2728-295a-4fce-b17c-95bd52de9d00",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "binary-app.zip",
  "uploadDate": "2024-12-17T13:02:50.901Z",
  "sha256": "b0c2ce73a9a49ad35bdf7d2cf3e315727b43eda9128006bee39ccad481b2ecf6",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "binary-app.zip/binary-app.app/Contents/MacOS/binary-app",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}
```

### Additional context

Windows code signing works without any trouble.
GillesPlatteeuw added the status: needs triage and type: bug labels on Dec 17, 2024.

GillesPlatteeuw (Author) commented:

Digging deeper into the issue, I verified the signature for each binary separately. The custom (hello world) binary shows as valid, but the Tauri-created binary gives the following output:

src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/binary-app: nested code is modified or invalid
file modified: /Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/test_binary

indicating that the nested binary is invalid or modified in some way:

Executable=/Users/gilles/_git/binary-app/src-tauri/target/release/bundle/macos/binary-app.app/Contents/MacOS/binary-app
Identifier=com.binary-app.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=87795 flags=0x10000(runtime) hashes=2737+3 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=983552
Hash type=sha256 size=32
CandidateCDHash sha256=e7ce8c154244084fcf1856b471de764fbeaa0929
CandidateCDHashFull sha256=e7ce8c154244084fcf1856b471de764fbeaa0929a3e1bf1f153411a4534696a9
Hash choices=sha256
CMSDigest=e7ce8c154244084fcf1856b471de764fbeaa0929a3e1bf1f153411a4534696a9
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=7880704
Executable Segment flags=0x1
Page size=4096
    -3=274b12c645b0c4079531952092365c49608901ffdb808ef8d2079b54e9e5e01a
    -2=eb75a570d13e455eae9cd234f3b33d568735be28af7c0904f5296dbee092650f
    -1=173ed60f95aecc0289ad217a4e73e8b6afcaa71e6c8c8f9e59a803d031f86d29
     0=0f5924f06b355ee2d23b49772c22a6967ece8380f1d15f6bc9940df14fa5a8f7
     1=ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
     2=fa2e4c2e36a5308506a2c5f4aeaf7c49e1efe12981be1a63906843d580a067eb
     3=3a074102140ef6f13efa2baf844fb7240d17da198bf06316fa116e1b74998335
     4=05e5a1650f134c26d16b1a97a3551e671ed5bfec7160614efd5dce8ec9b9e782
..........
  2736=002b7688604353951bb95090de38a0d08c700741ce1b5aa4c2faededda355a4a
CDHash=e7ce8c154244084fcf1856b471de764fbeaa0929
Signature size=8980
Authority=Developer ID Application: Trust1Team bvba (59YJFRZ48G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=23 Dec 2024 at 13:59:09
Info.plist entries=14
TeamIdentifier=not set
Runtime Version=15.2.0
Sealed Resources version=2 rules=13 files=2
Nested=MacOS/test_binary
Internal requirements count=1 size=96

After searching the web a bit regarding this, it pointed at looking for issues during signing. As I did not get any errors at signing itself, I continued looking and then stumbled on this post: electron/osx-sign#131.

This piqued my interest, as we have some internal tools we also codesign and notarize, where we updated the certificates in our keychain to always be trusted for codesigning and timestamping, as you can see in the screenshot below.
[screenshot: keychain certificate trust settings for code signing and timestamping]

It seemed odd that this could cause any issues, but it was worth a try. And yes, for some reason this resolved the issue with notarization.

For reference, this is the command we use for one of our tools. I think the main difference here is that it selects a specific keychain database to use and search for the certificate. This is the user's own keychain, while the certificate is also present in the System keychain database.

codesign -f --timestamp --entitlements entitlements.plist --sign "Developer ID Application" --options runtime --keychain $HOME/Library/Keychains/login.keychain-db $BINARY_NAME

Although the issue is resolved for me specifically, I think it would be beneficial to know why this is occurring. And maybe add this specific case to the documentation under a FAQ section?
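
Added example, not part of the issue and not Tauri's own code: a small shell triage helper that follows the per-binary verification described in the comment above. verify_bundle runs codesign on the .app and then on every executable under Contents/MacOS separately (macOS only); audit_codesign_dump reads a codesign -dvvv dump and flags the fields that matter for notarization and that appear in the dump quoted above (the (runtime) flag on CodeDirectory, Timestamp, TeamIdentifier, Nested). The function names, the sample dumps, "Example Corp" and "TEAMID0000" are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or from Tauri): triage helper for a macOS
# .app that fails notarization. Only audit_codesign_dump() runs off macOS.

set -u

# Read a `codesign -dvvv` dump from stdin and print findings.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_codesign_dump() {
  local dump findings
  dump="$(cat)"
  findings=0

  # A Developer ID signature normally records the team identifier. "not set"
  # next to a Developer ID authority line is the state the issue's dump shows
  # before the keychain trust settings were changed, so it is flagged here.
  if printf '%s\n' "$dump" | grep -q '^Authority=Developer ID Application' &&
     printf '%s\n' "$dump" | grep -q '^TeamIdentifier=not set'; then
    echo "FINDING: TeamIdentifier not set on a Developer ID signature"
    findings=1
  fi

  # Notarization requires the hardened runtime; codesign reports it as the
  # "(runtime)" flag on the CodeDirectory line.
  if ! printf '%s\n' "$dump" | grep -q '^CodeDirectory .*(runtime)'; then
    echo "FINDING: hardened runtime flag missing from CodeDirectory"
    findings=1
  fi

  # Notarization also requires a secure timestamp (codesign --timestamp).
  if ! printf '%s\n' "$dump" | grep -q '^Timestamp='; then
    echo "FINDING: signature has no secure timestamp"
    findings=1
  fi

  # Each nested binary listed here must carry its own valid signature.
  printf '%s\n' "$dump" | sed -n 's/^Nested=/NESTED: /p'

  return "$findings"
}

# Verify the bundle as a whole, then each executable under Contents/MacOS on
# its own, auditing its dump. Returns 2 when codesign is unavailable (non-macOS),
# 1 on any failure, 0 when everything passes.
verify_bundle() {
  local app bin
  app="$1"
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 2; }

  codesign --verify --deep --strict --verbose=2 "$app" || return 1
  for bin in "$app"/Contents/MacOS/*; do
    echo "== $bin"
    codesign --verify --strict --verbose=2 "$bin" || return 1
    # codesign -dvvv writes its dump to stderr.
    codesign -dvvv "$bin" 2>&1 | audit_codesign_dump || return 1
  done
}

# Constructed sample shaped like the issue's dump, with a placeholder identity.
SAMPLE_BAD_DUMP='Executable=/tmp/binary-app.app/Contents/MacOS/binary-app
Identifier=com.binary-app.app
CodeDirectory v=20500 size=87795 flags=0x10000(runtime) hashes=2737+3 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=23 Dec 2024 at 13:59:09
TeamIdentifier=not set
Nested=MacOS/test_binary'

# Constructed sample of a healthy dump for comparison.
SAMPLE_GOOD_DUMP='Executable=/tmp/binary-app.app/Contents/MacOS/binary-app
CodeDirectory v=20500 size=87795 flags=0x10000(runtime) hashes=2737+3 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=23 Dec 2024 at 13:59:09
TeamIdentifier=TEAMID0000'

# Usage on a macOS build host: ./triage.sh src-tauri/target/release/bundle/macos/binary-app.app
if [ -n "${1:-}" ]; then
  verify_bundle "$1"
fi
```

Run it against the .app that the Tauri bundler produced, before the zip is uploaded for notarization; a finding on the app binary while the sidecar verifies cleanly matches what the comment above describes, and the TeamIdentifier check is the quickest way to tell whether the signing identity was resolved from the intended keychain.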
