[HOLD] GIMP/OSX - attempt to pass notarization
Overview
Starting from OSX 10.14, Apple supports app notarization.
Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.
This ticket will collect all actions needed to pass notarization for the GIMP/OSX releases, as well as possible blockers.
Current status
- GIMP CI package is signed with a GNOME key and passes Gatekeeper
- Initial submission of the package was done using altool:
  package: RequestUUID: 3cece058-37e6-4907-b33f-529591c08250 Date: 2018-11-27 20:52:37 +0000 Status: invalid LogFileURL: <url> Status Code: 2 Status Message: Package Invalid
- issues from the logs are resolved and notarization is passed
- issue with broken debug handler resolved
- notarized app is published on the gimp.org website
Issues found
During the initial submissions, two types of issues were found.
The executable does not have the hardened runtime enabled (resolved)
This is relatively easy to fix (by adding --options runtime to the codesign invocation), but it requires some additional work:
- all Mach-O binaries and dylibs need to be signed separately using codesign, because with the hardened runtime only signed code can be loaded. codesign -s <signature> --deep is not enough, as it does not sign binaries inside the Contents/Resources folder.
- will it be possible to run 3rd-party plugins this way if they are signed by another developer?
- can the user disable the hardened runtime if they want to?
- LLDB is not working with the hardened runtime. We use lldb to get traces in case of a crash. By default, apps using the hardened runtime cannot be debugged. There is an Xcode --entitlements switch (we need get-task-allow) to whitelist debugging permission, but it is unclear whether such a binary will pass notarization; this needs to be checked. According to Apple: "Not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true." This could be a blocker.
The binary is not signed (resolved)
This applies only to Mach-O binaries in the GIMP-2.10.app/Contents/Resources/lib/ folder, which need to be signed separately with codesign. This should be integrated into the build process.
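An added example (not GIMP's own build script) of the per-binary signing step described here and in the hardened-runtime section above: a POSIX shell script that finds every Mach-O file in the bundle by its magic bytes (so files without an extension under Contents/Resources are not missed), signs each one with the hardened runtime, and then seals the bundle. The bundle path and signing identity are placeholders; CODESIGN=echo dry-runs the commands on a machine without Apple's tools.

```shell
#!/bin/sh
# Added example (not GIMP's build script): sign every Mach-O file inside an
# .app bundle with the hardened runtime, then seal the bundle itself.
set -eu

# Recognise Mach-O (thin and fat/universal) files by their first four bytes,
# because dylibs and plug-ins under Contents/Resources often have no extension.
is_macho() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe) return 0 ;;  # MH_MAGIC / MH_MAGIC_64
    cafebabe|bebafeca) return 0 ;;  # FAT_MAGIC (also Java .class; check if in doubt)
    *) return 1 ;;
  esac
}

# List Mach-O files deepest path first, so nested code is signed before the
# executables that load it ("inside out" signing).
list_macho_files() {
  find "$1" -type f | awk -F/ '{ print NF, $0 }' | sort -rn | sed 's/^[0-9]* //' |
  while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# Sign each binary separately with --options runtime (hardened runtime) and a
# secure timestamp, then the bundle. No --entitlements file is passed, so
# com.apple.security.get-task-allow is absent, as notarization requires.
# CODESIGN=echo dry-runs the commands on a machine without Apple's tools.
sign_app() {
  app=$1; identity=$2; tool=${CODESIGN:-codesign}
  list_macho_files "$app" | while IFS= read -r f; do
    "$tool" --force --options runtime --timestamp -s "$identity" "$f"
  done
  "$tool" --force --options runtime --timestamp -s "$identity" "$app"
}

# Usage (placeholders): sign_app /path/to/GIMP-2.10.app "Developer ID Application: <team>"
```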
The executable requests the com.apple.security.get-task-allow entitlement.
After enabling the hardened runtime we get this message. We can pass notarization if com.apple.security.get-task-allow is not enabled, but this will kill the lldb crash dump functionality in case of a crash. TBD with Apple.