Signing Is Failing for P12 With Chain File #16

Closed
sheldonhull opened this issue Dec 7, 2022 · 7 comments · Fixed by #34

Comments

@sheldonhull

What Happened

I'm trying to work through the signing process with a developer id application cert (p12).
I've followed the directions and am not able to get notarization to correctly work.

The signing continues without error, but upon notarization I get a few errors.

How to reproduce it (as minimally and precisely as possible):

  • When testing against my binary (produced by goreleaser), this command: codesign -vvv --deep --strict $artifact returns CSSMERR_TP_NOT_TRUSTED In architecture: x86_64.
  • spctl -vvv --assess --type exec $artifact returns CSSMERR_TP_NOT_TRUSTED.

The notarization attempt responds with 2 errors in the json response:

"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "myapp-darwin-amd64",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp-darwin-amd64",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    }
  ]
  • Running quill describe against my original and -with-chain p12 file: * unable to parse single-arch binary: unable to parse macho formatted file with blacktop: invalid magic number in record at byte 0x0.

Other Troubleshooting Steps I've Taken

  • Validated Apple CA/WWDR/timestamp certs are installed.
  • Validated the trust settings are set to Defaults, not overridden to Always Trust.
  • Confirmed from docs the Developer ID cert is the correct type for signing binaries such as CLI tools.

Summary

I've gotten quill to mark the file as signed with a non-Apple developer cert (pfx/p12), but what I understand is that for macOS Gatekeeper to allowlist the app I need to use only an Apple cert. I've iterated on this for days and I'm not sure where else to go with it.

Troubleshooting Script in Progress

export QUILL_P12_PASSWORD=''
export QUILL_SIGN_PASSWORD=${QUILL_P12_PASSWORD}

export P12_APP=pathtodeveloperid-application-cert.p12
export P12_WITH_CHAIN=pathtodeveloperid-application-cert-with-chain.p12
export QUILL_SIGN_P12=$P12_WITH_CHAIN

# binary to sign (placeholder path; the original script never set this variable)
artifact=path/to/myapp-darwin-amd64

# ensure full chain is attached for the sign/notarization process via quill
# (writes the *-with-chain.p12 file referenced by P12_WITH_CHAIN)
quill p12 attach-chain "$P12_APP"

quill sign-and-notarize --p12 "$P12_WITH_CHAIN" \
    --notary-key-id 'notarykeyid' \
    --notary-key 'pathtoAuthKey_zzzzzzz.p8' \
    --notary-issuer 'guidplacedhere' \
    "$artifact"

# Tried explicit timestamp add and no difference, so removed.
# --timestamp-server 'http://timestamp.apple.com/ts01' \

# other follow-up commands I've used.
security find-identity
codesign -vvv --deep --strict "$artifact"
spctl -vvv --assess --type exec "$artifact"
@sheldonhull sheldonhull added the bug Something isn't working label Dec 7, 2022
@wagoodman
Contributor

wagoodman commented Dec 7, 2022

@sheldonhull thanks for reporting, and great info! Can you additionally post your goreleaser file (or at least a sanitized version of it)? This would give me a better idea of the kind of binary that was generated to help replicate on my end. In the meantime I'll take a closer look with what you posted and try to get this replicated.

@sheldonhull
Author

sheldonhull commented Dec 8, 2022


Here you go, https://github.com/DelineaXPM/dsv-cli

NOTE: there is an open PR. That branch is the one you'd be best to use, as it has the most updated goreleaser file.

DelineaXPM/dsv-cli#28

The project also is fully self setup with devcontainer so feel free to pop it open in that if you like. 💪

It's a public repo. Mage tasks are included and goreleaser config if you want to run it locally and see what you get with your own certs.

I appreciate any help! Love this project. I want a windows one now cause it has me spoiled. 😆

@sheldonhull
Author

@wagoodman bump. Just making sure the response was seen. Not urgent, but I would like to know if there's anything I can do to resolve this someday. Cheers!

@wagoodman
Contributor

Thanks for the info, though I'm surprised I'm no closer to figuring this out; I've tried a couple of different approaches so far to try and reproduce the issue locally, without success yet.

I'm starting to wonder if it's something unique about the certificate material itself, but I can't think of what that might be.

@wagoodman
Contributor

@sheldonhull do you want to connect in the anchore community slack to troubleshoot in realtime / coordinate a session?

@jessesuen

jessesuen commented Apr 4, 2023

I struggled with these two errors myself, but figured out a solution. Posting it here in case it helps others.

I noticed when running quill p12 attach-chain with QUILL_LOG_LEVEL=debug, it kept outputting the following warning:

[0000]  WARN only found one certificate, no way to verify it (you need to provide a full certificate chain)

And my signed binaries kept failing notarization with the same two errors:

  • The signature of the binary is invalid
  • The signature does not include a secure timestamp.

In Keychain Access, I saw that there was an extra "Developer ID Certification Authority" (the issuer of my Developer ID Application cert) in my "System" keychain, which was missing from my "System Roots".


I don't recall if I had manually installed that cert from https://www.apple.com/certificateauthority/ (I was trying many things).

Quill will default to /System/Library/Keychains/SystemRootCertificates.keychain. So I changed the --keychain-path argument to /Library/Keychains/System.keychain. i.e.:

quill p12 attach-chain --keychain-path /Library/Keychains/System.keychain ./mycertificates.p12

The warning disappeared and I was able to sign/notarize my binary.
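The comment above boils down to one check: does the P12 handed to quill carry the Developer ID leaf alone, or the leaf plus the issuers needed to chain it to an Apple root? The script below is an added example, not code from quill or from this issue; it builds a throwaway root, intermediate and leaf with openssl, packages the leaf both ways, and shows how each file looks when counted and verified. All names, paths and the password are constructed.

```shell
#!/bin/sh
# Added example (not quill's code): a P12 exported with only the leaf cannot
# chain to its root, which is the condition behind quill's
# "only found one certificate, no way to verify it" warning.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=constructed-p12-password
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# mk_cert NAME SUBJECT CA_FLAG [ISSUER]: self-signed when no issuer is given
mk_cert() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -subj "$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$WORK/$1.ext"
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}
mk_cert root  "/CN=Example Root CA" TRUE
mk_cert inter "/CN=Example Developer ID CA" TRUE root
mk_cert leaf  "/CN=Example Developer ID Application" FALSE inter
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"

# A bare exported identity (leaf only) versus the leaf plus its issuers
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
  -passout "pass:$PASS" -out "$WORK/leaf-only.p12"
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
  -certfile "$WORK/chain.pem" -passout "pass:$PASS" -out "$WORK/leaf-with-chain.p12"

# p12_cert_count FILE: how many certificates the P12 carries
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# p12_chain_verifies FILE ROOT: can the leaf chain to ROOT using only the
# certificates stored in the P12 as untrusted links? (exit 0 = yes)
p12_chain_verifies() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null > "$WORK/bundle.pem"
  openssl verify -CAfile "$2" -untrusted "$WORK/bundle.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

for f in leaf-only leaf-with-chain; do
  printf '%s.p12: %s cert(s), chain to root: ' "$f" "$(p12_cert_count "$WORK/$f.p12")"
  if p12_chain_verifies "$WORK/$f.p12" "$WORK/root.crt"; then echo OK; else echo MISSING; fi
done
```

Against a real Developer ID P12 the same two commands apply with the Apple root as -CAfile; a count of 1 is exactly the state quill's warning reports, and attach-chain's job is to raise it.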

@jessesuen

Note, a lot of headache probably would have been avoided if #8 was implemented and root/intermediate certs were baked into the quill binary.

@wagoodman wagoodman added this to OSS Apr 8, 2023
@wagoodman wagoodman self-assigned this Apr 8, 2023
@wagoodman wagoodman moved this to In Progress in OSS Apr 8, 2023
@wagoodman wagoodman moved this from In Progress to In Review in OSS Apr 11, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Apr 11, 2023