Issue with new v1.6.1-1 prerelease

[xor-gate]

Hi @calmh I have an issue with the new prerelease build from v1.4.2-1 git commit hash 3463cb3 located in TeamCity here.

Is there something wrong with the developer key?

[xor-gate]

I tried to reinstall the old https://github.com/syncthing/syncthing-macos/releases/tag/v1.0.0-2 release and it works fine without this error.

[imsodin]

Apple made notarization mandatory since the last release and a quick search/look didn't turn anything up that looks like doing notarization in syncthing-macos (aka searching for notari doesn't give results :) ). See https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

[calmh]

It's a conundrum. Like many things in the Apple build ecosystem it's not trivial to automate. I have a script I run manually (when I remember, which I didn't for 1.4.2) to notarize the regular Syncthing binary after we release it.

[calmh]

And even then there's nonsense like this

2020-04-17 15:26:13.902 altool[34909:6901889] *** Error: Unable to notarize app.
2020-04-17 15:26:13.902 altool[34909:6901889] *** Error: code 1048 (You must first sign the relevant contracts online. (1048))

every time, even though I just signed the new contracts, and there are new contracts every few weeks 😬

[xor-gate]

Oohw boy, you dance with the devil.

[calmh]

Oh, the best thing is that when the notarization upload actually works, the tool just thanks you for the upload. Then at some later point you get the success/failure of the notarization process in an email. Excellent for integrating into a build pipeline.

[calmh]

Then you get an email like this, and have to run another tool with the guid to get the reason why it failed, which will likely be something meaningless as well

[calmh]

In this case, specifically,

          Date: 2020-04-17 13:33:38 +0000
          Hash: 5b2d743dcbc09044d95ef4eccb182bc11f95efdd03bbbf01b68ea77f585bdcbf
    LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma113/v4/81/cb/1a/81cb1adf-29b1-af25-a596-c11816113ee4/developer_log.json?accessKey=1587325082_3954166839147991973_ctuoSbs4eJk2rq3BpULmpRVC3auTPTy3VLy3fyrfRINDOb8lbTZbiDPZrVZuwV%2FncJK3k2GtiPa%2BVi8bzd73VUXjVZBERZ6z7iDFNt5g9qhwv4O2B8fRCU0nYkfM9s0FUB320LIO3QDVkZb5dsOQacYoZlb8ipoZSYs6SzlDgEA%3D
   RequestUUID: 3af12861-9645-4a41-b385-d3bbc642b15c
        Status: invalid
   Status Code: 2
Status Message: Package Invalid

Ah. "Package Invalid". I see. 😠

[calmh]

"message": "The executable does not have the hardened runtime enabled.",

I think that means we need a newer Go (1.14). Whether you then also need to do some magic here I don’t know.

[xor-gate]

Can we try to compile 1.5.0 syncthing with a correctly signed cert and see if we can get it working? When the release is ready of course.

[xor-gate]

Now v1.5.0 is released can you have a look to upgrade to go 1.14 for macOS ? I still get the same error but then with the latest v1.5.0 so i'm unable to resolve #113.

[calmh]

Go 1.14 didn't change this situation, at least not by itself. I'm upgrading the builder to catalina and newer xcode to see what happens.

[imsodin]

Go itself should be "compatible" since 1.13.5: golang/go#35748

[calmh]

Yeah so we're hitting something else then, maybe our linker flags or some other oddness.

"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "syncthing-macos-amd64-v1.6.0-rc.1.zip/syncthing-macos-amd64-v1.6.0-rc.1/syncthing",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]

(Go 1.14.2)

[calmh]

Figured it out, it needs to be enabled at code signing time as well. So 1.6.0-rc.1 and newer will be notarized.

[calmh]

So Syncthing itself is now notarized, so I expect this is fine? It should be possible to do a release with an updated binary?

[calmh]

I fixed the DMG build for Catalina, but the app doesn't notarize very well regardless: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma123/v4/29/34/a5/2934a52d-e1f1-8589-b460-ae93de075f9c/developer_log.json?accessKey=1591361341_1785601510916194979_dQSsDjOSH3ciNP%2BFdg0CJ0CtJeH2LB3X%2FXw9lG8Lwf7oNf23xxRojOqSjLbfmf%2F7nxKY9Vsdc8f4SJGKGsohiW1uRr70XHMSsCWXpz2NsbiSFwtySSG6150LjQPNy8vI8MJY55Utm%2FTAJZR2K%2FoLemD8WlPkqWDIxxv8m4YG9k0%3D

Many things are unsigned or not hardened, which I guess is a question of enabling the appropriate things in the project? (Ignoring the syncthing binary itself since that build still points at 1.5.0.)

[xor-gate]

I have created a PR to update to 1.6.1 but still the same problem. The build is located here:
https://build.syncthing.net/viewLog.html?buildTypeId=SyncthingMacOS_BuildReleaseDmg&buildId=67429&branch_SyncthingMacOS=release%2F1.6.1-1

[calmh]

What is "the same problem" exactly?

[calmh]

Syncthing itself is signed, hardened and notarized. However the other binaries in the package lack signing or hardening: notarization log for the 1.6.1-1 build

[xor-gate]

Application doesn't start, same as before:

[calmh]

Right, because it's not notarized, because see above.

[xor-gate]

I think we are hitting two related issues:

• App Notarization: Enable Hardened Runtime in Helper sindresorhus/LaunchAtLogin-Legacy#20
• Hardened Runtime is not enabled for Sparkle. macOS Mojave sparkle-project/Sparkle#1266
  It seems for most people the codesign --deep solves te problem

[xor-gate]

Seems we already do deep codesign, but the hardened is not enabled for sparkle probably. No direct clue how to enable it.

syncthing-macos/syncthing/Scripts/create-dmg.sh

Line 42 in c52d8d6

codesign --force --deep --sign "${SELECTED_IDENTITY}" "${STAGING_APP}"

[xor-gate]

Seems there are some problems with the dmg:

• Download latest release from teamcity
• Install to Downloads folder
• Run codesign -vvv --deep --strict ~/Downloads/syncthing.app

--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftObjectiveC.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCore.dylib
/Users/jerry/Downloads/syncthing.app: resource fork, Finder information, or similar detritus not allowed
In subcomponent: /Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCore.dylib

• Executing xattr -cr ~/Downloads/Syncthing.app
• Then the application can be opened
• Run codesign check again

codesign -vvv --deep --strict ~/Downloads/syncthing.app
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCoreGraphics.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCoreGraphics.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftObjectiveC.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftObjectiveC.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCore.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCore.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCoreFoundation.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftCoreFoundation.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftDispatch.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftDispatch.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftIOKit.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftIOKit.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftDarwin.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftDarwin.dylib
--prepared:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftFoundation.dylib
--validated:/Users/jerry/Downloads/Syncthing.app/Contents/Frameworks/libswiftFoundation.dylib
/Users/jerry/Downloads/syncthing.app: valid on disk
/Users/jerry/Downloads/syncthing.app: satisfies its Designated Requirement

[xor-gate]

Apple has the error documented: https://developer.apple.com/library/archive/qa/qa1940/_index.html

[xor-gate]

Seems the dmg app bundle is correct after some investigation. Only when copy it gets the quarantine attribute:

xattr -lr /Applications/Syncthing.app
/Applications/Syncthing.app: com.apple.quarantine: 0181;5ed7b971;Chrome;52919DD0-D83C-4501-A154-2CFBED6A439A

[calmh]

Just the sparkle stuff left

[xor-gate]

• I have added codesign for the sparkle stuff according to App Notarize cannot be done because "Hardened Runtime" is disabled in Autoupdate.app  sparkle-project/Sparkle#1389 (comment)
• Try notarize artifact https://build.syncthing.net/viewLog.html?buildId=67486&buildTypeId=SyncthingMacOS_BuildReleaseDmg&tab=artifacts

[calmh]

[xor-gate]

It works!

[xor-gate]

@calmh I found a nice tool to check if an app is correct:
https://eclecticlight.co/2019/05/31/can-you-tell-whether-code-has-been-notarized/
https://eclecticlight.co/taccy-signet-precize-alifix-utiutility-alisma/