Re: [gtk-osx-users] CodeSigning and Catalina security issue.
On Feb 20, 2020, at 12:15 AM, Pascal <p p14 orange fr> wrote:

Hello John,

On 14 Feb 2020 at 23:19, John Ralls <jralls ceridwen us> wrote:

On Feb 14, 2020, at 12:56 PM, Pascal <p p14 orange fr> wrote:

Hello John,

On 14 Feb 2020 at 21:40, John Ralls <jralls ceridwen us> wrote:

On Feb 14, 2020, at 12:16 PM, Pascal <p p14 orange fr> wrote:

Hello,

I've now codesigned my GTK-OSX app for the bundle:
% APPLICATION_CERT=gtk-cert /opt/gtk-mac-bundler/gtk-mac-bundler /opt/chapitre6/gtk3-ch6.bundle 

But I still have the issue when opening the Documents folder:
<Capture d’écran 2020-02-14 à 21.08.36.png>

What else would I have to do?
Any clue?

It works OK when unsigned but is sandboxed when signed?

Both gave the same opening error. I hoped the error would have disappeared when signing but it was not 
the case.

No, code signing isn't going to change anything. Does it matter if you launch it from Terminal with 
/opt/Gtk3-ch6cs.app/Contents/MacOS/Gtk3-ch6cs

== Access to Documents folder is allowed. (I guess the authorisation is coming from the Terminal itself).

or
open /opt/Gtk3-ch6cs.app

== Access to Documents folder is forbidden.

There might be some useful output especially in the first case.


Is gtk-cert an Apple developer cert? Don't try to use anything else on MacOS, Apple's security stuff 
recognizes only their own certificates.

I created the certificate with KeyChain app, as the following link description but I created it in 
session and not system keychain:
https://gcc.gnu.org/onlinedocs/gnat_ugn/Codesigning-the-Debugger.html

That won't do you any good if you're planning to distribute app bundles. Only Apple Developer Program 
certificates are accepted by MacOS's Gatekeeper, and for Catalina you also have to get the bundle 
notarized and that has the same restriction on certificates.

For now, I try with a local certificate like a sort of PoC.

Alexy Samurkov figured this out in https://gitlab.gnome.org/GNOME/gimp/issues/3710. The fix is to not use a 
launcher script because it inherits the restricted privileges of an unauthenticated run of /bin/sh.

For the demo program you might see if you can set enough of the environment in Info.plist using 
https://developer.apple.com/documentation/bundleresources/information_property_list/lsenvironment to get it 
to run. For your actual program the easiest solution is to rewrite your launcher in python and put it in 
Resources, compile python-launcher.c and use the result as the main-binary.

Regards,
John Ralls
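A quick diagnostic added here (example code, not from the thread and not part of gtk-mac-bundler): John's explanation is that a shell-script launcher runs under /bin/sh, so the privacy (TCC) prompt for Documents is attributed to an unauthenticated /bin/sh rather than to the app. The first thing to check on an affected bundle is therefore whether the file named by CFBundleExecutable is a script or a native Mach-O binary. The functions below do that from the file's magic bytes; the plist parsing assumes a plain XML Info.plist (binary plists would need plutil, which is macOS-only), and the bundle name Demo.app in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the gtk-osx-users thread): classify a bundle's main
# executable as a script launcher or a native Mach-O binary by its magic bytes.
# A script launcher executes under /bin/sh, which is the process that inherits
# the restricted privileges described in the thread; a Mach-O main binary is
# attributed to the app itself when macOS asks for Documents access.

# Print "script", "macho" or "other" for the file given as $1.
classify_launcher() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    # First four bytes as lowercase hex; od is POSIX so this runs anywhere.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        2321*)              echo "script" ;;   # "#!" shebang: a launcher script
        feedface|feedfacf)  echo "macho"  ;;   # MH_MAGIC / MH_MAGIC_64, big-endian order
        cefaedfe|cffaedfe)  echo "macho"  ;;   # same magics as stored on little-endian hosts
        cafebabe)           echo "macho"  ;;   # fat (universal) binary header
        *)                  echo "other"  ;;
    esac
}

# Inspect an .app bundle: read CFBundleExecutable from Contents/Info.plist
# (assumes an XML plist with the <string> on the line after the <key>, which is
# how gtk-mac-bundler and Xcode write it) and classify that executable.
# Usage: check_bundle /opt/Demo.app   (Demo.app is a placeholder name)
check_bundle() {
    app="$1"
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || { echo "no Info.plist"; return 1; }
    exe=$(sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
    [ -n "$exe" ] || { echo "no CFBundleExecutable"; return 1; }
    classify_launcher "$app/Contents/MacOS/$exe"
}
```

If check_bundle reports "script", the bundle still has the launcher-script layout the thread identifies as the cause; after switching to a compiled main binary (with the environment supplied via LSEnvironment or a python-launcher.c build, as John suggests) it should report "macho".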
