Mac signature no longer accepted #2356

Open
k9ert opened this issue Jul 20, 2023 · 1 comment
Collaborator

k9ert commented Jul 20, 2023

Starting the signed binary like this:

(.env) ➜  specter-desktop git:(kn/mac_signing) ✗ ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
[1]    45152 killed     ./pyinstaller/electron/dist/mac-arm64/Specter.app/Contents/MacOS/Specter
(.env) ➜  specter-desktop git:(kn/mac_signing) ✗

So the executable will get killed immediately and you'll see something like this in the logs:

Disallowing solutions.specter.desktop because no eligible provisioning profiles found

It seems that we need a provisioning profile. However, Apple is not mentioning that in its documentation. There, only signing and notarizing are mentioned.

Validating signatures

Is the signature of that binary even valid? A prerequisite for notarizing is that you sign your software with your developer key.

The signature can be checked like this:
➜  specter-desktop git:(kn/mac_signing) ✗ pkgutil --check-signature ./pyinstaller/electron/dist/mac-arm64/Specter.app
Package "Specter":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Application: Kim Neunert (FWV59JHV83)
       Expires: 2026-09-11 11:59:39 +0000
       SHA256 Fingerprint:
           06 C7 63 8C 92 5B DD 60 79 8C B1 B0 30 8D B7 98 2C 99 8E F3 33 87 
           A0 BD 03 1B 35 C5 3D 53 3C 3D
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

➜  specter-desktop git:(kn/mac_signing) ✗ 

Validating notarisation status

Is the software properly notarised?

Yes, I think so:
➜  specter-desktop git:(kn/mac_signing) ✗ spctl --assess --verbose --type execute  ./pyinstaller/electron/dist/mac-arm64/Specter.app

./pyinstaller/electron/dist/mac-arm64/Specter.app: accepted
source=Notarized Developer ID

➜  specter-desktop git:(kn/mac_signing) ✗ 

Additional context and further references:

Did it ever work?

Yes, it did. The original notarisation-process was built on "altool".
However, for some reason, binaries which got signed with that process started to crash.

I've created an issue at Apple:

DESCRIPTION OF PROBLEM
The DMG can be downloaded here: https://github.com/cryptoadvance/specter-desktop/releases/tag/v2.0.2-pre4

After installing it and starting it, it results in:

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Incident Identifier: 098A5E69-E3A3-4FAC-BB70-4A85FD2E9C36
CrashReporter Key: 0ECE6060-D469-9FCA-090A-DFE686CA0C88
Hardware Model: Mac14,9
Process: Specter [25891]
Path: /Applications/Specter.app/Contents/MacOS/Specter
Identifier: solutions.specter.desktop
Version: 2.0.2-pre4 (2.0.2-pre4)
Code Type: X86-64 (Native)
Role: Default
Parent Process: launchd [1]
Coalition: solutions.specter.desktop [58761]

Date/Time: 2023-06-28 13:57:30.0009 +0200
Launch Time: 2023-06-28 13:57:29.6777 +0200
OS Version: macOS 13.4 (22F66)
Release Type: User
Report Version: 104

Exception Type: EXC_CR

However, at the time of signing, I got this JSON result back:

{
"tool-version": "4.029.1194",
"tool-path": "/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework",
"success-message": "No errors getting notarization info.",
"notarization-info": {
"Status": "success",
"Status Message": "Package Approved",
"LogFileURL": "https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma116/v4/cc/ad/78/ccad781b-b1c4-7e4e-5f47-b2644f10e033/developer_log.json?accessKey=1688143920_4653658224769771469_dq5gv5qwSSLx%2F2%2Ft%2Bm946O%2B8jMVwX6msaTG2K83jgC4Mq%2BV%2FMw4m1F8FWhIPW%2FaO74vciaNYHdFf4XrawBdbU3GdmInRzdnqiIr%2BVZlZfSS6iI5gEVLNxDv6yLe5sf93TtVV13onU5N%2BLe5vT9M6OHwOAkmucHoHgemf%2BdxdXa4%3D",
"Date": "2023-06-28T12:48:53.000Z",
"RequestUUID": "97a93c1b-4806-4eb3-baa0-f185676ea0b1",
"Status Code": 0,
"Hash": "2240c7e15926eed5e1826f036359e81b50f9ded91d2589620cdbb81c1e853e91"
},
"os-version": "10.15.7"
}

The script which is building the whole app can be found here:
https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-osx.sh

The relevant part which does the signing is here:
https://github.com/cryptoadvance/specter-desktop/blob/master/utils/build-common.sh#L115-L168

STEPS TO REPRODUCE
Download the dmg from above link, install and start.

NAME AND APPLE ID OF APP
specter-desktop

The answer from Apple was not very precise.

Thank you for contacting Apple Developer Technical Support (DTS).

Based on your request, we believe that your question is answered by the Apple Developer Forums discussion linked here:

Resolving Trusted Execution Problems
https://developer.apple.com/forums/thread/706442

If after reviewing this information you have further questions or persistent issues, and do not wish to follow up on the Developer Forums, please reply to this email and we will re-open this support inquiry, re-debiting a Technical Support Incident (TSI) if appropriate to do so.

After some digging, I decided to migrate from altool to notarytool and the result is the error message at the top of this ticket.

Understanding Provisioning Profiles

Just for the reference, some information about provisioning profiles.
Here are different profiles explained.
For our use-case, it seems that the AdHoc profile might be the way to go.

ChatGPT spits out those references:

Development Provisioning Profile:
Apple Developer Documentation: https://developer.apple.com/documentation/xcode/understanding-and-creating-provisioning-profiles

Ad Hoc Provisioning Profile:
Apple Developer Documentation: https://developer.apple.com/documentation/xcode/distributing-your-app-for-beta-testing

Distribution Provisioning Profile:
Apple Developer Documentation: https://developer.apple.com/documentation/appstoreconnectapi/profiles

Relevant information nuggets:

Collaborator Author

k9ert commented Jul 21, 2023

I have some intermediate result. Several issues got mixed here:

  • It seems that there is something like an "entitlement threshold". In our case, we added a URI-Handler (specter://...) to the entitlements. So removing it fixed the issue on the old Intel-based machine. This makes sense to me even without finding documentation describing it.
  • However, it now crashes on the M2 machine, which is unfortunate as all modern machines are no longer Intel-based.

So at least we can release again. We'll pick up the URL-Handler later and also the crash on M2.

@k9ert k9ert closed this as completed Jul 21, 2023
@k9ert k9ert reopened this Apr 17, 2024
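
The thread shows three separate observations: a trusted signature chain (pkgutil), Gatekeeper acceptance (spctl), and a launch-time denial in the logs. The following is an added example, not part of the issue or the project's build scripts, that classifies captured output of those commands to show which layer refused the launch. The function names, the reference-time argument and the log-line prefix are assumptions made for the example.

```shell
# Added example: classify a killed launch from captured command output.
# Sample text is trimmed from the outputs quoted in the issue; the log line
# prefix and the reference time are constructed for this example.
PKG_OUT='   Status: signed by a certificate trusted by macOS
       Expires: 2026-09-11 11:59:39 +0000
       Expires: 2027-02-01 22:12:15 +0000
       Expires: 2035-02-09 21:40:36 +0000'
SPCTL_OUT='./pyinstaller/electron/dist/mac-arm64/Specter.app: accepted
source=Notarized Developer ID'
LOG_OUT='constructed-prefix: Disallowing solutions.specter.desktop because no eligible provisioning profiles found'

# True if pkgutil reported a trusted chain and no certificate in it expires
# before $2 (UTC "YYYY-MM-DD HH:MM:SS", which orders correctly as a string).
chain_ok() {
    printf '%s\n' "$1" | awk -v now="$2" '
        /Status: signed by a certificate trusted by macOS/ { trusted = 1 }
        $1 == "Expires:" && (($2 " " $3) < now)            { expired = 1 }
        END { exit !(trusted && !expired) }'
}

# True if spctl accepted the bundle as a notarized Developer ID build.
gatekeeper_ok() {
    printf '%s\n' "$1" | grep -q ': accepted$' &&
        printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID$'
}

# Print each bundle identifier that was refused for lack of a profile.
denied_ids() {
    printf '%s\n' "$1" |
        sed -n 's/.*Disallowing \([^ ]*\) because no eligible provisioning profiles found.*/\1/p' |
        sort -u
}

# $1 pkgutil output, $2 spctl output, $3 log text, $4 reference time (UTC)
triage() {
    ids=$(denied_ids "$3")
    if ! chain_ok "$1" "$4"; then
        echo "signature: chain untrusted or expired"
    elif ! gatekeeper_ok "$2"; then
        echo "gatekeeper: not accepted as Notarized Developer ID"
    elif [ -n "$ids" ]; then
        echo "launch-policy: $ids denied, signature and notarization pass"
    else
        echo "no finding in captured output"
    fi
}

triage "$PKG_OUT" "$SPCTL_OUT" "$LOG_OUT" "2023-07-20 00:00:00"
```

On a real machine the three arguments would be the captured output of the pkgutil and spctl commands shown in the issue and the relevant system log text.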