Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Instructions for producing a signed app #64

Open
isoboroff opened this issue Jan 13, 2022 · 6 comments
Open

Instructions for producing a signed app #64

isoboroff opened this issue Jan 13, 2022 · 6 comments

Comments

@isoboroff
Copy link

The README says that code sign instructions are coming soon. Even a pointer to what you have to set up and pass to the go run ./cmd/emacs-builder package would be great!

I'm building on an M1 machine, otherwise I would slack off and use the Homebrew cask.

@jimeh
Copy link
Owner

jimeh commented Jan 13, 2022

Apologies, I haven't gotten around to properly documenting it. It's a bit involved, but below are some very brief instructions that hopefully will help.

First, you'll need a paid for Apple Developer account, with a application signing key available on your machine, and then set a few environment variables to relevant values, and run the emacsbuilder package command with the --sign flag.

You can view the help info for the package command by running go run ./cmd/emacs-builder package --help. The environment variables needed are AC_USERNAME, AC_PASSWORD, AC_PROVIDER, and AC_SIGN_IDENTITY. The help output has a brief description of each.

Then you should be able to sign, package and notarize a folder containing a Emacs.app bundle to a *.dmg by running:

go run ./cmd/emacs-builder package --sign /path/to/folder

If it helps, the relevant part in my GitHub Actions setup for nightly builds is here. The only thing the package command pulls out of the passed in build-plan.yml file is the source directory to package.

@isoboroff
Copy link
Author

Thanks. The symptom is that the app won't launch, and I get a crash report SIGKILL (Code Signature Invalid), so I can't even allow the app in the security and privacy settings.

@jimeh
Copy link
Owner

jimeh commented Jan 13, 2022

Right, yeah. It seems M1 machines refuse to run unsigned code altogether. On Intel-based Macs it seems to be aware of what binaries were built locally, so they're automatically trusted.

I don't have a M1 machine myself yet though, so my knowledge is mostly second hand right now.

@isoboroff
Copy link
Author

isoboroff commented Jan 13, 2022

Indeed running Contents/MacOS/bin/emacs from the command line also gets killed. However, a hand-coded hello-world.c compiled with /usr/bin/gcc works ok.

This article has a nice explanation: https://eclecticlight.co/2021/01/26/when-you-dont-have-permission-to-run-an-app-on-an-m1-mac/. And links to another of the author's articles with a solution, https://eclecticlight.co/2019/01/17/code-signing-for-the-concerned-3-signing-an-app/. If you do this:

    codesign --force --deep -s - Emacs.app

it will launch.

@ccqpein
Copy link

ccqpein commented Jan 28, 2023

@isoboroff @jimeh I just met the same issue yesterday, and I use the same command to fix the issue. Instead of manually codesigning the .app, is it possible that the script signs it for us?

@jimeh
Copy link
Owner

jimeh commented Nov 5, 2023

I had not realized ad-hoc signing without any paid developer certificates was possible. I'll have a look at automatically doing that on non-Intel Macs when I finally get an Apple Silicon machine later this month.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants