From 870f35254f080fe55216088dcbe46fa4ca225cfb Mon Sep 17 00:00:00 2001 From: liadomide Date: Tue, 18 Jul 2023 19:13:46 +0300 Subject: [PATCH 01/20] TVB-2417 Sign .app after generation --- tvb_build/conda_env_to_app.py | 86 +++++++++++++++++++++++++++-------- 1 file changed, 68 insertions(+), 18 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 3a351fdaa9..96b35cbe40 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -25,6 +25,7 @@ # """ +.. moduleauthor:: Lia Domide .. moduleauthor:: Bogdan Valean """ @@ -56,8 +57,8 @@ VERSION = TvbProfile.current.version.BASE_VERSION # Name of the app APP_NAME = "tvb-{}".format(VERSION) -# The website in reversered order (domain first, etc.) -IDENTIFIER = "org.thevirtualbrain" +# should match an Apple Developer defined identifier +IDENTIFIER = "ro.codemart.tvb" # The author of this package AUTHOR = "TVB Team" # Full path to the anaconda environment folder to package @@ -90,6 +91,8 @@ # Path to the icon of the app ICON_PATH = os.path.join(TVB_ROOT, "tvb_build", "icon.icns") +# Absolute path towards TVB license file, to be included in the .app +LICENSE_PATH = os.path.join(TVB_ROOT, "LICENSE") # The entry script of the application in the environment's bin folder ENTRY_SCRIPT = "-m tvb_bin.app" # Folder to place created APP and DMG in. @@ -157,7 +160,7 @@ def extra(): - fix_paths() + _fix_paths() def _find_and_replace(path, search, replace, exclusions=None): @@ -207,7 +210,7 @@ def _find_and_replace(path, search, replace, exclusions=None): stream.nextfile() -def replace_conda_abs_paths(): +def _replace_conda_abs_paths(): app_path = os.path.join(os.path.sep, 'Applications', APP_NAME + '.app', 'Contents', 'Resources') print('Replacing occurences of {} with {}'.format(CONDA_ENV_PATH, app_path)) _find_and_replace( 
@@ -219,8 +222,8 @@ def replace_conda_abs_paths(): def create_app(): - print("Output Dir {}".format(OUTPUT_FOLDER)) """ Create an app bundle """ + print("Output Dir {}".format(OUTPUT_FOLDER)) if os.path.exists(APP_FILE): shutil.rmtree(APP_FILE) @@ -228,11 +231,11 @@ def create_app(): print("\n++++++++++++++++++++++++ Creating APP +++++++++++++++++++++++++++") start_t = time.time() - create_app_structure() - copy_anaconda_env() + _create_app_structure() + _copy_anaconda_env() if ICON_FILE: - copy_icon() - create_plist() + _copy_icon_and_license() + _create_plist() # Do some package specific stuff, which is defined in the extra() function # in settings.py (and was imported at the top of this module) @@ -240,12 +243,14 @@ def create_app(): print("Performing application specific actions.") extra() - replace_conda_abs_paths() + _replace_conda_abs_paths() print("============ APP CREATION FINISHED in {} seconds ====================".format(int(time.time() - start_t))) + _sign_app() -def create_app_structure(): + +def _create_app_structure(): """ Create folder structure comprising a Mac app """ print("Creating app structure") try: @@ -272,7 +277,7 @@ def create_app_structure(): stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH) -def copy_anaconda_env(): +def _copy_anaconda_env(): """ Copy anaconda environment """ print("Copying Anaconda environment (this may take a while)") try: @@ -310,7 +315,7 @@ def copy_anaconda_env(): logger.error("WARNING: could not delete {}".format(item)) -def copy_icon(): +def _copy_icon_and_license(): """ Copy icon to Resources folder """ global ICON_PATH print("Copying icon file") 
@@ -319,8 +324,18 @@ def copy_icon(): except OSError as e: logger("Error copying icon file from: {}".format(ICON_PATH)) + global LICENSE_PATH + print("Copying license file") + try: + unnecessary_file = os.path.join(RESOURCE_DIR, "LICENSE.txt") + if os.path.exists(unnecessary_file): + os.remove(unnecessary_file) + shutil.copy(LICENSE_PATH, RESOURCE_DIR) + except OSError as e: + logger("Error copying license file from: {}".format(LICENSE_PATH)) + -def create_plist(): +def _create_plist(): print("Creating Info.plist") global ICON_FILE @@ -341,7 +356,7 @@ def create_plist(): 'CFBundlePackageType': 'APPL', 'CFBundleVersion': LONG_VERSION, 'CFBundleShortVersionString': VERSION, - 'CFBundleSignature': '????', + 'CFBundleSignature': '????', # ok not to be setup 'LSMinimumSystemVersion': '10.7.0', 'LSUIElement': False, 'NSAppTransportSecurity': {'NSAllowsArbitraryLoads': True}, 
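Review bot: The new license-copy handler calls `logger("Error copying license file from: ...")` as if `logger` were a function, so an OSError from `shutil.copy` is replaced by a TypeError raised inside the `except` block (elsewhere in this diff the same object is used as `logger.error(...)` and `logger.exception(...)`, so it is a Logger instance). Change it to `logger.error("Error copying license file from: {}".format(LICENSE_PATH))`; the icon branch just above in the same function has the same call. The unused `as e` binding on both `except` lines can go at the same time.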
@@ -366,6 +381,41 @@ def create_plist(): plistlib.dump(info_plist_data, fp) +def _sign_app(app_path=APP_FILE, dev_identity="45B62762F61B4B4544A125C0EC9CE9D562B25942"): + """ + Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. + The identity needs to show when executing command "security find-identity" + """ + print(f"Preparing to sign: {app_path} with {dev_identity}") + # Create app.entitlements file with the application allowed security allowed points + ent_file = "app.entitlements" + if os.path.exists(ent_file): + os.remove(ent_file) + with open(ent_file, 'w') as fp: + fp.write(""" + + + + + com.apple.security.app-sandbox + + com.apple.security.network.client + + com.apple.security.network.server + + + + """) + + # Uncomment the following 2 commands if needed for debug purposes + # subprocess.Popen(["security", "find-identity"], shell=False).communicate() + subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", "--entitlements", "app.entitlements", app_path], shell=False).communicate() + # subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate() + + if os.path.exists(ent_file): + os.remove(ent_file) + + def create_dmg(): """ Create a dmg of the app """ @@ -411,7 +461,7 @@ def create_dmg(): dmg_config['icon_locations'] = DMG_ICON_LOCATIONS dmg_config['window_rect'] = DMG_WINDOW_RECT - write_vars_to_file(dmgbuild_config_file, dmg_config) + _write_vars_to_file(dmgbuild_config_file, dmg_config) print("Copying files to DMG and compressing it. Please wait.") dmgbuild.build_dmg(dmg_file, APP_NAME, settings_file=dmgbuild_config_file) @@ -419,7 +469,7 @@ def create_dmg(): os.remove(dmgbuild_config_file) -def write_vars_to_file(file_path, var_dict): +def _write_vars_to_file(file_path, var_dict): with open(file_path, 'w') as fp: fp.write("# -*- coding: utf-8 -*-\n") fp.write("from __future__ import unicode_literals\n\n") 
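Review bot: `_sign_app` never reads the exit status of `codesign`: `subprocess.Popen(...).communicate()` returns the output tuple and discards `returncode`, so a failed signature (wrong identity, locked keychain, bad entitlements) leaves an unsigned bundle while `create_app` continues as if it had succeeded. Use `subprocess.run([...], check=True)` for the `codesign` call so a non-zero status raises `CalledProcessError`, and do the same for the `spctl` check when it is enabled. The default `dev_identity="45B62762F61B4B4544A125C0EC9CE9D562B25942"` also ties the script to one machine's certificate; a default of `None` with the value supplied by the caller or the environment keeps the source machine-independent.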
@@ -431,7 +481,7 @@ def write_vars_to_file(file_path, var_dict): fp.write('{} = {}\n'.format(var, value)) -def fix_paths(): +def _fix_paths(): kernel_json = os.path.join( RESOURCE_DIR, 'share', 'jupyter', 'kernels', 'python3', 'kernel.json') if os.path.exists(kernel_json): From 02deae4d0e15912afefcdfd5ee4c1645c6ae7d27 Mon Sep 17 00:00:00 2001 From: liadomide Date: Tue, 18 Jul 2023 23:17:52 +0300 Subject: [PATCH 02/20] TVB-2417 Keep the signing identity in an env variable to be shielded --- tvb_build/conda_env_to_app.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 96b35cbe40..1bae756fcf 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -59,6 +59,8 @@ APP_NAME = "tvb-{}".format(VERSION) # should match an Apple Developer defined identifier IDENTIFIER = "ro.codemart.tvb" +# KEY for the ENV variable where we expect the signing identity to be defined +KEY_SIGN_IDENTITY = "SIGN_APP_IDENTITY" # The author of this package AUTHOR = "TVB Team" # Full path to the anaconda environment folder to package @@ -381,11 +383,14 @@ def _create_plist(): plistlib.dump(info_plist_data, fp) -def _sign_app(app_path=APP_FILE, dev_identity="45B62762F61B4B4544A125C0EC9CE9D562B25942"): +def _sign_app(app_path=APP_FILE): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity needs to show when executing command "security find-identity" """ + if KEY_SIGN_IDENTITY not in os.environ: + print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} variable is not in ENV defined!!") + dev_identity = os.environ.get(KEY_SIGN_IDENTITY) print(f"Preparing to sign: {app_path} with {dev_identity}") # Create app.entitlements file with the application allowed security allowed points ent_file = "app.entitlements" 
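Review bot: The `if KEY_SIGN_IDENTITY not in os.environ:` branch prints a warning but does not leave the function, so `dev_identity` is `None` and `subprocess.Popen(["codesign", "-s", dev_identity, ...])` then fails with a TypeError because `None` is not a valid argv element. Add `return` after the `print` (or raise) so an unsigned build is reported deliberately instead of through a traceback from Popen. The same missing `return` carries into the `KEY_MAC_PWD` check of PATCH 03 (its `@@ -388` hunk, where `mac_pwd` becomes `None` the same way) and into PATCH 07's `@@ -388` hunk.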
@@ -407,10 +412,10 @@ def _sign_app(app_path=APP_FILE, dev_identity="45B62762F61B4B4544A125C0EC9CE9D56 """) - # Uncomment the following 2 commands if needed for debug purposes + # Uncomment the following command if needed for debug purposes # subprocess.Popen(["security", "find-identity"], shell=False).communicate() subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", "--entitlements", "app.entitlements", app_path], shell=False).communicate() - # subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate() + subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate() if os.path.exists(ent_file): os.remove(ent_file) From 3185e664dbac09bcd61b54df3142b980c2aa5b6d Mon Sep 17 00:00:00 2001 From: liadomide Date: Wed, 19 Jul 2023 13:27:24 +0300 Subject: [PATCH 03/20] TVB-2417 Add keychain unlock step --- tvb_build/conda_env_to_app.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 1bae756fcf..4a761360a8 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -59,8 +59,9 @@ APP_NAME = "tvb-{}".format(VERSION) # should match an Apple Developer defined identifier IDENTIFIER = "ro.codemart.tvb" -# KEY for the ENV variable where we expect the signing identity to be defined +# KEYs for the ENV variable where we expect the signing identity to be defined KEY_SIGN_IDENTITY = "SIGN_APP_IDENTITY" +KEY_MAC_PWD = "MAC_PASSWORD" # The author of this package AUTHOR = "TVB Team" # Full path to the anaconda environment folder to package 
@@ -388,9 +389,11 @@ def _sign_app(app_path=APP_FILE): Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity needs to show when executing command "security find-identity" """ - if KEY_SIGN_IDENTITY not in os.environ: - print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} variable is not in ENV defined!!") + if KEY_SIGN_IDENTITY not in os.environ or KEY_MAC_PWD not in os.environ: + print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and " + f"{KEY_MAC_PWD} variables are not in ENV!!") dev_identity = os.environ.get(KEY_SIGN_IDENTITY) + mac_pwd = os.environ.get(KEY_MAC_PWD) print(f"Preparing to sign: {app_path} with {dev_identity}") # Create app.entitlements file with the application allowed security allowed points ent_file = "app.entitlements" @@ -412,9 +415,12 @@ def _sign_app(app_path=APP_FILE): """) - # Uncomment the following command if needed for debug purposes - # subprocess.Popen(["security", "find-identity"], shell=False).communicate() - subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", "--entitlements", "app.entitlements", app_path], shell=False).communicate() + # Some of the following command are just for debug purposes. Codesign is the critical one! + subprocess.Popen(["security", "find-identity"], shell=False).communicate() + subprocess.Popen(["security", "unlock-keychain", "-p", mac_pwd, + "/Users/tvb/Library/Keychains/login.keychain"], shell=False).communicate() + subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", + "--entitlements", "app.entitlements", app_path], shell=False).communicate() subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate() if os.path.exists(ent_file): From bc09a613709f11600326d333cb07fcadbb5eb254 Mon Sep 17 00:00:00 2001 
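Review bot: The keychain password is handed to `security unlock-keychain -p` as a command-line argument, which makes it readable by any local user through the process list while the command runs, and the hard-coded `/Users/tvb/Library/Keychains/login.keychain` ties the script to one account. Use `os.path.expanduser("~/Library/Keychains/login.keychain")` for the path, and if the build host is shared, have the CI job unlock the keychain in its own step rather than passing the secret through this script's argv. The unlock's exit status is also never checked, so when it fails `codesign` still runs and the failure is visible only in the console output.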
From: liadomide Date: Thu, 20 Jul 2023 20:29:30 +0300 Subject: [PATCH 04/20] TVB-2417 Use os.system to allow chain or commands --- tvb_build/conda_env_to_app.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 4a761360a8..50e37fe439 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -416,13 +416,11 @@ def _sign_app(app_path=APP_FILE): """) # Some of the following command are just for debug purposes. Codesign is the critical one! - subprocess.Popen(["security", "find-identity"], shell=False).communicate() - subprocess.Popen(["security", "unlock-keychain", "-p", mac_pwd, - "/Users/tvb/Library/Keychains/login.keychain"], shell=False).communicate() - subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", - "--entitlements", "app.entitlements", app_path], shell=False).communicate() - subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate() - + command = f"security find-identity && " \ + f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ + f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements {app_path} && " \ + f"spctl -a -t exec -vv {app_path}" + os.system(command) if os.path.exists(ent_file): os.remove(ent_file) From 0377056f9238a87fe7e99c289bd741d6a92d3679 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 20 Jul 2023 23:28:14 +0300 Subject: [PATCH 05/20] TVB-2417 Use os.system to allow chain of commands --- tvb_build/conda_env_to_app.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 50e37fe439..f846f946c1 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py 
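Review bot: Switching to `os.system` builds a shell command from `mac_pwd`, `dev_identity` and `app_path` without any quoting, so a space, quote, `$` or `&` in the password or the path either breaks the chain or is interpreted by the shell, and the password now also travels through a `sh -c` string. If a shell chain is really needed, wrap every interpolated value with `shlex.quote(...)` (stdlib) and test the result: `if os.system(command) != 0: raise RuntimeError("signing failed")`. Otherwise keep the argv-list form and call the commands one after another with `subprocess.run(..., check=True)`, which gives the same stop-on-failure semantics as `&&`. The unquoted `{mac_pwd}` interpolation remains in PATCH 05 (`@@ -418`), PATCH 06 (`@@ -416`), PATCH 07 (`@@ -415`) and in the `prefix` built in PATCH 09.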
@@ -418,8 +418,9 @@ def _sign_app(app_path=APP_FILE): # Some of the following command are just for debug purposes. Codesign is the critical one! command = f"security find-identity && " \ f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ - f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements {app_path} && " \ - f"spctl -a -t exec -vv {app_path}" + f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}' && " \ + f"spctl -a -t exec -vv '{app_path}'" + print(command) os.system(command) if os.path.exists(ent_file): os.remove(ent_file) From 6955d9075b0a2431a6828b2c275528eed481b5ef Mon Sep 17 00:00:00 2001 From: liadomide Date: Fri, 21 Jul 2023 10:46:51 +0300 Subject: [PATCH 06/20] TVB-2417 Only sign the .app after all sources are inside --- tvb_build/conda_env_to_app.py | 9 ++++----- tvb_build/setup_mac.py | 3 ++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index f846f946c1..153cc1304f 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -250,8 +250,6 @@ def create_app(): print("============ APP CREATION FINISHED in {} seconds ====================".format(int(time.time() - start_t))) - _sign_app() - def _create_app_structure(): """ Create folder structure comprising a Mac app """ @@ -384,7 +382,7 @@ def _create_plist(): plistlib.dump(info_plist_data, fp) -def _sign_app(app_path=APP_FILE): +def sign_app(app_path=APP_FILE): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity needs to show when executing command "security find-identity" 
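Review bot: `print(command)` writes the full shell line, including the keychain password interpolated from `MAC_PASSWORD`, to the build's stdout, where a CI system keeps it in the job log for anyone who can read the console. Print a redacted form, e.g. `print(command.replace(mac_pwd, "****"))`, or log only the `codesign` and `spctl` parts. The quoting added here covers `'{app_path}'` and `'{dev_identity}'` but still not `{mac_pwd}`.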
@@ -416,11 +414,12 @@ def _sign_app(app_path=APP_FILE): """) # Some of the following command are just for debug purposes. Codesign is the critical one! + # we also need for over SSH run to unlock the keychain, otherwise we can not sign command = f"security find-identity && " \ f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ - f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}' && " \ + f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}'&&" \ f"spctl -a -t exec -vv '{app_path}'" - print(command) + os.system(command) if os.path.exists(ent_file): os.remove(ent_file) diff --git a/tvb_build/setup_mac.py b/tvb_build/setup_mac.py index b41e326725..d90971483c 100644 --- a/tvb_build/setup_mac.py +++ b/tvb_build/setup_mac.py @@ -40,7 +40,7 @@ import tvb_bin from glob import glob from zipfile import ZipFile, ZIP_DEFLATED -from conda_env_to_app import create_app, create_dmg, APP_NAME +from conda_env_to_app import create_app, create_dmg, APP_NAME, sign_app from tvb.basic.profile import TvbProfile from tvb.basic.config.environment import Environment from tvb_build.third_party_licenses.build_licenses import generate_artefact @@ -199,6 +199,7 @@ def _generate_distribution(final_name, library_path, version, extra_licensing_ch online_help_dst = os.path.join(library_abs_path, "tvb", "interfaces", "web", "static", "help") print("- Moving " + online_help_src + " to " + online_help_dst) os.rename(online_help_src, online_help_dst) + sign_app() create_dmg() print("- Cleaning up non-required files...") From e86ff0bf9142b6c829eac9f58c5c9b17f221c935 Mon Sep 17 00:00:00 2001 From: liadomide Date: Fri, 21 Jul 2023 12:54:53 +0300 Subject: [PATCH 07/20] TVB-2417 Cosmetics in logs --- tvb_build/conda_env_to_app.py | 83 +++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 39 deletions(-) 
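Review bot: In the `setup_mac.py` `@@ -199` hunk, `sign_app()` reports nothing to its caller, so `_generate_distribution` goes on to `create_dmg()` whether signing succeeded, was skipped because the environment variables are missing, or failed. Having `sign_app` return a boolean (or raise on a non-zero `codesign` status) and checking it here — `if not sign_app(): raise RuntimeError("app signing failed")` — would stop an unsigned bundle from being packaged silently. The bundle must also stay untouched after this call: the "Cleaning up non-required files..." step that follows `create_dmg()` would invalidate the seal if it removes anything under the `.app`, which is worth confirming against that code (outside the hunk).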
diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 153cc1304f..6280e74312 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -162,6 +162,13 @@ DMG_ICON_SIZE = 80 +def _log(msg, indent=1): + if indent == 1: + print(" - ", msg) + else: + print(" " * indent, msg) + + def extra(): _fix_paths() @@ -215,7 +222,7 @@ def _find_and_replace(path, search, replace, exclusions=None): def _replace_conda_abs_paths(): app_path = os.path.join(os.path.sep, 'Applications', APP_NAME + '.app', 'Contents', 'Resources') - print('Replacing occurences of {} with {}'.format(CONDA_ENV_PATH, app_path)) + _log('Replacing occurences of {} with {}'.format(CONDA_ENV_PATH, app_path), 2) _find_and_replace( RESOURCE_DIR, CONDA_ENV_PATH, @@ -226,12 +233,12 @@ def _replace_conda_abs_paths(): def create_app(): """ Create an app bundle """ - print("Output Dir {}".format(OUTPUT_FOLDER)) + _log("Output Dir {}".format(OUTPUT_FOLDER), 2) if os.path.exists(APP_FILE): shutil.rmtree(APP_FILE) - print("\n++++++++++++++++++++++++ Creating APP +++++++++++++++++++++++++++") + _log("Creating APP ", 1) start_t = time.time() _create_app_structure() 
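Review bot: `_log` has no docstring and its two branches are easy to misread: `indent=1` yields a ` - ` bullet while any other value yields that many spaces. Add `"""Print one build-progress line; indent=1 prefixes ' - ', any other value prefixes that many spaces."""` and consider collapsing the body to `print(" - " if indent == 1 else " " * indent, msg)` so the prefix rule lives in one expression.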
@@ -243,24 +250,24 @@ def create_app(): # Do some package specific stuff, which is defined in the extra() function # in settings.py (and was imported at the top of this module) if "extra" in globals() and callable(extra): - print("Performing application specific actions.") + _log("Performing application specific actions.", 2) extra() _replace_conda_abs_paths() - print("============ APP CREATION FINISHED in {} seconds ====================".format(int(time.time() - start_t))) + _log("APP creation finished in {} seconds".format(int(time.time() - start_t)), 2) def _create_app_structure(): """ Create folder structure comprising a Mac app """ - print("Creating app structure") + _log("Creating app structure", 2) try: os.makedirs(MACOS_DIR) except OSError as e: - print('Could not create app structure: {}'.format(e)) + _log('!!!Could not create app structure: {}'.format(e)) sys.exit(1) - print("Creating app entry script") + _log("Creating app entry script", 2) with open(APP_SCRIPT, 'w') as fp: # Write the contents try: @@ -268,7 +275,7 @@ def _create_app_structure(): "script_dir=$(dirname \"$(dirname \"$0\")\")\n" "$script_dir/Resources/bin/python " "{} $@".format(ENTRY_SCRIPT)) - except IOError as e: + except IOError: logger.exception("Could not create Contents/OpenSesame script") sys.exit(1) @@ -280,7 +287,7 @@ def _create_app_structure(): def _copy_anaconda_env(): """ Copy anaconda environment """ - print("Copying Anaconda environment (this may take a while)") + _log("Copying Anaconda environment (this may take a while)", 2) try: if "CONDA_FOLDERS" in globals(): # IF conda folders is specified, copy only those folders. 
@@ -312,32 +319,32 @@ def _copy_anaconda_env(): os.remove(item) else: logger.warning("File not found: {}".format(item)) - except (IOError, OSError) as e: + except (IOError, OSError): logger.error("WARNING: could not delete {}".format(item)) def _copy_icon_and_license(): """ Copy icon to Resources folder """ global ICON_PATH - print("Copying icon file") + _log("Copying icon file", 2) try: shutil.copy(ICON_PATH, os.path.join(RESOURCE_DIR, ICON_FILE)) - except OSError as e: - logger("Error copying icon file from: {}".format(ICON_PATH)) + except OSError: + logger.error("Error copying icon file from: {}".format(ICON_PATH)) global LICENSE_PATH - print("Copying license file") + _log("Copying license file", 2) try: unnecessary_file = os.path.join(RESOURCE_DIR, "LICENSE.txt") if os.path.exists(unnecessary_file): os.remove(unnecessary_file) shutil.copy(LICENSE_PATH, RESOURCE_DIR) - except OSError as e: - logger("Error copying license file from: {}".format(LICENSE_PATH)) + except OSError: + logger.error("Error copying license file from: {}".format(LICENSE_PATH)) def _create_plist(): - print("Creating Info.plist") + _log("Creating Info.plist", 2) global ICON_FILE global VERSION 
@@ -388,11 +395,12 @@ def sign_app(app_path=APP_FILE): The identity needs to show when executing command "security find-identity" """ if KEY_SIGN_IDENTITY not in os.environ or KEY_MAC_PWD not in os.environ: - print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and " - f"{KEY_MAC_PWD} variables are not in ENV!!") + _log(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and " + f"{KEY_MAC_PWD} variables are not in ENV!!") dev_identity = os.environ.get(KEY_SIGN_IDENTITY) mac_pwd = os.environ.get(KEY_MAC_PWD) - print(f"Preparing to sign: {app_path} with {dev_identity}") + _log(f"Preparing to sign: {app_path} with {dev_identity}") + # Create app.entitlements file with the application allowed security allowed points ent_file = "app.entitlements" if os.path.exists(ent_file): @@ -415,12 +423,12 @@ def sign_app(app_path=APP_FILE): # Some of the following command are just for debug purposes. Codesign is the critical one! # we also need for over SSH run to unlock the keychain, otherwise we can not sign - command = f"security find-identity && " \ - f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ - f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}'&&" \ - f"spctl -a -t exec -vv '{app_path}'" - + command = f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ + f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}'" + os.system(f"security find-identity") os.system(command) + os.system(f"spctl -a -t exec -vv '{app_path}'") + os.system(f"codesign --verify --verbose=4 '{app_path}'") if os.path.exists(ent_file): os.remove(ent_file) 
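Review bot: `os.system(f"security find-identity")` is an f-string with no placeholders; drop the `f` prefix. The `codesign --verify --verbose=4` and `spctl -a -t exec -vv` calls added here are diagnostics whose exit status is discarded, so they only help someone reading the log; reading the status, `if os.system(f"codesign --verify --verbose=4 '{app_path}'") != 0: raise RuntimeError("signature verification failed")`, would turn the check into a gate before the DMG is built.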
@@ -438,7 +446,7 @@ def create_dmg(): if os.path.exists(dmg_file): os.remove(dmg_file) - print("\n+++++++++++++++++++++ Creating DMG from app +++++++++++++++++++++++") + _log("Creating DMG from app...") # Get file size of APP app_size = subprocess.check_output( @@ -449,11 +457,10 @@ def create_dmg(): # Add a bit of extra to the disk image size app_size = str(float(size) * 1.25) + unit - print("Creating disk image of {}".format(app_size)) + _log("Creating disk image of {}".format(app_size), 2) # Create a dmgbuild config file in same folder as - dmgbuild_config_file = os.path.join(os.getcwd(), - 'dmgbuild_settings.py') + dmgbuild_config_file = os.path.join(os.getcwd(), 'dmgbuild_settings.py') dmg_config = { 'filename': dmg_file, @@ -471,10 +478,9 @@ def create_dmg(): dmg_config['window_rect'] = DMG_WINDOW_RECT _write_vars_to_file(dmgbuild_config_file, dmg_config) - print("Copying files to DMG and compressing it. Please wait.") + _log("Copying files to DMG and compressing it. Please wait...", 2) dmgbuild.build_dmg(dmg_file, APP_NAME, settings_file=dmgbuild_config_file) - - # Clean up! + _log("Clean up!", 2) os.remove(dmgbuild_config_file) @@ -491,15 +497,14 @@ def _write_vars_to_file(file_path, var_dict): def _fix_paths(): - kernel_json = os.path.join( - RESOURCE_DIR, 'share', 'jupyter', 'kernels', 'python3', 'kernel.json') + kernel_json = os.path.join(RESOURCE_DIR, 'share', 'jupyter', 'kernels', 'python3', 'kernel.json') if os.path.exists(kernel_json): - print('Fixing kernel.json') + _log('Fixing kernel.json', 2) with open(kernel_json, 'r') as fp: - kernelCfg = json.load(fp) - kernelCfg['argv'][0] = 'python' + kernel_cfg = json.load(fp) + kernel_cfg['argv'][0] = 'python' with open(kernel_json, 'w+') as fp: - json.dump(kernelCfg, fp) + json.dump(kernel_cfg, fp) if __name__ == "__main__": From 16d48f4a4e471f1e6bf504e05a2ea7f604da5b7a Mon Sep 17 00:00:00 2001 
From: liadomide Date: Wed, 26 Jul 2023 17:39:48 +0300 Subject: [PATCH 08/20] TVB-2417 Extract app.entitlements in a dedicated file instead of creating it in code --- tvb_build/app.entitlements | 20 ++++++++++++++++++++ tvb_build/conda_env_to_app.py | 27 ++++----------------------- 2 files changed, 24 insertions(+), 23 deletions(-) create mode 100644 tvb_build/app.entitlements diff --git a/tvb_build/app.entitlements b/tvb_build/app.entitlements new file mode 100644 index 0000000000..ad6de2ba90 --- /dev/null +++ b/tvb_build/app.entitlements @@ -0,0 +1,20 @@ + + + + + com.apple.security.app-sandbox + + com.apple.security.network.client + + com.apple.security.network.server + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + \ No newline at end of file diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 6280e74312..0b8d0062a9 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -389,7 +389,7 @@ def _create_plist(): plistlib.dump(info_plist_data, fp) -def sign_app(app_path=APP_FILE): +def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), ent_file="app.entitlements"): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity needs to show when executing command "security find-identity" 
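Review bot: The entitlements file enables `com.apple.security.cs.allow-jit`, `com.apple.security.cs.allow-unsigned-executable-memory`, `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation`, each of which opts the hardened runtime requested by `-o runtime` out of one protection; the last two let the process load libraries not signed by the same team and be influenced by `DYLD_*` variables. None of the keys says why the bundled Python needs it; add an XML comment per key (e.g. `<!-- needed for: ... -->`) and drop any key that was only added while debugging. The element values are not visible in this extraction, so confirm each one is deliberately `<true/>`. The file also ends without a newline.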
@@ -397,30 +397,11 @@ def sign_app(app_path=APP_FILE): if KEY_SIGN_IDENTITY not in os.environ or KEY_MAC_PWD not in os.environ: _log(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and " f"{KEY_MAC_PWD} variables are not in ENV!!") + return dev_identity = os.environ.get(KEY_SIGN_IDENTITY) mac_pwd = os.environ.get(KEY_MAC_PWD) _log(f"Preparing to sign: {app_path} with {dev_identity}") - # Create app.entitlements file with the application allowed security allowed points - ent_file = "app.entitlements" - if os.path.exists(ent_file): - os.remove(ent_file) - with open(ent_file, 'w') as fp: - fp.write(""" - - - - - com.apple.security.app-sandbox - - com.apple.security.network.client - - com.apple.security.network.server - - - - """) - # Some of the following command are just for debug purposes. Codesign is the critical one! # we also need for over SSH run to unlock the keychain, otherwise we can not sign command = f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ @@ -429,8 +410,8 @@ def sign_app(app_path=APP_FILE): os.system(command) os.system(f"spctl -a -t exec -vv '{app_path}'") os.system(f"codesign --verify --verbose=4 '{app_path}'") - if os.path.exists(ent_file): - os.remove(ent_file) + os.system(f"/usr/bin/ditto -c -k --keepParent '{app_path}' '{app_zip_path}'") + # os.system(f"xcrun notarytool submit '{app_zip_path}' --keychain-profile tvb --wait --webhook 'https://example.com/notarization'") def create_dmg(): From cf2b4ee23aac051022dd0f40bc2b16fe26739724 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 13:13:30 +0300 Subject: [PATCH 09/20] TVB-2417 Recursively sign inside .APP the binary files --- tvb_build/conda_env_to_app.py | 62 ++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 8 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 0b8d0062a9..2851e6c266 100644 --- a/tvb_build/conda_env_to_app.py 
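Review bot: `ent_file="app.entitlements"` in the new `sign_app` signature (its `def` line is on the previous source line) is resolved relative to the current working directory, so the file is only found when the build is launched from the directory that holds it, whereas the rest of this module anchors resources on `TVB_ROOT` (`ICON_PATH`, `LICENSE_PATH`). Define `ENTITLEMENTS_PATH = os.path.join(TVB_ROOT, "tvb_build", "app.entitlements")` beside those constants and use it as the default; the `tvb_build/app.entitlements` default introduced in PATCH 11 (`@@ -408`) has the same dependency on the working directory. `app_zip_path` is likewise evaluated once at import time from `OUTPUT_FOLDER`, which is fine only as long as that constant is never reassigned — a short comment on the signature would make that explicit.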
+++ b/tvb_build/conda_env_to_app.py 
@@ -389,29 +389,74 @@ def _create_plist(): plistlib.dump(info_plist_data, fp) +excluded_parts = [".dist-info", "egg-info", "ignore", "COPYING", "Makefile", "README", "LICENSE", + "draft", ".prettierrc", "zoneinfo/", "_vendored"] + + +def _should_be_signed(current_path): + if os.path.islink(current_path) or os.path.isdir(current_path): + return False + file_ext = os.path.splitext(current_path)[1] + if file_ext in (".dylib", ".so"): + return True + if file_ext in ("", ".10", ".6", ".local"): + for excl in excluded_parts: + if excl in current_path: + return False + return os.system("file -b " + current_path + " | grep text > /dev/null") + return False + + +def _codesign_inside(root_path, command_prefix, dev_identity, ent_file): + for path_sufix in os.listdir(root_path): + current_path = os.path.join(root_path, path_sufix) + if _should_be_signed(current_path): + _log(f"Signing {current_path}", 2) + os.system(f"{command_prefix} codesign -s '{dev_identity}' -o runtime -f " + f"--timestamp --entitlements {ent_file} '{current_path}'") + if os.path.isdir(current_path) and not os.path.islink(current_path): + _codesign_inside(current_path, command_prefix, dev_identity, ent_file) + + def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), ent_file="app.entitlements"): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. - The identity needs to show when executing command "security find-identity" + The identity can be found through command "security find-identity". + + We expect these as ENV variables of Jenskins build machine: + - SIGN_APP_IDENTITY - to be found with `security find-identity` command + - MAC_PASSWORD """ if KEY_SIGN_IDENTITY not in os.environ or KEY_MAC_PWD not in os.environ: _log(f"!! 
We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and " f"{KEY_MAC_PWD} variables are not in ENV!!") return + dev_identity = os.environ.get(KEY_SIGN_IDENTITY) mac_pwd = os.environ.get(KEY_MAC_PWD) _log(f"Preparing to sign: {app_path} with {dev_identity}") - # Some of the following command are just for debug purposes. Codesign is the critical one! - # we also need for over SSH run to unlock the keychain, otherwise we can not sign - command = f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain && " \ - f"codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements app.entitlements '{app_path}'" - os.system(f"security find-identity") - os.system(command) + os.system(f"security find-identity") # for debug purposes only, to find the current installed keys on this machine + + # When executing signing over SSH (like Jenkins does), we first need to unclock the keychain + prefix = f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain &&" + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "bin"), prefix, dev_identity, ent_file) + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "sbin"), prefix, dev_identity, ent_file) + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "lib"), prefix, dev_identity, ent_file) + _log(f"Signing the main APP {app_path} with {ent_file}", 2) + os.system(f"{prefix} codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements {ent_file} '{app_path}'") + # Check the signing process os.system(f"spctl -a -t exec -vv '{app_path}'") os.system(f"codesign --verify --verbose=4 '{app_path}'") + _log(f"Compressing the main APP {app_path} into {app_zip_path}", 2) os.system(f"/usr/bin/ditto -c -k --keepParent '{app_path}' '{app_zip_path}'") - # os.system(f"xcrun notarytool submit '{app_zip_path}' --keychain-profile tvb --wait --webhook 'https://example.com/notarization'") + + # Storing credential has to me done once on 
the build machine before we can submit for notarization: + # xcrun notarytool store-credentials --apple-id {env.SIGN_APPLE_ID} --password {env.SIGN_APP_PASSWORD} --team-id {env.SIGN_TEAM_ID} --verbose --keychain-profile "tvb" + _log(f"Submitting for notarization {app_zip_path} ...") + os.system(f"xcrun notarytool submit '{app_zip_path}' --keychain-profile 'tvb' " + f"--wait --webhook 'https://example.com/notarization'") + # xcrun notarytool log --keychain-profile "tvb" {ID from submit command: 72c04616-8f6a-401d-94f5-c20d47e35138} errors.txt def create_dmg(): @@ -490,4 +535,5 @@ def _fix_paths(): if __name__ == "__main__": create_app() + sign_app() create_dmg() From df05b2ea8dbdbfb45d18b2d787a71795946294db Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 13:42:53 +0300 Subject: [PATCH 10/20] TVB-2417 Unlock keychain also before notarization --- tvb_build/conda_env_to_app.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 2851e6c266..4ef5f10284 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py 
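Review bot: `_should_be_signed` decides by shelling out with an unquoted path, `os.system("file -b " + current_path + " | grep text > /dev/null")`, and returns the raw wait status: a path containing a space or shell metacharacter breaks the pipeline, the resulting non-zero status is then read as "sign it", and callers receive `0`/`256` instead of a bool. Calling `file` through an argv list and testing its output removes both problems; the rewrite below keeps the same decision (sign when `file -b` does not mention "text"). `_codesign_inside` also re-runs `security unlock-keychain -p <password>` as the `command_prefix` for every single file, so the password passes through a shell string once per binary — unlocking once in `sign_app` before the walk is enough. `path_sufix` is misspelled (`path_suffix`) and the module-level `excluded_parts` is used as a constant, so `EXCLUDED_PARTS` would match the file's other constants.
```python
def _should_be_signed(current_path):
    """Return True when *current_path* is a regular, non-text file that needs its own signature."""
    if os.path.islink(current_path) or os.path.isdir(current_path):
        return False
    file_ext = os.path.splitext(current_path)[1]
    if file_ext in (".dylib", ".so"):
        return True
    if file_ext in ("", ".10", ".6", ".local"):
        if any(excl in current_path for excl in excluded_parts):
            return False
        # Ask file(1) through an argv list (no shell, so the path needs no quoting);
        # only files that file(1) does not describe as text are candidates.
        probe = subprocess.run(["file", "-b", current_path], capture_output=True, text=True)
        return "text" not in probe.stdout
    return False
```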
@@ -445,17 +445,19 @@ def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zi _codesign_inside(os.path.join(app_path, "Contents", "Resources", "lib"), prefix, dev_identity, ent_file) _log(f"Signing the main APP {app_path} with {ent_file}", 2) os.system(f"{prefix} codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements {ent_file} '{app_path}'") - # Check the signing process + # Check the signing results os.system(f"spctl -a -t exec -vv '{app_path}'") os.system(f"codesign --verify --verbose=4 '{app_path}'") + _log(f"Compressing the main APP {app_path} into {app_zip_path}", 2) os.system(f"/usr/bin/ditto -c -k --keepParent '{app_path}' '{app_zip_path}'") # Storing credential has to me done once on the build machine before we can submit for notarization: # xcrun notarytool store-credentials --apple-id {env.SIGN_APPLE_ID} --password {env.SIGN_APP_PASSWORD} --team-id {env.SIGN_TEAM_ID} --verbose --keychain-profile "tvb" _log(f"Submitting for notarization {app_zip_path} ...") - os.system(f"xcrun notarytool submit '{app_zip_path}' --keychain-profile 'tvb' " + os.system(f"{prefix} xcrun notarytool submit '{app_zip_path}' --keychain-profile 'tvb' " f"--wait --webhook 'https://example.com/notarization'") + os.system(f"spctl -a -t exec -vv '{app_path}'") # xcrun notarytool log --keychain-profile "tvb" {ID from submit command: 72c04616-8f6a-401d-94f5-c20d47e35138} errors.txt From a60563cbda0e3eddadca002055c095543cadbb0b Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 14:39:10 +0300 Subject: [PATCH 11/20] TVB-2417 Change entitlements path --- tvb_build/conda_env_to_app.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 4ef5f10284..baa42aca1c 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py 
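Review bot: Prepending `{prefix}` to the notarytool call is a second place where the keychain password is interpolated, unquoted, into a shell string run through `os.system()`, so the password is visible in `ps` and in any echoed command line, and any shell metacharacter in it (`&`, `$`, a space) breaks or rewrites the command. Unlock the keychain once, before the signing loop, with `subprocess.run(["security", "unlock-keychain", "-p", mac_pwd, keychain_path], check=True)` (argument list, no shell) and drop the prefix from the codesign and notarytool commands. The exit statuses of the submit and of the two verification commands are also discarded in this hunk, so a rejected notarization does not stop the build. The enclosing sign_app() continues outside the hunk.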
@@ -408,17 +408,17 @@ def _should_be_signed(current_path): def _codesign_inside(root_path, command_prefix, dev_identity, ent_file): + _log(f"Signing in folder {root_path}", 2) for path_sufix in os.listdir(root_path): current_path = os.path.join(root_path, path_sufix) if _should_be_signed(current_path): - _log(f"Signing {current_path}", 2) os.system(f"{command_prefix} codesign -s '{dev_identity}' -o runtime -f " f"--timestamp --entitlements {ent_file} '{current_path}'") if os.path.isdir(current_path) and not os.path.islink(current_path): _codesign_inside(current_path, command_prefix, dev_identity, ent_file) -def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), ent_file="app.entitlements"): +def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), ent_file="tvb_build/app.entitlements"): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity can be found through command "security find-identity". From 18004d1dba5a61d9fc0cb9d474a30f6bad6d6082 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 15:03:32 +0300 Subject: [PATCH 12/20] TVB-2417 Work on logging --- tvb_build/conda_env_to_app.py | 2 +- tvb_library/tvb/basic/profile.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index baa42aca1c..e6be3fa5f5 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -408,7 +408,7 @@ def _should_be_signed(current_path): def _codesign_inside(root_path, command_prefix, dev_identity, ent_file): - _log(f"Signing in folder {root_path}", 2) + # _log(f"Signing in folder {root_path}", 2) for path_sufix in os.listdir(root_path): current_path = os.path.join(root_path, path_sufix) if _should_be_signed(current_path): diff --git a/tvb_library/tvb/basic/profile.py b/tvb_library/tvb/basic/profile.py index 28ed84f208..3524485211 100644 
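Review bot: `_codesign_inside` ignores the exit status of every codesign call, so a nested binary that fails to sign (wrong identity, locked keychain, unsupported Mach-O) is skipped silently and the problem only surfaces later at notarization or Gatekeeper time. Capture the status and fail fast: `rc = os.system(...)` followed by `if rc != 0: raise RuntimeError(f"codesign failed ({rc}) for {current_path}")`. The new `ent_file` default `"tvb_build/app.entitlements"` is relative to the caller's CWD; since the module already has TVB_ROOT, anchor it there (a later commit in this series does exactly that). `_should_be_signed` and the rest of sign_app are outside the hunk.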
--- a/tvb_library/tvb/basic/profile.py +++ b/tvb_library/tvb/basic/profile.py @@ -99,7 +99,7 @@ def _build_profile_class(cls, selected_profile, in_operation=False, run_init=Tru else: msg = "Invalid profile name %r, expected one of %r" - msg %= (selected_profile, cls.ALL) + msg %= (selected_profile, cls.REGISTERED_PROFILES) raise Exception(msg) @classmethod From 7bf757c04c80f88060b1ace05c1f17ff41da3a68 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 15:09:22 +0300 Subject: [PATCH 13/20] TVB-2417 Cleanup AppZip after submit --- tvb_build/conda_env_to_app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index e6be3fa5f5..7b9cc840e1 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -459,6 +459,7 @@ def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zi f"--wait --webhook 'https://example.com/notarization'") os.system(f"spctl -a -t exec -vv '{app_path}'") # xcrun notarytool log --keychain-profile "tvb" {ID from submit command: 72c04616-8f6a-401d-94f5-c20d47e35138} errors.txt + os.remove(app_zip_path) def create_dmg(): From 5890c5f2bec6414af219b6979af1474d34393f49 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 22:56:55 +0300 Subject: [PATCH 14/20] TVB-2417 For the .APP to be able and use inside binary files, those need to be signed wih a different entitlements (without key com.apple.security.app-sandbox) --- tvb_build/app.inner.entitlements | 18 ++++++++++++++++++ tvb_build/conda_env_to_app.py | 13 +++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 tvb_build/app.inner.entitlements diff --git a/tvb_build/app.inner.entitlements b/tvb_build/app.inner.entitlements new file mode 100644 index 0000000000..2c6eebb31a --- /dev/null +++ b/tvb_build/app.inner.entitlements 
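Review bot: The added `os.remove(app_zip_path)` runs unconditionally after the notarytool submission, so the zip is deleted even when the submission failed — the exact artifact needed to re-submit or compare against `notarytool log` — and if the preceding ditto step failed there is no zip and this line raises FileNotFoundError at the very end of the build. Delete only after a successful submission, e.g. `rc = os.system(f"{prefix} xcrun notarytool submit ...")` and then `if rc == 0: os.remove(app_zip_path)`, leaving the file in OUTPUT_FOLDER for investigation otherwise. The enclosing sign_app() begins outside the hunk.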
@@ -0,0 +1,18 @@ + + + + + com.apple.security.network.client + + com.apple.security.network.server + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + \ No newline at end of file diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 7b9cc840e1..a10b8692eb 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -412,13 +412,15 @@ def _codesign_inside(root_path, command_prefix, dev_identity, ent_file): for path_sufix in os.listdir(root_path): current_path = os.path.join(root_path, path_sufix) if _should_be_signed(current_path): + # _log(f"Signing {current_path}", 2) os.system(f"{command_prefix} codesign -s '{dev_identity}' -o runtime -f " f"--timestamp --entitlements {ent_file} '{current_path}'") if os.path.isdir(current_path) and not os.path.islink(current_path): _codesign_inside(current_path, command_prefix, dev_identity, ent_file) -def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), ent_file="tvb_build/app.entitlements"): +def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zip"), + ent_file=os.path.join(TVB_ROOT, "tvb_build", "app.entitlements")): """ Sign a .APP file, with an Apple Developer Identity previously installed on the current machine. The identity can be found through command "security find-identity". 
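Review bot: `com.apple.security.cs.allow-dyld-environment-variables` together with `com.apple.security.cs.disable-library-validation` re-enables DYLD_INSERT_LIBRARIES injection and loading of dylibs signed by any team (or unsigned) into these hardened-runtime binaries, which removes most of the protection the hardened runtime and notarization are meant to give users. Each key in this plist deserves a one-line `<!-- why: ... -->` comment naming the library or failure that requires it, and keys without such a justification should be dropped — `disable-library-validation` first (a later commit in this series removes it), then `allow-dyld-environment-variables` and `allow-unsigned-executable-memory` unless a JIT or FFI dependency demonstrably needs them. If I read the commit message right, the app-sandbox key is deliberately omitted for these inner binaries; in that case the `network.client` / `network.server` keys are, as far as I know, sandbox-only and have no effect here — worth confirming and then either documenting or removing them.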
@@ -440,9 +442,12 @@ def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zi # When executing signing over SSH (like Jenkins does), we first need to unclock the keychain prefix = f"security unlock-keychain -p {mac_pwd} /Users/tvb/Library/Keychains/login.keychain &&" - _codesign_inside(os.path.join(app_path, "Contents", "Resources", "bin"), prefix, dev_identity, ent_file) - _codesign_inside(os.path.join(app_path, "Contents", "Resources", "sbin"), prefix, dev_identity, ent_file) - _codesign_inside(os.path.join(app_path, "Contents", "Resources", "lib"), prefix, dev_identity, ent_file) + # prefix = "" + # For inside binary files we need different entitlement set + inner_ent = os.path.join(TVB_ROOT, "tvb_build", "app.inner.entitlements") + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "bin"), prefix, dev_identity, inner_ent) + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "sbin"), prefix, dev_identity, inner_ent) + _codesign_inside(os.path.join(app_path, "Contents", "Resources", "lib"), prefix, dev_identity, inner_ent) _log(f"Signing the main APP {app_path} with {ent_file}", 2) os.system(f"{prefix} codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements {ent_file} '{app_path}'") # Check the signing results From 56ddf6288792f53d969dc63576e65a39829e4bb3 Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 23:03:22 +0300 Subject: [PATCH 15/20] TVB-2417 Add stapling step --- tvb_build/conda_env_to_app.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index a10b8692eb..422bfd87ab 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py 
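Review bot: The commented-out `# prefix = ""` left above the `inner_ent` assignment is dead debugging code that invites someone to flip it on and skip the keychain unlock; remove it, or turn it into a real switch (skip the unlock when `mac_pwd` is empty) with a comment saying why. The inner entitlements path is hard-coded while the outer `ent_file` is a parameter; for symmetry make it a keyword argument, `inner_ent_file=os.path.join(TVB_ROOT, "tvb_build", "app.inner.entitlements")`, and state in the sign_app docstring that nested Mach-O files get this reduced entitlement set because, as the commit message explains, the app-sandbox key must not be applied to them. sign_app() starts and ends outside this hunk.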
@@ -462,8 +462,10 @@ def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zi _log(f"Submitting for notarization {app_zip_path} ...") os.system(f"{prefix} xcrun notarytool submit '{app_zip_path}' --keychain-profile 'tvb' " f"--wait --webhook 'https://example.com/notarization'") - os.system(f"spctl -a -t exec -vv '{app_path}'") # xcrun notarytool log --keychain-profile "tvb" {ID from submit command: 72c04616-8f6a-401d-94f5-c20d47e35138} errors.txt + # Staple the notarization ticket and inspect status after + os.system(f"xcrun stapler staple '{app_path}'") + os.system(f"spctl -a -t exec -vv '{app_path}'") os.remove(app_zip_path) From 065b092c6e603116d451c37eb7b848b58428b13f Mon Sep 17 00:00:00 2001 From: liadomide Date: Thu, 27 Jul 2023 23:14:04 +0300 Subject: [PATCH 16/20] TVB-2417 Missed to have quotes arround the entitlements path --- tvb_build/conda_env_to_app.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py index 422bfd87ab..4375f845b7 100644 --- a/tvb_build/conda_env_to_app.py +++ b/tvb_build/conda_env_to_app.py @@ -414,7 +414,7 @@ def _codesign_inside(root_path, command_prefix, dev_identity, ent_file): if _should_be_signed(current_path): # _log(f"Signing {current_path}", 2) os.system(f"{command_prefix} codesign -s '{dev_identity}' -o runtime -f " - f"--timestamp --entitlements {ent_file} '{current_path}'") + f"--timestamp --entitlements '{ent_file}' '{current_path}'") if os.path.isdir(current_path) and not os.path.islink(current_path): _codesign_inside(current_path, command_prefix, dev_identity, ent_file) 
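Review bot: `xcrun stapler staple` now runs whether or not the preceding `notarytool submit --wait` succeeded, and its own exit status is discarded, so a rejected or timed-out notarization still yields a bundle that create_dmg() packages silently. Capture the status, `rc = os.system(f"{prefix} xcrun notarytool submit ...")`, and stop before stapling: `if rc != 0: raise RuntimeError(f"notarization failed (rc={rc}); see 'xcrun notarytool log --keychain-profile tvb'")`, treating a non-zero stapler result the same way. The final `spctl -a -t exec -vv` only prints the assessment; if it is meant as a gate, check its status too. The `--webhook 'https://example.com/notarization'` on the context line looks like a placeholder and should be dropped or made configurable rather than shipped. sign_app() continues outside the hunk.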
@@ -449,7 +449,7 @@ def sign_app(app_path=APP_FILE, app_zip_path=os.path.join(OUTPUT_FOLDER, "tvb.zi _codesign_inside(os.path.join(app_path, "Contents", "Resources", "sbin"), prefix, dev_identity, inner_ent) _codesign_inside(os.path.join(app_path, "Contents", "Resources", "lib"), prefix, dev_identity, inner_ent) _log(f"Signing the main APP {app_path} with {ent_file}", 2) - os.system(f"{prefix} codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements {ent_file} '{app_path}'") + os.system(f"{prefix} codesign -s '{dev_identity}' -f --timestamp -o runtime --entitlements '{ent_file}' '{app_path}'") # Check the signing results os.system(f"spctl -a -t exec -vv '{app_path}'") os.system(f"codesign --verify --verbose=4 '{app_path}'") From e7379c5597ae23e032730950192d529bf4b37839 Mon Sep 17 00:00:00 2001 From: Rus Tudor Date: Fri, 28 Jul 2023 15:33:41 +0300 Subject: [PATCH 17/20] TVB-2417 Change entitlements --- tvb_build/app.entitlements | 4 +--- tvb_build/app.inner.entitlements | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/tvb_build/app.entitlements b/tvb_build/app.entitlements index ad6de2ba90..de5bf5a3c7 100644 --- a/tvb_build/app.entitlements +++ b/tvb_build/app.entitlements @@ -14,7 +14,5 @@ com.apple.security.cs.allow-dyld-environment-variables - com.apple.security.cs.disable-library-validation - - \ No newline at end of file + diff --git a/tvb_build/app.inner.entitlements b/tvb_build/app.inner.entitlements index 2c6eebb31a..7e86413d0e 100644 --- a/tvb_build/app.inner.entitlements +++ b/tvb_build/app.inner.entitlements @@ -12,7 +12,5 @@ com.apple.security.cs.allow-dyld-environment-variables - com.apple.security.cs.disable-library-validation - - \ No newline at end of file + From 107ee0f3681410b368001de8f1d6d62695b2d5d9 Mon Sep 17 00:00:00 2001 From: liadomide Date: Tue, 1 Aug 2023 16:41:30 +0300 Subject: [PATCH 18/20] TVB-2417 cleanup --- tvb_library/tvb/basic/profile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
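Review bot: Single quotes around `{ent_file}` and `{app_path}` handle paths with spaces but still break — and become shell injection — for a path containing `'`, and the `{prefix}` in the same command still carries the raw keychain password unquoted. Quote every interpolated value with `shlex.quote()` (stdlib, `import shlex`), e.g. `--entitlements {shlex.quote(ent_file)} {shlex.quote(app_path)}`, or better build the command as a list and call `subprocess.run(..., check=True)` so no quoting is needed and the exit status is checked. The same applies to the matching codesign call in `_codesign_inside` changed by this commit. sign_app() continues outside the hunk.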
diff --git a/tvb_library/tvb/basic/profile.py b/tvb_library/tvb/basic/profile.py index 3524485211..5fbd84bde3 100644 --- a/tvb_library/tvb/basic/profile.py +++ b/tvb_library/tvb/basic/profile.py @@ -99,7 +99,7 @@ def _build_profile_class(cls, selected_profile, in_operation=False, run_init=Tru else: msg = "Invalid profile name %r, expected one of %r" - msg %= (selected_profile, cls.REGISTERED_PROFILES) + msg %= (selected_profile, cls.REGISTERED_PROFILES.keys()) raise Exception(msg) @classmethod From fad9d25265545fff0359fa1b5d85103b4394a2af Mon Sep 17 00:00:00 2001 From: liadomide Date: Fri, 4 Aug 2023 17:21:17 +0300 Subject: [PATCH 19/20] TVB-3086 Handle better the way is_distribution gets calculated --- tvb_library/tvb/basic/config/environment.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tvb_library/tvb/basic/config/environment.py b/tvb_library/tvb/basic/config/environment.py index 376a44e3b6..6ba2b5e803 100644 --- a/tvb_library/tvb/basic/config/environment.py +++ b/tvb_library/tvb/basic/config/environment.py @@ -72,10 +72,9 @@ def is_distribution(): pass try: - import tvb - externals_path = os.path.join( - os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(tvb.__file__)))), - "dev_resources") + externals_path = os.path.join(os.path.abspath(os.path.join(__file__, os.path.pardir, os.path.pardir, + os.path.pardir, os.path.pardir, os.path.pardir)), + "dev_resources") if os.path.exists(externals_path): # usage from GitHub clone without got cmd or inside a Docker container (as a mounted volume) return False From ec2c481064c425744dae39458fa9a4149855c5ec Mon Sep 17 00:00:00 2001 From: liadomide Date: Fri, 4 Aug 2023 17:22:39 +0300 Subject: [PATCH 20/20] TVB-3086 Sometimes CURRENT_DIR remains wrong --- tvb_library/tvb/basic/config/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tvb_library/tvb/basic/config/settings.py b/tvb_library/tvb/basic/config/settings.py index 20e3a8d527..6b89f4482c 100644 
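Review bot: The five chained `os.path.pardir` hops are correct only for the source layout `<repo>/tvb_library/tvb/basic/config/environment.py`, and nothing in the code says so — the same kind of implicit layout assumption that the replaced `tvb.__file__`-based version rested on. Add a comment spelling out the hops above the assignment, e.g. `# environment.py -> config -> basic -> tvb -> tvb_library -> <repo root>; a GitHub clone has dev_resources here, a packaged distribution does not`. If the presence of that directory is intentionally the signal for "not a distribution", the comment should say that too, since moving or renaming `dev_resources` silently changes the result. is_distribution() starts outside the hunk.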
--- a/tvb_library/tvb/basic/config/settings.py +++ b/tvb_library/tvb/basic/config/settings.py @@ -233,7 +233,7 @@ def __init__(self, manager): self.ENCRYPT_STORAGE = manager.get_attribute(stored.KEY_ENCRYPT_STORAGE, False, eval) self.DECRYPT_PATH = manager.get_attribute(stored.KEY_DECRYPT_PATH) - self.CURRENT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) + self.CURRENT_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) try: import tvb.interfaces
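Review bot: The extra `os.path.dirname()` moves CURRENT_DIR from `.../tvb/basic` to `.../tvb` (three levels up from `config/settings.py`), but nothing at the assignment records which directory CURRENT_DIR is supposed to denote, so the next "sometimes wrong" report will be as hard to diagnose as this one. Add a comment naming the target, e.g. `# Root of the tvb package (<...>/tvb_library/tvb); settings.py lives three levels down in tvb/basic/config`, or make the hop count explicit with `pathlib.Path(__file__).resolve().parents[2]` — noting that `resolve()` follows symlinks where `abspath()` does not, so confirm that is acceptable for the installed layout. The enclosing `__init__` and its `try:` block continue outside the hunk.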