More debugging needed to confirm, but the root cause of the problem appears to be that we are signing debug builds with our self-signed "Mozilla Fake DMG" cert while also using the production entitlement configuration. With the fix for bug 1593072, our production entitlement configuration is no longer compatible with self-signing. Until we have improved our codesigning to not use self-signed certs, we'll have to either 1) sign our Debug central builds with the official cert OR 2) change our Debug central builds to use the development entitlement configuration. If this evaluation is correct, this problem should not apply to try builds.

To explain this failure, plugin-container is configured to not allow loading of third party dylibs in production builds, but that setting is not compatible with self-signed certs. For our developer builds (which use self-signing), we opt out of that restriction.

This incompatibility (where self-signed builds require the entitlement `com.apple.security.cs.disable-library-validation` in order to load a dylib that is also self-signed must not apply on our macOS 10.15 x64 runners. One explanation could be that Apple Silicon or macOS 11 is more strict in this regard. The test is passing on macOS 10.15 on x64 and the failures are on macOS 11 on Apple Silicon. Apple Silicon does have more strict codesigning requirements per documentation from Apple, so it wouldn't be surprising if that was the difference. macOS 11 (aka 10.16) is the first version to support Apple Silicon.

Regarding the solution, we do not sign non-official builds with production certs to avoid any potential confusion or malicious behavior where a non-official build is passed off as official. For example, a try build, but we might be OK with debug builds of central. I'll discuss more with Heitor.

Bug 1860468 Comment 4 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

More debugging needed to confirm, but the root cause of the problem appears to be that we are signing debug builds with our self-signed "Mozilla Fake DMG" cert while also using the production entitlement configuration. With the fix for bug 1593072, our production entitlement configuration is no longer compatible with self-signing. Until we have improved our codesigning to not use self-signed certs, we'll have to either 1) sign our Debug central builds with the official cert OR 2) change our Debug central builds to use the development entitlement configuration. If this evaluation is correct, this problem should not apply to try builds.

To explain this failure, plugin-container is configured to not allow loading of third party dylibs in production builds, but that setting is not compatible with self-signed certs. For our developer builds (which use self-signing), we opt out of that restriction.

This incompatibility (where self-signed builds require the entitlement `com.apple.security.cs.disable-library-validation` in order to load a dylib that is also self-signed) must not apply on our macOS 10.15 x64 runners. One explanation could be that Apple Silicon or macOS 11 is more strict in this regard. The test is passing on macOS 10.15 on x64 and the failures are on macOS 11 on Apple Silicon. Apple Silicon does have more strict codesigning requirements per documentation from Apple, so it wouldn't be surprising if that was the difference. macOS 11 (aka 10.16) is the first version to support Apple Silicon.

Regarding the solution, we do not sign non-official builds with production certs to avoid any potential confusion or malicious behavior where a non-official build is passed off as official. For example, a try build, but we might be OK with debug builds of central. I'll discuss more with Heitor.