Bug 1470607 Comment 14 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I tried notarizing an existing signed Firefox Nightly dmg. We have a bunch of errors, but they fall into 3 buckets:

- `The executable does not have the hardened runtime enabled.` [These](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues) [pages](https://help.apple.com/xcode/mac/current/#/devf87a2ac8f) describe how to fix this. It looks like bug 1470597 is hard-blocking the notarization work?
- `The signature algorithm used is too weak.` I'm not sure about this -- we're using current Developer IDs. It's possible our mac signing servers are using an older Xcode or are configured to use an older algorithm; we'll have to dig.
- `The binary is not signed.` We have rules on the signing server about which binaries to skip; we can probably sign this binary as well.

I tried notarizing an existing signed Firefox Nightly dmg. We have a bunch of errors, but they fall into 3 buckets:

- `The executable does not have the hardened runtime enabled.` [These](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues) [pages](https://help.apple.com/xcode/mac/current/#/devf87a2ac8f) describe how to fix this. It looks like bug 1470597 is hard-blocking the notarization work?
- `The signature algorithm used is too weak.` I'm not sure about this -- we're using current Developer IDs. It's possible our mac signing servers are using an older Xcode or are configured to use an older algorithm; we'll have to dig.
- `The binary is not signed.` We have rules on the signing server about which binaries to skip; we can probably sign this binary as well.

(I know there are instructions above on how to sign the app before notarizing, but ideally we'd be able to keep our existing signing automation and just add the notarization piece. It looks like we have to at least adjust our signing for this to work.)

I tried notarizing an existing signed Firefox Nightly dmg. We have a bunch of errors, but they fall into 3 buckets:

- `The executable does not have the hardened runtime enabled.` [These](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues) [pages](https://help.apple.com/xcode/mac/current/#/devf87a2ac8f) describe how to fix this. It looks like bug 1470597 is hard-blocking the notarization work?
  - (I did download this binary from Dec 31; if we've landed the hardened runtime changes since then, I can retry with a newer binary.)
- `The signature algorithm used is too weak.` I'm not sure about this -- we're using current Developer IDs. It's possible our mac signing servers are using an older Xcode or are configured to use an older algorithm; we'll have to dig.
- `The binary is not signed.` We have rules on the signing server about which binaries to skip; we can probably sign this binary as well.

(I know there are instructions above on how to sign the app before notarizing, but ideally we'd be able to keep our existing signing automation and just add the notarization piece. It looks like we have to at least adjust our signing for this to work.)
