macOS ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed using an Apple signing certificate
Categories: Developer Infrastructure :: Try, defect
Tracking: Not tracked
People: Reporter: smichaud, Unassigned
macOS 11, running on Apple Silicon, refuses to run any unsigned application. Right-clicking and choosing "Open" no longer works, though it still works fine on macOS 11 running on an Intel CPU.
https://github.com/Homebrew/brew/issues/9082
I think this means that Mozilla needs to start signing macOS ARM64 tryserver builds. Otherwise it won't be possible to run such a build on Apple Silicon without getting your own personal signing certificate from Apple, and using that to sign the build.
For a real life example of this, see bug 1690604 comment 6.
Builds made using mach build are already signed in some fashion. Even ARM64 builds, made this way, run fine on Apple Silicon machines. So it wouldn't be too much of a stretch to start signing at least some tryserver builds.
In fact I don't see why they can't all be signed. But that's not what this bug is about.
Updated • 4 years ago (reporter)

Comment 1 • 4 years ago
Run a repackage-macosx64-shippable/opt job, and it'll be signed.
Comment 2 • 4 years ago

Comment 3 • 4 years ago (reporter)
The "signed" build created using a repackage-macosx64-shippable/opt job doesn't work on either Apple Silicon or Intel hardware. Double-clicking on it and using Ctrl-click Open both always have the same result -- an error balloon saying that '"Firefox Nightly" is damaged and can't be opened. You should move it to the Trash.' Presumably that's because it's not signed using an Apple signing certificate:
codesign -d -vvv ~/Desktop/Firefox\ Nightly.app
Executable=/Users/smichaud/Desktop/Firefox Nightly 1690604.app/Contents/MacOS/firefox
Identifier=org.mozilla.nightly
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=468 flags=0x10000(runtime) hashes=6+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8c
CandidateCDHashFull sha256=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8ca3f9b84518ab79dc40ffdfbc
Hash choices=sha256
CMSDigest=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8ca3f9b84518ab79dc40ffdfbc
CMSDigestType=2
CDHash=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8c
Signature size=2085
Authority=Mozilla Fake DMG Cert
Signed Time=Feb 18, 2021 at 10:19:13 AM
Info.plist entries=25
TeamIdentifier=not set
Runtime Version=10.12.0
Sealed Resources version=2 rules=13 files=84
Internal requirements count=1 size=188
Comment 4 • 4 years ago (reporter)
Here's how the Firefox release is signed:
codesign -d -vvv /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=479 flags=0x10000(runtime) hashes=6+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=8eb52ba247a657ee043b949510dd15e68c59b4f6
CandidateCDHashFull sha256=8eb52ba247a657ee043b949510dd15e68c59b4f6588adcbb83f3807b7d6733a5
Hash choices=sha256
CMSDigest=8eb52ba247a657ee043b949510dd15e68c59b4f6588adcbb83f3807b7d6733a5
CMSDigestType=2
CDHash=8eb52ba247a657ee043b949510dd15e68c59b4f6
Signature size=8938
Authority=Developer ID Application: Mozilla Corporation (43AQ936H96)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 8, 2021 at 9:13:43 AM
Info.plist entries=25
TeamIdentifier=43AQ936H96
Runtime Version=10.12.0
Sealed Resources version=2 rules=13 files=82
Internal requirements count=1 size=188
Updated • 4 years ago (reporter)

Comment 5 • 4 years ago
That's not a signature problem, that's a quarantine problem. If you xattr -c Firefox Nightly.app, it works.
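Comments 3 to 5 turn on two separate questions: what the signature chain on the bundle is (a "Mozilla Fake DMG Cert" with no TeamIdentifier versus a Developer ID chain rooted at Apple Root CA), and whether the bundle carries the com.apple.quarantine attribute that Gatekeeper acts on. The script below is an added example, not part of this bug or of Mozilla's build tooling. It sorts `codesign -d -vvv` text into a trust class and reads the quarantine attribute separately, so the two causes are not confused. The two codesign reports are the ones quoted above; the ad-hoc report and the quarantine value are constructed samples (the quarantine value's layout, semicolon-separated flags, timestamp, agent name and UUID, is an assumption about the attribute format, not something the bug states).

```shell
#!/bin/sh
# Added example: classify a macOS app bundle's signature from codesign output
# and check quarantine state independently. Not Mozilla's code.

# Quoted from the bug: the repackage job's signature (comment 3), trimmed to
# the lines the classifier looks at.
SAMPLE_FAKE_CERT='Executable=/Users/smichaud/Desktop/Firefox Nightly 1690604.app/Contents/MacOS/firefox
Identifier=org.mozilla.nightly
CodeDirectory v=20500 size=468 flags=0x10000(runtime) hashes=6+5 location=embedded
Signature size=2085
Authority=Mozilla Fake DMG Cert
TeamIdentifier=not set'

# Quoted from the bug: the release signature (comment 4), trimmed the same way.
SAMPLE_RELEASE='Executable=/Applications/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
CodeDirectory v=20500 size=479 flags=0x10000(runtime) hashes=6+5 location=embedded
Signature size=8938
Authority=Developer ID Application: Mozilla Corporation (43AQ936H96)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=43AQ936H96'

# Constructed sample of an ad-hoc signature (what `codesign -s -` produces);
# codesign reports it as "Signature=adhoc" with no Authority lines.
SAMPLE_ADHOC='Identifier=org.mozilla.nightly
CodeDirectory v=20400 size=300 flags=0x2(adhoc) hashes=6+5 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Constructed sample quarantine value (assumed layout: flags;timestamp;agent;uuid).
SAMPLE_QUARANTINE='0083;6030b6e1;Firefox;ABCDEF00-0000-0000-0000-000000000000'

# classify_codesign_output: stdin is `codesign -d -vvv` text; prints one of
#   developer-id | ad-hoc | untrusted-authority | unsigned
# "developer-id" requires a Developer ID Application leaf, the Apple root, and
# a real TeamIdentifier; a self-made certificate like the fake DMG cert fails
# all three and lands in "untrusted-authority".
classify_codesign_output() {
  text=$(cat)
  if printf '%s\n' "$text" | grep -q '^Authority=Developer ID Application:' &&
     printf '%s\n' "$text" | grep -q '^Authority=Apple Root CA$' &&
     ! printf '%s\n' "$text" | grep -q '^TeamIdentifier=not set$'; then
    echo developer-id
  elif printf '%s\n' "$text" | grep -q '^Signature=adhoc$'; then
    echo ad-hoc
  elif printf '%s\n' "$text" | grep -q '^Authority='; then
    echo untrusted-authority
  else
    echo unsigned
  fi
}

# team_identifier: stdin is codesign text; prints the TeamIdentifier value.
team_identifier() {
  sed -n 's/^TeamIdentifier=//p'
}

# quarantine_agent: stdin is a com.apple.quarantine value; prints the third
# field, the application that downloaded the file (assumed layout, see above).
quarantine_agent() {
  cut -d';' -f3
}

# inspect_app: run on a Mac against a real bundle. codesign writes its report
# to stderr, hence 2>&1. Quarantine is reported separately from the signature,
# which is the distinction comment 5 draws.
inspect_app() {
  app=$1
  echo "signature: $(codesign -d -vvv "$app" 2>&1 | classify_codesign_output)"
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    agent=$(xattr -p com.apple.quarantine "$app" | quarantine_agent)
    echo "quarantine: set (downloaded by $agent)"
  else
    echo "quarantine: not set"
  fi
}
```

Usage on a Mac: `inspect_app ~/Desktop/Firefox\ Nightly.app`. A result of "untrusted-authority" plus "quarantine: set" is the situation in comment 3; only the quarantine half is cleared by `xattr -c`, and a download fetched with curl never gets the attribute in the first place, which is why comment 7's workaround also works.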
Comment 6 • 4 years ago (reporter)
xattr -c Firefox Nightly.app
Yes, this works. But it's very annoying, and it really shouldn't be necessary. Likewise with the Ctrl-click Open workaround.
But I don't have the energy to make a fuss about it.
Comment 7 • 4 years ago
If you copy the URL and curl it instead, it will work.
Updated • 2 years ago