Closed Bug 1693422 Opened 4 years ago Closed 4 years ago

macOS ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed using an Apple signing certificate

Categories

(Developer Infrastructure :: Try, defect)

ARM64
macOS
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: smichaud, Unassigned)

macOS 11, running on Apple Silicon, refuses to run any unsigned application. Right-clicking and choosing "Open" no longer works, though it still works fine on macOS 11 running on an Intel CPU.

https://github.com/Homebrew/brew/issues/9082

I think this means that Mozilla needs to start signing macOS ARM64 tryserver builds. Otherwise it won't be possible to run such a build on Apple Silicon without getting your own personal signing certificate from Apple, and using that to sign the build.

For a real life example of this, see bug 1690604 comment 6.

Builds made using mach build are already signed in some fashion. Even ARM64 builds, made this way, run fine on Apple Silicon machines. So it wouldn't be too much of a stretch to start signing at least some tryserver builds.

In fact I don't see why they can't all be signed. But that's not what this bug is about.

Summary: ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed → macOS ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed

Run a repackage-macosx64-shippable/opt job, and it'll be signed.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

The "signed" build created using a repackage-macosx64-shippable/opt job doesn't work on either Apple Silicon or Intel hardware. Double-clicking on it and using Ctrl-click Open both always have the same result -- an error balloon saying that '"Firefox Nightly" is damaged and can't be opened. You should move it to the Trash.' Presumably that's because it's not signed using an Apple signing certificate:

    codesign -d -vvv ~/Desktop/Firefox\ Nightly.app 
    Executable=/Users/smichaud/Desktop/Firefox Nightly 1690604.app/Contents/MacOS/firefox
    Identifier=org.mozilla.nightly
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=468 flags=0x10000(runtime) hashes=6+5 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8c
    CandidateCDHashFull sha256=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8ca3f9b84518ab79dc40ffdfbc
    Hash choices=sha256
    CMSDigest=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8ca3f9b84518ab79dc40ffdfbc
    CMSDigestType=2
    CDHash=8b04f8e168ea6e0caffa4cf4f297d954d4a64d8c
    Signature size=2085
    Authority=Mozilla Fake DMG Cert
    Signed Time=Feb 18, 2021 at 10:19:13 AM
    Info.plist entries=25
    TeamIdentifier=not set
    Runtime Version=10.12.0
    Sealed Resources version=2 rules=13 files=84
    Internal requirements count=1 size=188

Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Here's how the Firefox release is signed:

    codesign -d -vvv /Applications/Firefox.app 
    Executable=/Applications/Firefox.app/Contents/MacOS/firefox
    Identifier=org.mozilla.firefox
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=479 flags=0x10000(runtime) hashes=6+5 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=8eb52ba247a657ee043b949510dd15e68c59b4f6
    CandidateCDHashFull sha256=8eb52ba247a657ee043b949510dd15e68c59b4f6588adcbb83f3807b7d6733a5
    Hash choices=sha256
    CMSDigest=8eb52ba247a657ee043b949510dd15e68c59b4f6588adcbb83f3807b7d6733a5
    CMSDigestType=2
    CDHash=8eb52ba247a657ee043b949510dd15e68c59b4f6
    Signature size=8938
    Authority=Developer ID Application: Mozilla Corporation (43AQ936H96)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Feb 8, 2021 at 9:13:43 AM
    Info.plist entries=25
    TeamIdentifier=43AQ936H96
    Runtime Version=10.12.0
    Sealed Resources version=2 rules=13 files=82
    Internal requirements count=1 size=188

Summary: macOS ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed → macOS ARM64 and ARM64/x86-64 (universal) tryserver builds should be signed using an Apple signing certificate
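
The two `codesign -d -vvv` dumps above differ in their `Authority` chain and `TeamIdentifier`. The following is an added example, not part of the bug thread or of Mozilla's tooling: it parses such output and reports which kind of chain signed the bundle. The function names and result labels are assumptions made for illustration; the sample text is excerpted from the dumps quoted above.

```python
import re

# Trimmed excerpts of the two `codesign -d -vvv` dumps quoted in this bug.
# (When capturing live, note that codesign writes this output to stderr.)
TRY_BUILD = """\
Identifier=org.mozilla.nightly
CodeDirectory v=20500 size=468 flags=0x10000(runtime) hashes=6+5 location=embedded
Authority=Mozilla Fake DMG Cert
TeamIdentifier=not set
"""
RELEASE = """\
Identifier=org.mozilla.firefox
CodeDirectory v=20500 size=479 flags=0x10000(runtime) hashes=6+5 location=embedded
Authority=Developer ID Application: Mozilla Corporation (43AQ936H96)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=43AQ936H96
"""

def parse_codesign(text):
    """Parse key=value lines; Authority repeats, so keep it as a list (leaf first)."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # not a key=value line
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info.setdefault(key, value)
    return info

def classify(text):
    """Label the signing chain by the names codesign printed (hypothetical labels)."""
    info = parse_codesign(text)
    chain = info["Authority"]
    team = info.get("TeamIdentifier", "not set")
    if info.get("Signature") == "adhoc" or not chain:
        kind = "ad-hoc or no certificate chain"
    elif (chain[0].startswith("Developer ID Application:")
          and chain[-1] == "Apple Root CA"
          and team != "not set" and chain[0].endswith(f"({team})")):
        kind = "Developer ID (Apple-issued)"
    else:
        kind = "non-Apple or other chain"
    flags = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", text)
    hardened = bool(flags and "runtime" in flags.group(1).split(","))
    return {"kind": kind, "leaf": chain[0] if chain else None,
            "team_id": team, "hardened_runtime": hardened}

if __name__ == "__main__":
    for name, dump in (("try build", TRY_BUILD), ("release", RELEASE)):
        print(name, classify(dump))
```

This only compares the names that `codesign` printed; it does not validate the certificate chain, which is what `codesign --verify` and `spctl --assess` are for.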

That's not a signature problem, that's a quarantine problem. If you xattr -c Firefox Nightly.app, it works.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

xattr -c Firefox Nightly.app

Yes, this works. But it's very annoying, and it really shouldn't be necessary. Likewise with the Ctrl-click Open workaround.

But I don't have the energy to make a fuss about it.

If you copy the url and curl it instead, it will work.

Blocks: 1694531
Product: Firefox Build System → Developer Infrastructure