989189 - codesign error in OS X 10.9 when subcomponent not signed

Status: RESOLVED WORKSFORME

(Infrastructure & Operations Graveyard :: CIDuty, task)

Description

[Eric Tsai (no more review request accepted)]

During repackage a custom release in OS X 10.9 and sign the Firefox App, 

/usr/bin/codesign --deep -fs <signature> Firefox.app

codesign reports error:

Firefox.app: replacing existing signature
Firefox.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: Firefox.app/Contents/MacOS/distribution/bundles/addoninstaller@mozillaonline.com

The same command works fine in OS X 10.8 because codesign only sign for the App but in OS X 10.9 will not sign if any nested bundle in the package is unsigned:

http://furbo.org/2013/10/17/code-signing-and-mavericks/

Comment 1

[Chris Cooper [:coop] (he/him)]

cc-ing bhearsum who's doing some Mac signing work ahead of 10.9.5 and Yosemite.

Ben: is this something that's come up in your 10.9 signing work so far?

Comment 2

[bhearsum@mozilla.com (:bhearsum)]

Yeah, this doesn't surprise me. As part of the work bug 1046306, we'll be signing all nested packages as well as all individual binaries. It's likely that this bug will be fixed by that.

However, my understanding is that codesign --deep is generally advised against (see https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG203). We're going to be signing MoCo builds by going through them recursively, and I would suggest that you do the same. Feel free to let me know if you want to chat more about this - I'm more than happy to help.