From 49ec6962b1106afea015ad7b11740d7be1637b6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Soko=C5=82owski?= Date: Thu, 10 Aug 2023 19:57:33 +0200 Subject: [PATCH] sign-macos-pkg.sh: move gatekeeper verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This now fails when the app is signed with a new certificate create from our new Apple organization but is not notarized: ``` tmp/macos/dist/Status.app: rejected source=Unnotarized Developer ID ``` I actually have absolutely no idea why this verification worked with the old certificate, but it did. For that reason I'm moving it to after notarization. Signed-off-by: Jakub SokoĊ‚owski --- scripts/notarize-macos-pkg.sh | 7 +++++++ scripts/sign-macos-pkg.sh | 12 +----------- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/scripts/notarize-macos-pkg.sh b/scripts/notarize-macos-pkg.sh index 24b7bda8d..e108c8e4d 100755 --- a/scripts/notarize-macos-pkg.sh +++ b/scripts/notarize-macos-pkg.sh @@ -64,4 +64,11 @@ fi # Optional but preferrable to attach the ticket to the bundle. echo -e "\n### Stapling Notarization Ticket..." xcrun stapler staple "${BUNDLE_PATH}" + +echo -e "\n### Validating Signature and Notarization..." +spctl --verbose=2 \ + --assess --type open \ + --context context:primary-signature \ + "${BUNDLE_PATH}" + exit $? diff --git a/scripts/sign-macos-pkg.sh b/scripts/sign-macos-pkg.sh index 9e1d79355..09524c7e1 100755 --- a/scripts/sign-macos-pkg.sh +++ b/scripts/sign-macos-pkg.sh @@ -17,7 +17,7 @@ CODESIGN_OPTS_EXTRA=("${@}") function clean_up { STATUS=$? - if [[ "${STATUS}" -eq 0 ]]; then + if [[ "${STATUS}" -ne 0 ]]; then echo -e "\n###### ERROR: See above for details." fi set +e @@ -81,14 +81,4 @@ codesign ${CODESIGN_OPTS[@]} "${TARGET}" echo -e "\n### Verifying signature..." codesign --verify --strict=all --deep --verbose=4 "${TARGET}" -echo -e "\n### Assessing Gatekeeper validation..." -if [[ -d "${TARGET}" ]]; then - spctl --assess --type execute --verbose=2 "${TARGET}" -else - echo "WARNING: The 'open' type security assesment is disabled due to lack of 'Notarization'" - # Issue: https://github.com/status-im/status-mobile/pull/9172 - # Details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution - #spctl --assess --type open --context context:primary-signature --verbose=2 "${OBJECT}" -fi - echo -e "\n###### DONE"