https://garden.io logo
who knows anything about how we do Apple
k

kind-france-89777

05/04/2023, 8:26 PM
who knows anything about how we do Apple code signing? I've got a report from a customer that 0.12.55 isn't properly codesigned, but previous releases are.
> noticed that 0.12.53 has a good code signature. 0.12.55 does not.
$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: valid on disk
/opt/homebrew/bin/garden: satisfies its Designated Requirement
$ garden --version
0.12.53
> after upgrading to 0.12.55:
$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: invalid signature (code or signature have been modified)
In architecture: x86_64
s

swift-garage-61180

05/04/2023, 8:49 PM
Was that the reason we saw the popup about incoming network traffic in the call earlier?
k

kind-france-89777

05/04/2023, 9:49 PM
huh, interesting, I have no idea and have long wondered why that happens
a

ancient-diamond-80011

05/05/2023, 7:08 AM
we definitely should be getting a valid signature in our CI/CD pipeline 🤔
k

kind-france-89777

05/09/2023, 4:29 PM
just wanted to bump this, to see if anyone has confirmed that we'll codesign properly on the next release
a

ancient-diamond-80011

05/10/2023, 6:46 AM
currently taking a quick look into this - wonder what has changed, as this used to be done as part of our CI pipeline
no changes in the build-pkg script (other than the copyright year) https://github.com/garden-io/garden/commits/main/cli/src/build-pkg.ts since january, and 0.12.53 was released in march (with a valid sig)
didn't find anything on a quick glance, sorry 😞
added a tracking issue https://github.com/orgs/garden-io/projects/5/views/1?pane=issue&itemId=27806920 cc @calm-family-29323 @curved-intern-91221 @astonishing-tomato-18259 this is a must-have before the release
a

astonishing-tomato-18259

05/12/2023, 1:13 PM
Investigated this today. It seems we never code signed our binary for mac.
0.12.53
binary was also not code signed. It appears that the user had done ad-hoc code signing (https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc) of garden binary on its own. Ad-hoc code signing basically means that you can code sign a binary using
codesign
utility without any signing identity or apple developer certificate. On verifying, it results in similar response:
➜ $ codesign --verify -vv garden
garden: valid on disk
garden: satisfies its Designated Requirement
And once the user updated the version from 0.12.53 to 0.12.55, the ad-hoc signature became invalid and results in
invalid signature
error as the content of garden binary updated and resulted in SHA-1 signature mismatch. The codesigning of binaries is mandatory for any executables macOS 11 onwards however it doesn't apply to translated binaries that running under Rosetta2 which is currently the case for Garden binary. There's plan to publish native Apple silicon binary and then code signing will be mandatory. I created an issue to track code signing of our binaries: https://github.com/garden-io/garden/issues/4250
k

kind-france-89777

05/12/2023, 2:23 PM
Interesting!