who knows anything about how we do Apple code signing I ve g garden.io #💻

who knows anything about how we do Apple code sign...

kind-france-89777

05/04/2023, 8:26 PM

who knows anything about how we do Apple code signing? I've got a report from a customer that 0.12.55 isn't properly codesigned, but previous releases are.

kind-france-89777

05/04/2023, 8:26 PM

> noticed that 0.12.53 has a good code signature. 0.12.55 does not.

Copy code

$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: valid on disk
/opt/homebrew/bin/garden: satisfies its Designated Requirement
$ garden --version
0.12.53

> after upgrading to 0.12.55:

Copy code

$ codesign --verify -vv $(which garden)
/opt/homebrew/bin/garden: invalid signature (code or signature have been modified)
In architecture: x86_64

swift-garage-61180

05/04/2023, 8:49 PM

Was that the reason we saw the popup about incoming network traffic in the call earlier?

kind-france-89777

05/04/2023, 9:49 PM

huh, interesting, I have no idea and have long wondered why that happens

ancient-diamond-80011

05/05/2023, 7:08 AM

we definitely should be getting a valid signature in our CI/CD pipeline 🤔

kind-france-89777

05/09/2023, 4:29 PM

just wanted to bump this, to see if anyone has confirmed that we'll codesign properly on the next release

ancient-diamond-80011

05/10/2023, 6:46 AM

currently taking a quick look into this - wonder what has changed, as this used to be done as part of our CI pipeline

ancient-diamond-80011

05/10/2023, 6:54 AM

no changes in the build-pkg script (other than the copyright year) https://github.com/garden-io/garden/commits/main/cli/src/build-pkg.ts since january, and 0.12.53 was released in march (with a valid sig)

ancient-diamond-80011

05/10/2023, 8:30 AM

didn't find anything on a quick glance, sorry 😞

ancient-diamond-80011

05/10/2023, 8:30 AM

added a tracking issue https://github.com/orgs/garden-io/projects/5/views/1?pane=issue&itemId=27806920 cc @calm-family-29323 @curved-intern-91221 @astonishing-tomato-18259 this is a must-have before the release

astonishing-tomato-18259

05/12/2023, 1:13 PM

Investigated this today. It seems we never code signed our binary for mac.

0.12.53

binary was also not code signed. It appears that the user had done ad-hoc code signing (https://developer.apple.com/documentation/security/seccodesignatureflags/1397793-adhoc) of garden binary on its own. Ad-hoc code signing basically means that you can code sign a binary using

codesign

utility without any signing identity or apple developer certificate. On verifying, it results in similar response:

Copy code

➜ $ codesign --verify -vv garden
garden: valid on disk
garden: satisfies its Designated Requirement

And once the user updated the version from 0.12.53 to 0.12.55, the ad-hoc signature became invalid and results in

invalid signature

error as the content of garden binary updated and resulted in SHA-1 signature mismatch. The codesigning of binaries is mandatory for any executables macOS 11 onwards however it doesn't apply to translated binaries that running under Rosetta2 which is currently the case for Garden binary. There's plan to publish native Apple silicon binary and then code signing will be mandatory. I created an issue to track code signing of our binaries: https://github.com/garden-io/garden/issues/4250

kind-france-89777

05/12/2023, 2:23 PM

Interesting!

10 Views

Previous Next