Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(cli): add macos hardened runtime signing config option #9318

Merged
merged 8 commits into from
Jun 5, 2024
Merged

feat(cli): add macos hardened runtime signing config option #9318

merged 8 commits into from
Jun 5, 2024

Conversation

thewh1teagle
Copy link
Contributor

@thewh1teagle thewh1teagle commented Mar 31, 2024
edited
Loading

In macOS, when building dmg with ad-hoc signature, and the app depends on Frameworks (dynamic shared libraries, dylib files), they won't load and the app will crash with error message box.

I found that if we disable signing flag in macOS bundler passed from tauri-cli, it won't crash.
the flag which passed is --option runtime in tooling/bundler/src/bundle/macos/sign.rs#L210

crash log 
Termination Reason:    Namespace DYLD, Code 1 Library missing
Library not loaded: @rpath/libavcodec.60.dylib
Referenced from: <D007FD2C-8AD0-336A-944D-C186621D1CEF> /Volumes/VOLUME/vibe.app/Contents/MacOS/vibe
Reason: tried: '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
(terminated at launch; ignore backtrace)
man codesign 
     -o, --options flag,...
             During signing, specifies a set of option flags to be embedded in
             the code signature. The value takes the form of a comma-separated
             list of names (with no spaces). Alternatively, a numeric value
             can be used to directly specify the option mask (CodeDirectory
             flag word). See OPTION FLAGS below.

Flags:
             runtime              Preserve the hardened runtime version (-o
                                  runtime flag, --runtime-version option)
                                  instead of overriding or deriving the
                                  version.

This PR introduce a way to control the flag through tauri.conf.json:

  "bundle": {
    "macOS": {
      "signingIdentity": "-",
      "hardenedRuntime": false
    }
  }

I believe that macOS bundling process needs to be much more flexible.
Currently I have no other option to control the final signing of the app, and tauri enforce this runtime flag, as a result the final binary can't run and I can't publish it for macOS (arm).

meanwhile for testing the app, it's possible to resign it:

codesign --force --deep -s "-" /Applications/vibe.app
hdiutil create -format UDZO -srcfolder some_app.app signed.dmg

@thewh1teagle thewh1teagle requested a review from a team as a code owner March 31, 2024 21:04
@lucasfernog lucasfernog changed the title feat(cli): add macos signing config option feat(cli): add macos hardened runtime signing config option Apr 2, 2024
@thewh1teagle
Copy link
Contributor Author

Just a gentle reminder: I'm currently unable to test my app build locally due to the damaged dmg release caused by the default hardened option. It's impacting my development process. Any chance we could prioritize merging the PR? Appreciate your attention to this matter!

FabianLars
FabianLars requested changes Jun 5, 2024
View reviewed changes
Copy link
Member

@FabianLars FabianLars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, just some smaller things and then it's good to go :)

@thewh1teagle
Copy link
Contributor Author

Thanks for the review : - )
Edited as suggested

@FabianLars FabianLars merged commit 656a649 into tauri-apps:dev Jun 5, 2024
33 checks passed
@github-actions github-actions bot mentioned this pull request Jun 5, 2024
Merged
pewsheen pushed a commit to pewsheen/tauri that referenced this pull request Jun 13, 2024
@thewh1teagle @lucasfernog @pewsheen
feat(cli): add macos hardened runtime signing config option (tauri-ap…
ecab164 
…ps#9318)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <[email protected]>
@github-actions github-actions bot mentioned this pull request Jul 2, 2024
Merged
FabianLars added a commit that referenced this pull request Jul 4, 2024
@FabianLars @lucasfernog
feat(cli): add macos hardened runtime signing config option (#9318)
6938d0e 
* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <[email protected]>
@FabianLars FabianLars mentioned this pull request Jul 4, 2024
Merged
amrbashir pushed a commit that referenced this pull request Jul 8, 2024
@FabianLars @lucasfernog
feat(cli): add macos hardened runtime signing config option (#9318) (#…
0aa0378 
…10199)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FabianLars FabianLars FabianLars approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thewh1teagle @FabianLars @lucasfernog