macOS/signing - Trying to make sense of calling `spctl --assess` before notarization


shri...@firemail.cc

Oct 27, 2021, 1:44:35 PM10/27/21
to chromi...@chromium.org
I'm going over and playing with chrome/installer/mac/signing for
educational purposes, and I find it hard to understand when it makes
sense to have a signing config that has |run_spctl_assess| set to True.

The call to spctl takes place in validate_app() which is called from
sign_chrome() in parts.py. According to the comment above the call to
validate_app(), the function should "Display the code signature", but
when |run_spctl_assess| is True it runs an actual spctl assessment that
throws a CalledProcessError exception if the target is rejected. The
call to notarize.submit() takes place only after
_customize_and_sign_chrome(), which is the function that calls
sign_chrome(), returns, so I don't understand how calling validate_app()
with |run_spctl_assess| set to True could ever succeed.

My experiments included running spctl before and after notarization, and
the results are as expected. Before notarizing, the assessment is
rejected with "source=Unnotarized Developer ID", and after notarizing,
it is accepted with "source=Notarized Developer ID".

In addition, I encountered a comment on Apple's Developer Forums
(https://developer.apple.com/forums/thread/661266?answerId=635119022#635119022)
where a tech support representative claims that running spctl before
notarization makes no sense.

Jason12 C12

Oct 29, 2021, 2:14:29 PM10/29/21
to Chromium-dev, shri...@firemail.cc
You can search around the web for discussions about this. I don't have inside knowledge about this, but I think the following article in the context of Electron development and similar articles point out the basic idea:


My summary is... 
- originally there was just signing
- electron build tools used spctl to confirm signing worked.
- then Apple started requiring notarizing
- electron build tools started to add support for notarizing.  That code was executed after the call to spctl
- then spctl's behavior changed to also test for notarizing

As a result, builds of electron apps tended to fail when building for macOS. I don't know if anyone has made a proper fix to this. I know there's an electron-builder flag ("gatekeeperAssess") that supposedly turns off the spctl check, but my experience suggests that this flag is ignored and spctl is still always called, but also... if spctl indicates that the problem is Unnotarized Developer ID, the error/warning is ignored by the electron build process. Perhaps someone deemed that to be a proper fix.

I believe you're not asking about Electron, but perhaps something similar occurred in the context of your development pipeline.
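The behaviour both posts describe (spctl rejecting a correctly signed bundle with "source=Unnotarized Developer ID" before the notarization ticket exists, and a build pipeline choosing to treat only that rejection as non-fatal) can be made explicit in the signing script. The POSIX sh below is an added example, not code from Chromium's chrome/installer/mac/signing or from Electron's build tools. The function names (classify_spctl, stage_ok, assess_app), the stage labels "pre-notarization"/"post-notarization", and the three sample spctl transcripts are assumptions constructed for this example; spctl itself only exists on macOS, so the classification works on captured text and the demo runs on the samples.

```shell
#!/bin/sh
# Added example (not Chromium's or Electron's code): classify the verdict of
#   spctl --assess --type execute -vv <App.app>
# so a signing pipeline can decide whether a rejection is fatal at its stage.
# spctl prints a "<path>: accepted|rejected" line followed by "source=..."
# and "origin=..." lines; it also exits non-zero on rejection.

# classify_spctl OUTPUT -> prints one of:
#   notarized    accepted, source=Notarized Developer ID
#   accepted     accepted for some other reason (e.g. an explicit rule)
#   unnotarized  rejected only because no ticket is stapled/known yet
#   rejected     rejected for any other reason (unsigned, bad signature, ...)
classify_spctl() {
    verdict=unknown
    src=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*)       src=${line#source=} ;;
        esac
    done <<EOF
$1
EOF
    case "$verdict:$src" in
        accepted:"Notarized Developer ID")   echo notarized ;;
        accepted:*)                          echo accepted ;;
        rejected:"Unnotarized Developer ID") echo unnotarized ;;
        *)                                   echo rejected ;;
    esac
}

# stage_ok CLASS STAGE -> 0 if CLASS is acceptable at STAGE, else 1.
# Before notarization a missing ticket is expected, so "unnotarized" passes;
# after notarization only a notarized verdict is good enough.
stage_ok() {
    case "$2:$1" in
        pre-notarization:notarized|pre-notarization:accepted|pre-notarization:unnotarized) return 0 ;;
        post-notarization:notarized) return 0 ;;
        *) return 1 ;;
    esac
}

# assess_app APP_PATH STAGE -> runs the real spctl (macOS only) and applies
# the stage policy. spctl's own exit status is deliberately ignored; the
# decision is made on the classified text instead.
assess_app() {
    out=$(spctl --assess --type execute -vv "$1" 2>&1) || true
    stage_ok "$(classify_spctl "$out")" "$2"
}

# Constructed sample transcripts (assumptions, not captured from a real run).
SAMPLE_PRE='/tmp/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID)'
SAMPLE_POST='/tmp/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID)'
SAMPLE_BAD='/tmp/Example.app: rejected
source=no usable signature'

# Demo on the samples; on macOS you would call assess_app "$1" pre-notarization
# right after signing and assess_app "$1" post-notarization after stapling.
for s in "$SAMPLE_PRE" "$SAMPLE_POST" "$SAMPLE_BAD"; do
    printf '%s\n' "$(classify_spctl "$s")"
done
```

The point of splitting the check this way is that a pre-notarization assessment still catches real signing mistakes (the "rejected" class) while not failing on the one rejection that is expected at that stage, which is the distinction the electron-builder behaviour described above makes implicitly.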



