fpcalc 1.5.1


barry 2manyrobots.com

Dec 23, 2021, 8:36:38 PM
to Lukáš Lalinský, acou...@googlegroups.com
Hi Lukáš,

I saw your tweet today about the Apple Silicon capable version of fpcalc. Thanks for getting this out.

There is an issue. The binary is signed but it is not hardened or notarized. If it was hardened I could bundle it in my app and Xcode would handle the notarization. As it is not hardened, it can’t be notarized.

I can download and post install it as I did in the past but Monterey is now very strict. Prior to Monterey it just worked.

In order to get it to work on Monterey, I will have to do the following after installation:

- run the binary in a shell which will fail.
- tell the user to open system preferences Security & Privacy - General and allow the app to run
- run it again from a terminal and tell the user to manually accept it.
- at that point it will be okay.

Is there any chance to get a hardened version?

Have a great Christmas and a happy New Year.

Best regards,

Barry

p.s. sorry about the double address. I always used the first but saw the googlegroups address online.

Lukáš Lalinský

Dec 23, 2021, 11:17:36 PM
to Acoustid, Barry
Hi Barry,

I'm pretty much lost at building for the recent macos versions, so I might need some help.

Looking at some docs right now, hardening is done at codesign level, not at compile level.

It seems like the only requirement is to use 10.9 as the minimum target and then it should be possible to enable hardening using codesign. The problem is that while the ARM binary is built for macos 11.0, the X86_64 one has 10.8 as the target.

So it seems like if I bump the target version, you should be able to get your app (with fpcalc included) notarized?

I'll try to do that and send a link to you, as I'll need help with testing it.

Lukáš



barry 2manyrobots.com

Dec 24, 2021, 3:36:54 AM
to Lukáš Lalinský, Acoustid
Hi Lukáš,

This entire hardening/notarization process is a nightmare.  I spend as much time waiting for notarizations as developing.

My target OS is 10.10 and is a universal build and everything works.  The version of fpcalc I downloaded is also a universal build.  It should be able to be hardened.  The OS level works for them as the ARM part can only function on 11.0 or higher ... so a universal build with a target of 10.10 works fine. ... at least that's the way it works in Xcode.  I imagine it would work the same for command line builds.

If you do end up bumping the version number I won't be able to bundle it as I have to support 10.10 and the target OS affects both Intel and ARM builds. As I said .... a nightmare.

I'll be glad to test whatever you come up with.

Best regards,

Barry

Philipp Wolfer

Dec 24, 2021, 5:21:19 AM
to acou...@googlegroups.com, Barry
Hi,

On Fri, Dec 24, 2021 at 05:17, Lukáš Lalinský <lali...@gmail.com> wrote:

> Looking at some docs right now, hardening is done at codesign level, not at compile level.

Yes, this is done using codesign with the "--options runtime" parameter. For MusicBrainz Picard we just sign the fpcalc executable with the MetaBrainz signing keys, that way we can notarize the entire package.

Barry, that might also be a solution for you. Download the fpcalc from the chromaprint release page, do a checksum check to be sure it is the correct one and then codesign it with your app's keys.

I think for people shipping fpcalc as part of their app this usually would work. In general it would be of course nice if the chromaprint binaries already came codesigned by AcoustID. But that requires a yearly Apple subscription.
 

> It seems like the only requirement is to use 10.9 as the minimum target and then it should be possible to enable hardening using codesign. The problem is that while the ARM binary is built for macos 11.0, the X86_64 one has 10.8 as the target.
>
> So it seems like if I bump the target version, you should be able to get your app (with fpcalc included) notarized?

I'm not sure, I think the minimum target can be lower. It just needs to be built on 10.9 or later.

Has this changed with that release? We have been notarizing Picard with fpcalc 1.5 happily before, so if the minimum supported OS version was 10.8 before I think it should be fine for the 1.5.1 release as well.

Philipp
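
The approach described in the message above (checksum the downloaded fpcalc, then codesign it with `--options runtime`), as an added example that is not part of the thread and is not Chromaprint's or Picard's own tooling. The function names and the script name are hypothetical; the expected SHA-256 and the signing identity are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (constructed): pin the fpcalc download to a known SHA-256,
# re-sign it with the hardened runtime, then confirm the flag is present.

sha256_of() {                      # print the lowercase SHA-256 of a file
    [ -f "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # stock macOS
    fi
}

verify_sha256() {                  # verify_sha256 FILE EXPECTED_HEX
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

has_runtime_flag() {               # reads `codesign -d --verbose=4` output on stdin
    grep -Eq 'flags=0x[0-9a-fA-F]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)'
}

resign_hardened() {                # resign_hardened FILE EXPECTED_HEX IDENTITY
    # Refuse to put our signature on a binary that is not the pinned release.
    verify_sha256 "$1" "$2" || { echo "checksum mismatch, not signing: $1" >&2; return 1; }
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found (macOS only)" >&2; return 3; }
    # --options runtime enables the hardened runtime; --timestamp is needed for notarization.
    codesign --force --timestamp --options runtime --sign "$3" "$1" || return 4
    codesign --verify --strict "$1" || return 5
    # codesign -d writes its report to stderr, hence 2>&1.
    codesign -d --verbose=4 "$1" 2>&1 | has_runtime_flag || return 6
}

# Usage (hypothetical script name):
#   ./resign-fpcalc.sh fpcalc <sha256 recorded for the release> "<signing identity>"
if [ "$#" -eq 3 ]; then resign_hardened "$@"; fi
```

The checksum gate runs before signing because re-signing replaces the upstream signature, so after that step the pinned hash is the only remaining link to the released binary.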

Lukáš Lalinský

Dec 24, 2021, 6:18:00 AM
to Acoustid, Barry
On Fri, Dec 24, 2021 at 11:21 AM Philipp Wolfer <ph.w...@gmail.com> wrote:
>> It seems like the only requirement is to use 10.9 as the minimum target and then it should be possible to enable hardening using codesign. The problem is that while the ARM binary is built for macos 11.0, the X86_64 one has 10.8 as the target.
>>
>> So it seems like if I bump the target version, you should be able to get your app (with fpcalc included) notarized?
>
> I'm not sure, I think the minimum target can be lower. It just needs to be built on 10.9 or later.

The previous version of Chromaprint was built without specifying any target, so it was using the macOS version on which it was built and that was definitely newer than 10.9.

With 1.5.1, the target versions are explicitly specified:

 - 10.8 for the Intel version
 - 11.0 for the Apple version

But it looks like the hardened runtime is only available for 10.9 and newer. I'm doing a new build with 10.9 as the target for Intel CPUs, which should help.

Barry, can you try the macos-universal artifact from this build?


Lukas
