[BUG] - macOS binaries can't be opened because of "X can’t be opened because it is from an unidentified developer" error #3285

Open
arielelkin opened this issue Oct 11, 2021 · 8 comments
Labels
bug Something isn't working

Comments

@arielelkin

Internal/External
External otherwise.

Area
Other Any other topic (Delegation, Ranking, ...).

Summary
Trying to open any of the macOS binaries results in this error message:

X can’t be opened because it is from an unidentified developer

System info (please complete the following information):

  • OS Name: macOS
  • OS Version: 11.6

Additional context
None of the macOS binaries work out of the box as they and their associated dylibs haven't been codesigned, which results in macOS's Gatekeeper preventing their execution and showing an error message:

X can’t be opened because it is from an unidentified developer

Having to sudo, or right-click open, or changing Security settings on an ad-hoc basis for every single binary and dylib is not a viable solution. It's not aligned with platform standards, it's not user-friendly, and it's an unnecessary hurdle for novice programmers.

Also see cardano-foundation/cardano-wallet#2966

@Jimbo4350
Contributor

Closing this. If this is still relevant please reopen.

@arielelkin
Author

@Jimbo4350 I think this issue is still relevant, but I don't have the ability to reopen. Could you please reopen?

@Jimbo4350
Contributor

I've asked for input from @newhoggy

@Jimbo4350 Jimbo4350 reopened this Oct 29, 2022
@newhoggy
Contributor

Reproduced on this download: https://hydra.iohk.io/build/17428186

Screen Shot 2022-10-31 at 2 35 40 pm

@newhoggy
Contributor

This is the current situation:

We only sign Mac binaries in Daedalus.
Signing and notarization aren't part of the normal CI.
That could potentially change with our new CI build system, but don't expect it anytime soon.

@arielelkin
Author

What's your rationale for not signing Mac binaries?

@disassembler
Contributor

Signing is easy, automation of notarization is a bear, and upstream Apple keeps breaking our process (for Daedalus signing) that usually halts the release process for weeks waiting for legal sign off for new license agreements, or a forced upgrade to a new version of OS X because Xcode needs upgraded, etc... Windows is just as much a pain being connected to an HSM that needs manually touched every few weeks. Because the automation around signing Windows and Mac binaries is so complicated we only do it with Daedalus releases at the moment. If everyone would just adopt regular PGP signatures across all platforms my life would be a lot easier...

@arielelkin
Author

@disassembler if you have signing set up, notarization is just these two commands:

xcrun notarytool submit $PATH_TO_SIGNED_BINARY \
    --apple-id $IOG_APPLEID \
    --password $IOG_APPLEID_PASSWORD \
    --team-id $IOG_TEAMID \
    --progress \
    --wait

xcrun stapler staple $PATH_TO_SIGNED_BINARY

Have you tried adding that to your CI pipeline?
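
Added example (not part of the thread and not the project's code): a pre-submission check a CI job could run before the `notarytool submit` step quoted above, classifying the report that `codesign -dvv` prints. It assumes the usual layout of that report and Apple's notarization prerequisites (Developer ID Application signature, hardened runtime, secure timestamp); the function names and sample reports are constructed.

```shell
#!/bin/sh
# Added example: decide whether a binary is ready for `notarytool submit`
# by classifying the text that `codesign -dvv` prints for it.

# Reads a codesign report on stdin and prints exactly one state word.
classify_signature() {
    devid=no; runtime=no; stamp=no
    while IFS= read -r line; do
        case "$line" in
            *"not signed at all"*) echo unsigned; return 0 ;;
            Signature=adhoc)       echo adhoc; return 0 ;;
            "Authority=Developer ID Application:"*) devid=yes ;;
            CodeDirectory*flags=*runtime*)          runtime=yes ;;
            Timestamp=*)                            stamp=yes ;;
        esac
    done
    [ "$devid" = yes ]   || { echo no-developer-id; return 0; }
    [ "$runtime" = yes ] || { echo no-hardened-runtime; return 0; }
    [ "$stamp" = yes ]   || { echo no-secure-timestamp; return 0; }
    echo ready
}

# codesign writes its -d report to stderr, hence 2>&1 (macOS only).
check_binary() { codesign -dvv "$1" 2>&1 | classify_signature; }

# Constructed sample reports (names, team ID and dates are made up).
sample_unsigned() { echo "/tmp/example-bin: code object is not signed at all"; }
sample_adhoc() { cat <<'EOF'
Identifier=example-bin
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+0 location=embedded
Signature=adhoc
TeamIdentifier=not set
EOF
}
sample_no_runtime() { cat <<'EOF'
Identifier=example-bin
CodeDirectory v=20400 size=512 flags=0x0(none) hashes=8+0 location=embedded
Authority=Developer ID Application: Example Org (ABCDE12345)
Signed Time=31 Oct 2022 at 14:35:40
TeamIdentifier=ABCDE12345
EOF
}
sample_ready() { cat <<'EOF'
Identifier=example-bin
CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=8+0 location=embedded
Authority=Developer ID Application: Example Org (ABCDE12345)
Timestamp=31 Oct 2022 at 14:35:40
TeamIdentifier=ABCDE12345
EOF
}

if [ "$#" -gt 0 ]; then check_binary "$1"; fi
```

Run on macOS with the path to a binary or dylib as the only argument; any state other than `ready` means the notarization submission would be rejected or the file is not yet signed for distribution.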
