[Libreoffice-bugs] [Bug 126409] Notarize LibreOffice builds so that it launches without warnings on macOS 10.15 Catalina
bugzilla-daemon at bugs.documentfoundation.org
bugzilla-daemon at bugs.documentfoundation.org
Sat May 23 09:41:58 UTC 2020
https://bugs.documentfoundation.org/show_bug.cgi?id=126409
--- Comment #49 from eisa01 <eisa01 at gmail.com> ---
Created attachment 161186
--> https://bugs.documentfoundation.org/attachment.cgi?id=161186&action=edit
Failed code sign due to Python framework
The code-signing shows non-clean results on a fresh install (no language pack),
no ticket is stapled, and the command line tool does not report LO as notarised
>spctl -vvv --assess --type exec LibreOffice.app/
>LibreOffice.app/: a sealed resource is missing or invalid
See attachment for full output
>codesign --verify --deep --verbose LibreOffice.app/
>LibreOffice.app/: a sealed resource is missing or invalid
In subcomponent:
This is a regression from when you tested this autumn in comment #24
I haven't opened a new bug about that as the issues are a bit related, or?
As per comment #41 passing -vvv is a requirement for notarisation: _The strict
flag increases the restrictiveness of the validation to match that required by
notarization._
Also, LO should possibly have the ticket stapled to it:
>> a degraded user experience, as the first time a user runs a new executable,
>>Apple delays execution while waiting for a reply from their server.
>The way to avoid this behavior is to staple the notarization ticket to your
>bundle (or dmg/pkg), i.e. "/usr/bin/stapler staple <path>."
>Otherwise, Gatekeeper will fetch the ticket and staple it for the user
>on the first run.
>I'm the author of xcnotary [1], a tool to make notarization way less
>painful, including uploading to Apple/polling for
>completion/stapling/troubleshooting various code signing issues.)
>[1] https://github.com/akeru-inc/xcnotary
https://news.ycombinator.com/item?id=23273396
>stapler validate LibreOffice.app/
>Processing: /Applications/LibreOffice.app
>LibreOffice.app does not have a ticket stapled to it.
For some reason there's no ticket stapled after first run either, which
indicates it's not fully compliant given what the author of the xcnotary tool
says?
---
Checking another popular open source app, Firefox, seems to have everything
working in contrast to LO. Opening the app for the first time does not show a
"verify" progress bar as LO does, and all the required steps above are
satisified (all of these fail on LO)
>stapler validate Firefox.app/
>Processing: /Applications/Firefox.app
>The validate action worked!
>spctl -vvv --assess --type exec Firefox.app/
>Firefox.app/: accepted
>source=Notarized Developer ID
>origin=Developer ID Application: Mozilla Corporation (43AQ936H96)
>codesign --verify --deep --verbose Firefox.app/
>Firefox.app/: valid on disk
>Firefox.app/: satisfies its Designated Requirement
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20200523/404ba6b4/attachment-0001.htm>
More information about the Libreoffice-bugs
mailing list