[Libreoffice-bugs] [Bug 126409] Notarize LibreOffice builds so that it launches without warnings on macOS 10.15 Catalina

Mon May 25 20:06:21 UTC 2020

https://bugs.documentfoundation.org/show_bug.cgi?id=126409

--- Comment #53 from eisa01 <eisa01 at gmail.com> ---
(In reply to Christian Lohmaier from comment #50)
> Creation of compiled py files (pyc) is also something that only happens
> after LO was launched. So similar to the languagepack installation it is a
> post-gatekeeper modification of the .app bundle. Not nice, for sure, but
> unrelated to gatekeeper/notarization when doing the first-launch
> verification by macOS
Ah, ok

> 
> a .app copied from the dmg to your local disk before launching it should
> verify:
Yup, I can also see that now

> (and launching it for the first time should show the dialog with the 
> "..downloaded from... checked by apple for malware and none was found"
> dialog.)
> 
> After having launched LO (or more specifically: doing something that
> triggers initialization of python, i.e. opening/creating a writer document →
> some writing aids use python → python creates it pyc files) I can confirm
> the python files messing up the integrity on disk, but as said: that is
> after LO was already green-lit by gatekeeper.
But I guess we have no guarantee that it doesn't cause problems (e.g., the
mysterious save-as issues)

At least after those python files are created, macOS doesn't treat the .app as
notarised any more if it does a recheck. Who knows when that happens, or if the
behaviour will change in a future system update

> ######### stapling ###########
> as for stapling: In LO's case: the thing you download is stapled, not just
> the contents, so the dmg has the notarization-staple-info for the app
> assigned to it.
> 
> ###
> > Opening the app for the first time does not show a "verify" progress bar as LO does,
> 
> likely because the Firefox app is too small/the scanning is fast enough to
> not make it trigger a dialog for that. If you mean verify progress when
> opening the dmg: that happens for firefox as well/any dmg, but that is just
> checksum based verification of the dmg for download errors.
Ah, true. Thanks for explaining all of this!

----

So in a nutshell: LO is notarised on first launch, but as soon as you do
something the .app bundle is corrupted and the .app is no longer notarised

So technically WFM, but I'm not sure there's any point in creating a new bug
"Notarisation corrupted" of "highest/critical" rating and readding everyone to
CC from this bug?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20200525/a1c4b877/attachment.htm>