Codesigning & notarizing

matthias_livecode_150811 at m-r-d.de
Fri Feb 5 18:59:55 EST 2021


@Marty,

Great to hear that you finally got it working.

What I do not understand is why the code signed (without entitlements) sample standalone did run w/o crashing here, but on your Macs it crashed, although we are both using the same macOS version.
Anyway, using entitlements for code signing is recommended and easy to manage.

Matthias



-
Matthias Rebbe
Life Is Too Short For Boring Code

> On 05.02.2021 at 21:24, Marty Knapp via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> After much hair pulling and some help from Matthias I seem to have this solved. It appears that starting with LC 9.6.2 “entitlements” are needed even for web deployment (at least in the case of including revzip). The really weird part of this was if I swapped in the revzip bundle from 9.6.1 after building the standalone then entitlements were not needed. 
> 
> So for anyone else who runs into this, you can use the same entitlements that Livecode uses (in an entitlements.plist file):
> 
> <dict>
> 	<key>com.apple.security.cs.allow-jit</key>
> 	<true/>
> 	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
> 	<true/>
> 	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
> 	<true/>
> 	<key>com.apple.security.cs.disable-library-validation</key>
> 	<true/>
> 	<key>com.apple.security.cs.disable-executable-page-protection</key>
> 	<true/>
> 	<key>com.apple.security.device.audio-input</key>
> 	<true/>
> 	<key>com.apple.security.device.camera</key>
> 	<true/>
> 	<key>com.apple.security.personal-information.location</key>
> 	<true/>
> 	<key>com.apple.security.personal-information.addressbook</key>
> 	<true/>
> 	<key>com.apple.security.personal-information.photos-library</key>
> 	<true/>
> 	<key>com.apple.security.automation.apple-events</key>
> 	<true/>
> </dict> 
> 
> In Levure I used the same data above but saved into a “my app name.entitlements” file and then configured the app.yml file appropriately
> 
> In AppWrapper you need to set the following under Hardened Runtime:
> Allow Execution of JIT-compiled code
> Allow Unsigned executable memory
> Allow DYLD environment variables
> Disable library validation
> Disable executable memory protection
> 
> Marty
> 
> 
>> On Feb 4, 2021, at 2:28 PM, Marty Knapp <martyknappster at gmail.com> wrote:
>> 
>> I just updated to Xcode 11.3 and still have the issue. With revzip included, building with 9.6.2 it works fine *until* I codesign - either with the Levure app packager or with AppWrapper (tried versions 3 and 4). As soon as it starts to launch it crashes. If I take out revzip the app will open fine when code signed.
>> 
>> If rev zip was damaged it would not work in the unsigned app. Anything else that I should check? This is really frustrating.
>> 
>> Marty
>> 
>>> On Feb 4, 2021, at 1:09 PM, panagiotis merakos via use-livecode <use-livecode at lists.runrev.com> wrote:
>>> 
>>> Thanks for testing Matthias :)
>>> 
>>> On Thu, 4 Feb 2021, 23:08 Paul Dupuis via use-livecode, <
>>> use-livecode at lists.runrev.com> wrote:
>>> 
>>>> I should have added that we sign with entitlements (the same set LC uses)
>>>> 
>>>> On 2/4/2021 3:56 PM, panagiotis merakos via use-livecode wrote:
>>>>> @Marty
>>>>> 
>>>>> If you have not done it already, it might be worth adding entitlements to
>>>>> the codesign.
>>>>> 
>>>>> 
>>>>> https://lessons.livecode.com/m/4071/l/1293515-entitlements-for-signed-and-notarized-apps
>>>>> 
>>>>> I do not think it is the Xcode version that is the problem. I am on Mojave
>>>>> as well, so I can do a quick test if you send me the standalone that
>>>>> crashes. Also make sure you attach the stack to the bug report :)
>>>>> 
>>>>> Kind regards,
>>>>> Panos
>>>>> --
>>>>> 
>>>>> On Thu, 4 Feb 2021 at 22:47, Paul Dupuis via use-livecode <
>>>>> use-livecode at lists.runrev.com> wrote:
>>>>> 
>>>>>> I should add, we're not using Levure. We are using LC9.6.2rc2, we
>>>>>> codesign via Terminal on Mojave using Xcode 10.2.1
>>>>>> 
>>>>>> On 2/4/2021 3:37 PM, Paul Dupuis via use-livecode wrote:
>>>>>>> FYI - Our App includes the revZIP library. We codesign deep via
>>>>>>> Terminal command and get no crashes. Codesign, notarize, and staple
>>>>>>> without problems.
>>>>>>> 
>>>>>>> 
>>>>>>> On 2/4/2021 2:40 PM, Marty Knapp via use-livecode wrote:
>>>>>>>> Re: building a standalone in LC 9.6.2 rc2 with the “Revolution Zip”
>>>>>>>> library (crashes when codesigned)
>>>>>>>> 
>>>>>>>> Just filed a bug report on this - 23083
>>>>>>>> 
>>>>>>>> Marty
>>>>>>>> 
>>>>>>>>> On Feb 4, 2021, at 11:25 AM, Marty Knapp <martyknappster at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> I’ve narrowed this down to the “Revolution Zip” library. If I leave
>>>>>>>>> that out of Inclusions, I can build in 9.6.2 and codesign and all is
>>>>>>>>> well.
>>>>>>>>> 
>>>>>>>>> marty
>>>>>>>>> 
>>>>>>>>>> On Feb 3, 2021, at 2:59 PM, Mark Talluto via use-livecode
>>>>>>>>>> <use-livecode at lists.runrev.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi Marty,
>>>>>>>>>> 
>>>>>>>>>> My work is with LiveCode 9.6.2 rc2 and Xcode 11.3.1.
>>>>>>>>>> 
>>>>>>>>>> I have only a cursory understanding of Levure. From what I read,
>>>>>>>>>> Trevor has methods to codesign and even notarize inside of Levure’s
>>>>>>>>>> framework.
>>>>>>>>>> 
>>>>>>>>>> If your testing with a basic stack works as expected, maybe some
>>>>>>>>>> interaction is happening with the Levure Framework project. I am
>>>>>>>>>> certain Trevor knows best what may be happening here.
>>>>>>>>>> 
>>>>>>>>>> When you find out, please post back what you learn.
>>>>>>>>>> 
>>>>>>>>>> Best regards,
>>>>>>>>>> 
>>>>>>>>>> Mark Talluto
>>>>>>>>>> livecloud.io <http://livecloud.io/>
>>>>>>>>>> nursenotes.net <http://nursenotes.net/>
>>>>>>>>>> canelasoftware.com <http://www.canelasoftware.com/>
>>>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> use-livecode mailing list
>>>>>>>> use-livecode at lists.runrev.com
>>>>>>>> Please visit this url to subscribe, unsubscribe and manage your
>>>>>>>> subscription preferences:
>>>>>>>> http://lists.runrev.com/mailman/listinfo/use-livecode
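An added example (not from the thread and not LiveCode's own code): a Python check that parses an entitlements file like the one Marty posted, including a bare `<dict>` fragment with no plist wrapper, and separates the Hardened Runtime exceptions from the resource-access entitlements so a signer can see which protections the file relaxes. The one-line descriptions, the function names and the sample fragment are written for this example.

```python
import plistlib

# Hardened Runtime exceptions: each key relaxes a code-signing protection.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "writable+executable memory without MAP_JIT",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables can alter library loading",
    "com.apple.security.cs.disable-library-validation": "loads code signed by other teams",
    "com.apple.security.cs.disable-executable-page-protection": "turns off code-page protection entirely",
}
RESOURCE_PREFIXES = ("com.apple.security.device.", "com.apple.security.automation.",
                     "com.apple.security.personal-information.")
WRAP_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'

def load_entitlements(data: bytes) -> dict:
    """Parse entitlements XML; a bare <dict> fragment is wrapped first."""
    body = data.strip()
    if body.startswith(b"<dict>"):
        body = WRAP_HEAD + body + b"\n</plist>\n"
    ent = plistlib.loads(body)
    if not isinstance(ent, dict):
        raise ValueError("entitlements root must be a <dict>")
    return ent

def audit(ent: dict) -> dict:
    """Group entitlements that are set to true by what they relax or grant."""
    enabled = sorted(k for k, v in ent.items() if v is True)
    return {
        "runtime_exceptions": [k for k in enabled if k in RUNTIME_EXCEPTIONS],
        "resource_access": [k for k in enabled if k.startswith(RESOURCE_PREFIXES)],
        "unclassified": [k for k in enabled if k not in RUNTIME_EXCEPTIONS
                         and not k.startswith(RESOURCE_PREFIXES)],
    }

# Constructed sample: a bare fragment in the style posted above, one key set false.
SAMPLE = b"""<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
    <key>com.apple.security.device.camera</key><true/>
</dict>"""

if __name__ == "__main__":
    report = audit(load_entitlements(SAMPLE))
    for key in report["runtime_exceptions"]:
        print(f"hardened-runtime exception: {key} ({RUNTIME_EXCEPTIONS[key]})")
    print("resource access:", ", ".join(report["resource_access"]))
```

Run against the real entitlements file before signing, the report lists every runtime exception the build will carry, which makes it easy to test removing them one at a time.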




