[cbi-dev] Be aware of changes in Mac executable signing service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[cbi-dev] Be aware of changes in Mac executable signing service

From: David M Williams <david_williams@xxxxxxxxxx>
Date: Wed, 15 Oct 2014 13:57:13 -0400
Delivered-to: cbi-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cbi-dev>
List-help: <mailto:cbi-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=unsubscribe>

In case you haven't heard by now, Apple has changed its "signing rules" for *.app bundles (effective with Maverick 10.9.5) [1].
This is one reason we get some bug reports of "not signed" from Mac Users, and for the time being, all we can do is to point them to the "user work-around" to by-pass the security check. [2]

But, it also leads to several things that committers who use the "mac signing" service at the Eclipse Foundation should be aware of.

First and foremost, thanks to the webmasters tireless efforts, the "infrastructure" changes to use the new signing tools are in place (or, nearly so). [3] [4]

Second, and still an unsolved issue, the "new rules" basically say "no resources in code executable directories" and "Everything under X.app is sealed and can not be changed" (that is, can not be changed, without invalidating the signature). The creates an immediate problem for our "eclipse.ini" file [5] and prevents some longer term "quick fixes" we had in mind to distribute "Mac Apps" instead of our current scheme of distributing a zipped up directory that "points to" a "Mac App" [6].

So, I wanted to give notice to this list -- please comment on any of the bugs if you have suggestions for improvements or can help with fixes such as for the eclipse.ini problem [5].

In a perfect world, we'd have "plenty of Macs" and a large support staff, and then have a transition period where the "old signing tool" still worked for a while, but am sure you all understand we have constrained resources, so have to make the change "all at once". If anyone uses this signing service (independent of the Eclipse Platform) you'll need to be aware of the changes and make changes to your code and may have to disable signing until you do (or, else the build will fail, with a "failed to sign" error). And, I suspect, we may learn more, as we go along.

Once the dust settles a little, a version of this note should go out to "the committers" list ... but, I thought "cbi-dev" was a good place to start, in case there is any "cbi discussion" that should happen first.

Thanks for reading,

[1] https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205
[2] https://discussions.apple.com/thread/6551715
[3] Bug 445050 - Need to update "Mac signing service"
[4] Bug 447410 - Change "mac signing" PHP script to adhere to Apple's new rules.
[5] Bug 446390 - Change location of eclipse.ini (for Max OS X signing)
[6] Bug 431116 - Releases for Mac OS X should be bundled as a proper "Mac App" and/or "Library"

Prev by Date: Re: [cbi-dev] [platform-dev] Splitting SonarQube analysis?
Next by Date: [cbi-dev] A note on Eclipse hardware
Previous by thread: Re: [cbi-dev] [platform-dev] Splitting SonarQube analysis?
Next by thread: [cbi-dev] A note on Eclipse hardware
Index(es):
- Date
- Thread

Breadcrumbs