Bug 7469 - Apple notarization of the ThinLinc Client no longer works
Summary: Apple notarization of the ThinLinc Client no longer works
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: trunk
Hardware: Mac macOS
Importance: P2 Normal
Target Milestone: 4.12.0
Assignee: Samuel Mannehed
Reported: 2020-02-13 12:40 CET by Samuel Mannehed
Modified: 2020-03-27 13:45 CET



Attachments
Log from Apple for the latest successful notarization of tlclient (16.35 KB, application/json)
2020-02-13 12:40 CET, Samuel Mannehed
Log from Apple for a failed notarization of tlclient after Feb 3 2020 (11.22 KB, application/json)
2020-02-13 12:41 CET, Samuel Mannehed

Description Samuel Mannehed cendio 2020-02-13 12:40:45 CET
Created attachment 922
 Log from Apple for the latest successful notarization of tlclient

Since Feb 3 2020 Apple have made the requirements more strict for notarizing apps:

https://developer.apple.com/news/?id=12232019a

Ever since we started notarizing the macOS tlclient in bug 7371 we have gotten warnings about pulseaudio, ssh and all other helper binaries that the ThinLinc Client uses. Now with the new strict prerequisites these warnings have turned into errors.
Comment 1 Samuel Mannehed cendio 2020-02-13 12:41:28 CET
Created attachment 923
 Log from Apple for a failed notarization of tlclient after Feb 3 2020
Comment 2 Samuel Mannehed cendio 2020-02-14 15:53:52 CET
There are three different problems with the package that the notarization complains about:

 * libraries and sub-binaries are not signed
 * libraries and sub-binaries do not have a timestamp
 * main app and sub-binaries do not have hardened runtime enabled
Comment 3 Samuel Mannehed cendio 2020-02-14 16:14:10 CET
We currently sign only the main app with the options deep and timestamp. This resource at developer.apple.com says it's not recommended to use --deep:

https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG404

> Important: While the --deep option can be applied to a signing operation, this is not recommended. We recommend that you sign code inside out in individual stages (as Xcode does automatically). Signing with --deep is for emergency repairs and temporary adjustments only

So we should ideally not sign with --deep anymore.

(In reply to comment #2)
>  * libraries and sub-binaries are not signed
>  * libraries and sub-binaries do not have a timestamp

I tested manually signing each binary and library that the notarization complained about with --timestamp, and then signing the main app without --deep. After I tried notarizing that one it no longer complained about the above two issues.

We should try to make the script find which files in the bundle need signing without a hard-coded list.
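The procedure comments 2 and 3 converge on (every helper binary and library signed individually with a timestamp and the hardened runtime, then the main app, inside out and without --deep, with no hard-coded file list) can be scripted as below. This is an added example, not Cendio's own build or signing script: it discovers signable items by inspecting file headers for Mach-O magic rather than by name, orders them deepest first so nested frameworks are signed before the bundle that contains them, and builds every codesign invocation with --timestamp and --options runtime. The bundle layout created by make_sample_bundle() is constructed for offline testing (files carry only the magic bytes, not real code); the signing-identity string, the entitlements parameter and the injectable `run` hook are assumptions of the example, and actually signing requires Apple's codesign on macOS.

```python
#!/usr/bin/env python3
"""Inside-out codesign of a macOS .app bundle for notarization (added example)."""
import os
import struct
import subprocess
import sys
import tempfile

# Mach-O magic numbers in both byte orders, plus the big-endian fat ("universal") header.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
# Directory suffixes that codesign treats as bundles and that must be signed as a unit.
BUNDLE_SUFFIXES = (".app", ".framework", ".bundle", ".xpc", ".appex", ".plugin")


def is_macho(path):
    """True if `path` is a thin or fat Mach-O file, judged by its header only."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC:
        # 0xCAFEBABE is also the Java class-file magic. A fat header follows it with a
        # small nfat_arch count; a class file has its version number there (>= 45).
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return nfat_arch < 30
    return False


def plan_signing(bundle):
    """Return everything to sign, deepest path first, ending with `bundle` itself.

    Sorting by depth is what gives Apple's "inside out" order without --deep: a
    framework's libraries precede the framework, and all of it precedes the .app.
    """
    bundle = os.path.abspath(bundle)
    items = []
    for root, dirs, files in os.walk(bundle):
        for d in dirs:
            p = os.path.join(root, d)
            if d.endswith(BUNDLE_SUFFIXES) and not os.path.islink(p):
                items.append(p)
        for name in files:
            p = os.path.join(root, name)
            if not os.path.islink(p) and is_macho(p):
                items.append(p)
    items.sort(key=lambda p: (-p.count(os.sep), p))  # deeper first, then stable
    return items + [bundle]


def codesign_command(path, identity, entitlements=None):
    """The invocation notarization expects: signed, timestamped, hardened runtime.
    --force replaces any stale signature; --deep is deliberately absent."""
    cmd = ["codesign", "--force", "--timestamp", "--options", "runtime", "--sign", identity]
    if entitlements:  # assumed optional hook: hardened-runtime entitlements plist
        cmd += ["--entitlements", entitlements]
    return cmd + [path]


def sign_bundle(bundle, identity, entitlements=None, run=subprocess.run):
    """Sign every planned item in order, then verify. `run` is injectable so the
    plan can be exercised on a machine without codesign."""
    for path in plan_signing(bundle):
        run(codesign_command(path, identity, entitlements), check=True)
    # Apple warns against *signing* with --deep; verifying with it is fine.
    run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", bundle], check=True)
    return True


def make_sample_bundle(parent=None):
    """Constructed fake bundle for offline tests: magic bytes only, no real code."""
    root = os.path.join(parent or tempfile.mkdtemp(), "Sample.app")
    files = {
        "Contents/Info.plist": b"<plist/>",
        "Contents/MacOS/sample": b"\xcf\xfa\xed\xfe" + b"\0" * 28,               # 64-bit Mach-O
        "Contents/MacOS/ssh": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\0" * 24,   # fat, 2 archs
        "Contents/Frameworks/libhelper.dylib": b"\xfe\xed\xfa\xcf" + b"\0" * 28,
        "Contents/Frameworks/Bar.framework/Versions/A/Bar": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
        "Contents/Resources/Java.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",     # JVM, not fat
        "Contents/Resources/icon.png": b"\x89PNG\r\n\x1a\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sign_bundle.py <App.app> '<Developer ID Application: ...>'")
    sign_bundle(sys.argv[1], sys.argv[2])
```

Two practitioner caveats. First, `codesign -dvv Foo.app` is the check that the result actually carries what the notary service looks for: the CodeDirectory line should show `flags=0x10000(runtime)` and a `Timestamp=` line should be present; the same check on each helper binary catches the case this bug describes, where only the outer app was ever signed. Second, enabling the hardened runtime restricts what the helpers may do at run time, so a helper that records audio needs the corresponding entitlement (com.apple.security.device.audio-input) or recording silently fails; the bug does not say which entitlements, if any, Cendio ended up granting, which is why the example leaves that as a parameter.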
Comment 15 Samuel Mannehed cendio 2020-03-02 15:22:45 CET
Should be ready for testing now.
Comment 16 Pierre Ossman cendio 2020-03-27 13:45:28 CET
Seems to work fine.

I followed our signing instructions which correctly signed and notarised the client. It was accepted by macOS 10.15 both when downloaded as a .iso or the entire client bundle. (A dialog popped up where it was possible to click "open")

I tested:

 * Local drives
 * Smart cards
 * Local printer
 * Audio playback
 * Audio recording

Everything works correctly.
