Bug 8476 - Apple code signing cert is about to expire
Summary: Apple code signing cert is about to expire
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.19.0
Assignee: Samuel Mannehed
URL:
Keywords: linma_tester, prosaic
Depends on:
Blocks:
 
Reported: 2024-12-12 09:40 CET by Samuel Mannehed
Modified: 2025-02-19 16:10 CET

See Also:
Acceptance Criteria:
MUST:
* The certificate we use must be valid for around the time we intend to do the 4.19.0 release, which is summer 2025.
* Our certificate must work for signing and notarizing our macOS client.
* The signed and notarized client must still work.

SHOULD:
* Our README instructions should be updated to match how things are done now.


Description Samuel Mannehed cendio 2024-12-12 09:40:57 CET
We have a certificate used for signing our client code for macOS. It will expire next spring and needs to be renewed.

The deadline is 2025-02-05.
Comment 1 Samuel Mannehed cendio 2024-12-12 09:43:41 CET
The certificate was generated, downloaded and copied to the apple-signing machine we have. What remains is for the p12 file to be installed on the apple-signing machine, and for the changes to be committed:

 pki/codesign_apple.p12      | Bin 3045 -> 3296 bytes
 pki/codesign_apple_cert.der | Bin 1442 -> 1442 bytes
 pki/codesign_apple_csr.pem  |  24 +++++++++----------
 pki/codesign_apple_key.pem  |  56 ++++++++++++++++++++++----------------------
 4 files changed, 40 insertions(+), 40 deletions(-)

This will be done after the 4.18.0 release.
Comment 2 Samuel Mannehed cendio 2025-01-07 18:03:45 CET
Following the instructions in ctc/pki/README, I got a codesign_apple.p12 which couldn't be used on our sign-server. It complained that the password for the certificate key was wrong, despite me double-checking that it was correct.

I am not sure why, but an upgrade from macOS 14 to macOS 15 resolved that issue.
Comment 4 Samuel Mannehed cendio 2025-01-07 18:12:47 CET
The new certificate seems to work fine. I used ctc/buildtools/bin/download-sign-bundles to sign & notarize the macOS client; that process worked fine.

I then downloaded it from my workstation on our M1 Mac in the lab to test. It installed and started just fine.

The instructions in our README need some updating.
Comment 6 Samuel Mannehed cendio 2025-01-08 12:43:49 CET
README has now been updated.

I also tested mouse, keyboard input, local drives, sound & mic with the newly signed Mac client. Works fine.
Comment 7 Linn cendio 2025-02-19 16:10:28 CET
Tested on macOS 15.3 and things look good.

> MUST:
> * The certificate we use must be valid for around the time we intend to do the
> 4.19.0 release, which is summer 2025.
Yes, the cert is valid until Q1 2027. Checked on the Apple website.
> * Our certificate must work for signing and notarizing our macOS client.
> * The signed and notarized client must still work.
Tested building the client iso and signing it manually through the script "sign-macos-iso". When opening the iso on macOS, I did not get the popup regarding an untrusted application. Also logged in to the session and tested the mic, worked well.

> SHOULD:
> * Our README instructions should be updated to match how things are done now
Looked through the README and the changes there look good. On the signing server, I followed the new instructions (except for deleting the cert), and the additional info is correct.
