feat(cli): add macos hardened runtime signing config option #9318

Open
wants to merge 3 commits into
base: dev

@thewh1teagle thewh1teagle commented Mar 31, 2024

On macOS, when building a dmg with an ad-hoc signature and the app depends on Frameworks (dynamic shared libraries, dylib files), they won't load and the app will crash with an error message box.

I found that if we disable the signing flag in the macOS bundler passed from tauri-cli, it won't crash.
The flag that is passed is --option runtime in tooling/bundler/src/bundle/macos/sign.rs#L210

Crash log:
Termination Reason:    Namespace DYLD, Code 1 Library missing
Library not loaded: @rpath/libavcodec.60.dylib
Referenced from: <D007FD2C-8AD0-336A-944D-C186621D1CEF> /Volumes/VOLUME/vibe.app/Contents/MacOS/vibe
Reason: tried: '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
(terminated at launch; ignore backtrace)

man codesign:
     -o, --options flag,...
             During signing, specifies a set of option flags to be embedded in
             the code signature. The value takes the form of a comma-separated
             list of names (with no spaces). Alternatively, a numeric value
             can be used to directly specify the option mask (CodeDirectory
             flag word). See OPTION FLAGS below.

Flags:
             runtime              Preserve the hardened runtime version (-o
                                  runtime flag, --runtime-version option)
                                  instead of overriding or deriving the
                                  version.

This PR introduces a way to control the flag through tauri.conf.json:

  "bundle": {
    "macOS": {
      "signingIdentity": "-",
      "hardenedRuntime": false
    }
  }

I believe that the macOS bundling process needs to be much more flexible.
Currently I have no other option to control the final signing of the app, and tauri enforces this runtime flag; as a result the final binary can't run and I can't publish it for macOS (arm).

@thewh1teagle thewh1teagle requested a review from a team as a code owner March 31, 2024 21:04
@lucasfernog lucasfernog changed the title feat(cli): add macos signing config option feat(cli): add macos hardened runtime signing config option Apr 2, 2024
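
An added example, not part of the pull request or of Tauri's code: a Python check over the output of codesign -dvvv that flags bundled libraries likely to hit the Team ID error shown in the crash log above. The sample output, paths and function names are constructed for illustration, and the matching rule is a simplified assumption that does not inspect entitlements.

```python
import re

# Constructed sample `codesign -dvvv` output (not taken from the PR).
# Paths, identifiers and sizes are made up for illustration.
SAMPLE_APP = """\
Executable=/Applications/demo.app/Contents/MacOS/demo
Identifier=com.example.demo
CodeDirectory v=20500 size=1830 flags=0x10002(adhoc,runtime) hashes=46+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
SAMPLE_DYLIB = """\
Executable=/Applications/demo.app/Contents/Frameworks/libexample.dylib
Identifier=libexample
CodeDirectory v=20400 size=912 flags=0x20002(adhoc,linker-signed) hashes=25+0 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""

def parse_codesign(text):
    """Extract path, CodeDirectory flag names and Team ID from codesign -dvvv output."""
    fields = dict(line.split("=", 1) for line in text.splitlines()
                  if "=" in line and not line.startswith("CodeDirectory"))
    m = re.search(r"^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([^)]*)\)", text, re.M)
    flags = set(m.group(1).split(",")) if m and m.group(1) else set()
    team = fields.get("TeamIdentifier", "not set")
    return {"path": fields.get("Executable", "?"), "flags": flags,
            "team": None if team == "not set" else team}

def library_validation_findings(app_text, lib_texts):
    """Return paths of libraries expected to be rejected at load time.

    Simplified model (assumption): when the main executable carries the
    `runtime` flag, a non-platform library loads only if it has the same,
    non-empty Team ID. Entitlements are not inspected.
    """
    app = parse_codesign(app_text)
    if "runtime" not in app["flags"]:
        return []  # hardened runtime off: no Team ID check modelled here
    return [lib["path"] for lib in map(parse_codesign, lib_texts)
            if lib["team"] is None or lib["team"] != app["team"]]
```

Feed it the real output of codesign -dvvv for the main executable and for each file under Contents/Frameworks to see which libraries the hardened runtime setting would affect.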