Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#9148 closed defect (fixed)

Daily build Mac notarization failed after update to Python 3.11

Reported by: Owned by: Tom Goddard
Priority: high Milestone:
Component: Build System Version:
Keywords: Cc: Eric Pettersen, Zach Pearson
Blocked By: Blocking:
Notify when closed: Platform: all
Project: ChimeraX

Description

Notarization of the Mac ARM, Intel and universal daily builds failed last night. Apple complained about a python.o file not being signed in our distribution:

{
  "logFormatVersion": 1,
  "jobId": "c509b35a-18f4-47da-8c28-5b055dadd14e",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "chimerax.dmg",
  "uploadDate": "2023-06-08T10:07:40Z",
  "sha256": "d50b7464b9b0e4e5e39151bb21617981b8d55619c8f1bef06f551777e4014bce",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "chimerax.dmg/ChimeraX_Daily.app/Contents/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/config-3.11-darwin/python.o",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": null
    },
    {
      "severity": "error",
      "code": null,
      "path": "chimerax.dmg/ChimeraX_Daily.app/Contents/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/config-3.11-darwin/python.o",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": null
    }
  ]
}

Change History (4)

comment:1 by Tom Goddard, 2 years ago

Our build_tools/macosx_package/notarize.py script did not sign this python.o file, claiming it is not a Mach-O binary. This seems like a bug in the PyPI lief package that notarize.py uses, because the shell "file python.o" command says it is a Mach-O binary. Here is what it says on euclid, our Mac ARM build machine:

$ file python.o
python.o: Mach-O universal binary with 2 architectures: [x86_64:LLVM bitcode, wrapper x86_64
- LLVM bitcode, wrapper x86_64] [arm64:LLVM bitcode, wrapper
- LLVM bitcode, wrapper]
python.o (for architecture x86_64):	LLVM bitcode, wrapper x86_64
python.o (for architecture arm64):	LLVM bitcode, wrapper

comment:2 by Tom Goddard, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed I think.

I changed the notarize.py script to sign ".o" files even if lief fails to recognize them. There was already an exception in the script added a year ago for Mac ARM to handle ".a" files.

We are using lief version 0.12.1 from PyPI, released April 7, 2022, installed in the build machines' system Python (/usr/bin/python3 on euclid.cgl.ucsf.edu and essex2.cgl.ucsf.edu). The current version is 0.13.1, released May 28, 2023, and it also does not recognize the python.o file. I did not update to 0.13.1 because it is not available for Python 3.8, and our Mac ARM build machine (macOS 12.x) has system Python version 3.8.
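A header-level check of the kind the fix above falls back to, as an added example that is not ChimeraX's notarize.py or lief: it reads the Mach-O fat header directly, so a universal object whose slices are LLVM bitcode (what `file` reports for this python.o) is still queued for codesign even when a Mach-O parser does not recognize it. The sample file is constructed test data, not the real python.o, and the `make_fat` helper exists only to build it.

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # MH_MAGIC, MH_MAGIC_64
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}   # MH_CIGAM, MH_CIGAM_64
BITCODE_MAGICS = {b"\xde\xc0\x17\x0b",  # LLVM bitcode wrapper (0x0B17C0DE, little-endian)
                  b"BC\xc0\xde"}        # raw LLVM bitcode stream

def classify_slice(blob: bytes) -> str:
    """Classify a thin file, or one slice of a fat file, by its leading magic."""
    head = blob[:4]
    if head in MACHO_MAGICS:
        return "macho"
    if head in BITCODE_MAGICS:
        return "bitcode"
    return "unknown"

def classify(blob: bytes) -> list:
    """One kind for a thin file, one kind per architecture slice for a fat file."""
    if len(blob) < 8:
        return ["unknown"]
    magic, nfat = struct.unpack(">II", blob[:8])
    # 0xCAFEBABE also opens Java class files, where the second word is the
    # class-file version (>= 45); a small nfat_arch means a genuine fat header.
    if magic in (FAT_MAGIC, FAT_MAGIC_64) and 0 < nfat < 45:
        arch_fmt = ">IIQQII" if magic == FAT_MAGIC_64 else ">IIIII"  # fat_arch_64 / fat_arch
        arch_len = struct.calcsize(arch_fmt)
        kinds = []
        for i in range(nfat):
            fields = struct.unpack_from(arch_fmt, blob, 8 + i * arch_len)
            offset, size = fields[2], fields[3]
            kinds.append(classify_slice(blob[offset:offset + size]))
        return kinds
    return [classify_slice(blob)]

def needs_codesign(blob: bytes) -> bool:
    """True if codesign should run on this file regardless of what a Mach-O parser says."""
    return any(kind in ("macho", "bitcode") for kind in classify(blob))

def make_fat(slices) -> bytes:
    """Constructed 32-bit fat file from (cputype, payload) pairs; test data, not a real python.o."""
    offset, archs, payload = 8 + 20 * len(slices), b"", b""
    for cputype, data in slices:
        archs += struct.pack(">IIIII", cputype, 0, offset, len(data), 0)
        payload, offset = payload + data, offset + len(data)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + payload

# Constructed stand-in for the python.o in the ticket: x86_64 and arm64 bitcode-wrapper slices.
BITCODE_SLICE = b"\xde\xc0\x17\x0b" + b"\x00" * 16
SAMPLE_PYTHON_O = make_fat([(0x01000007, BITCODE_SLICE), (0x0100000C, BITCODE_SLICE)])
```

Running `classify(SAMPLE_PYTHON_O)` yields one "bitcode" entry per slice, so `needs_codesign` returns True for exactly the file that was skipped.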

comment:3 by Tom Goddard, 2 years ago

The daily build email failed to mention that notarization failed. This was because the notarize.py script returned success exit code 0. I fixed the notarize.py script so it raises an error if notarization completes but fails because Apple detected errors.

comment:4 by Eric Pettersen, 2 years ago

Component: Unassigned → Build System