#9148 closed defect (fixed)
Daily build Mac notarization failed after update to Python 3.11
Reported by: | = | Owned by: | Tom Goddard |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | Build System | Version: | |
Keywords: | Cc: | Eric Pettersen, Zach Pearson | |
Blocked By: | Blocking: | ||
Notify when closed: | Platform: | all | |
Project: | ChimeraX |
Description
Notarization of the Mac ARM, Intel and universal daily builds failed last night. Apple complained about a python.o file not being signed in our distribution:
    {
      "logFormatVersion": 1,
      "jobId": "c509b35a-18f4-47da-8c28-5b055dadd14e",
      "status": "Invalid",
      "statusSummary": "Archive contains critical validation errors",
      "statusCode": 4000,
      "archiveFilename": "chimerax.dmg",
      "uploadDate": "2023-06-08T10:07:40Z",
      "sha256": "d50b7464b9b0e4e5e39151bb21617981b8d55619c8f1bef06f551777e4014bce",
      "ticketContents": null,
      "issues": [
        {
          "severity": "error",
          "code": null,
          "path": "chimerax.dmg/ChimeraX_Daily.app/Contents/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/config-3.11-darwin/python.o",
          "message": "The binary is not signed.",
          "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
          "architecture": null
        },
        {
          "severity": "error",
          "code": null,
          "path": "chimerax.dmg/ChimeraX_Daily.app/Contents/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/config-3.11-darwin/python.o",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
          "architecture": null
        }
      ]
    }
Change History (4)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed I think.
I changed the notarize.py script to sign ".o" files even if lief fails to recognize them. There was already an exception in the script added a year ago for Mac ARM to handle ".a" files.
We are using lief version 0.12.1 from PyPI, released April 7, 2022, installed on the build machines' system Python (/usr/bin/python3 on euclid.cgl.ucsf.edu and essex2.cgl.ucsf.edu). The current version is 0.13.1, released May 28, 2023, and it also does not recognize the python.o file. I did not update to 0.13.1 because it is not available for Python 3.8 and our Mac ARM build machine (macOS 12.x) has system Python version 3.8.
comment:3 by , 2 years ago
The daily build email failed to mention that notarization failed. This was because the notarize.py script returned success exit code 0. I fixed the notarize.py script so it raises an error if notarization completes but fails because Apple detected errors.
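The check described in comment 3, as an added example that is not part of the ticket and not ChimeraX's notarize.py: it parses a notarization log in the format quoted in the description and fails the build step unless Apple accepted the submission with no error-severity issues. The function and class names, the sample paths, and the assumption that "Accepted" is the only success status are choices made for this example.

```python
import json
import sys

# Constructed sample in the log format quoted in the ticket (paths are made up).
SAMPLE_REJECTED = json.dumps({
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "issues": [
        {"severity": "error", "path": "app.dmg/Example.app/lib/python.o",
         "message": "The binary is not signed."},
        {"severity": "error", "path": "app.dmg/Example.app/lib/python.o",
         "message": "The signature does not include a secure timestamp."},
    ],
})


class NotarizationError(RuntimeError):
    """Apple processed the submission but did not accept it."""


def check_notarization_log(log_text):
    """Return warning issues if accepted; raise NotarizationError otherwise."""
    log = json.loads(log_text)
    status = log.get("status")
    issues = log.get("issues") or []  # "issues" may be null when none were found
    errors = [i for i in issues if i.get("severity") == "error"]
    # Assumption: "Accepted" is the only status value that means success.
    if status != "Accepted" or errors:
        by_path = {}
        for issue in errors:
            by_path.setdefault(issue.get("path"), []).append(issue.get("message", ""))
        lines = [f"notarization status {status!r}: {log.get('statusSummary')}"]
        lines += [f"  {path}: {' '.join(msgs)}" for path, msgs in by_path.items()]
        raise NotarizationError("\n".join(lines))
    return [i for i in issues if i.get("severity") == "warning"]


if __name__ == "__main__":
    # Usage: script.py notary-log.json (with no argument, checks the sample above).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REJECTED
    try:
        for warning in check_notarization_log(text):
            print("warning:", warning.get("path"), warning.get("message"))
    except NotarizationError as err:
        sys.exit(str(err))  # message goes to stderr, exit status is 1
```

Because the failure surfaces as a non-zero exit status, a build wrapper or nightly email job that only looks at the return code will report the rejected notarization.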
comment:4 by , 2 years ago
Component: | Unassigned → Build System |
---|
Our build_tools/macosx_package/notarize.py script did not sign this python.o file, claiming it is not a MachO binary. This seems like a bug in the PyPI lief package that notarize.py uses, because the shell "file python.o" command says it is a MachO binary. Here is what it says on euclid, our Mac ARM build machine: