08-16-2024, 07:09 PM | #16 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
Okay, I tested using a Sigil.dmg and when downloaded from github to my Mac it sure enough had the com.apple.quarantine attribute set.
Code:
kbhend@MacBook-Pro Desktop % ls -a@l *.dmg
-rw-r--r--@ 1 kbhend staff 198173869 16 Aug 19:04 Sigil.dmg
	com.apple.macl 72
	com.apple.metadata:kMDItemDownloadedDate 53
	com.apple.metadata:kMDItemWhereFroms 684
	com.apple.quarantine 57

but worse yet, after double clicking it and copying the Sigil.app out of it, it too was marked with com.apple.quarantine and it generated that horrid error message even though it was properly signed and notarized. So using dmg is not going to work either unless I can somehow sign and notarize an entire dmg. Not something I want to do. Last edited by KevinH; 08-16-2024 at 07:41 PM. |
08-16-2024, 07:21 PM | #17 |
Grand Sorcerer
Posts: 27,922
Karma: 198500000
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
Is Apple really so petty that they would add the quarantine attribute to anything downloaded from Github?!
|
08-16-2024, 07:49 PM | #18 | |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
Quote:
Only using curl to move the file results in a download that does not have com.apple.quarantine set. I tried recursively trying to use xattr -d but they add it to every single file, symbolic link, directory, socket, special character block, etc. It is a real pisser to remove. Your only real chance to remove it is *before* trying to unpack the archive. This really stinks. Why does it matter that you downloaded an archive or app from github (or anyplace) as long as the application itself inside the archive is fully signed and notarized? Apple is truly becoming a real bastard using Fear, Uncertainty, and Doubt (FUD) to drive developers to its Mac App store. |
|
08-16-2024, 08:34 PM | #19 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
I have been reading up on this, and Apple's GateKeeper (which is what com.apple.quarantine turns on) now requires that there be no "dangling rpaths" in any place in your app but that means when macdeployqt moves the Qt frameworks in it can not just add new rpaths, it must remove the old rpaths otherwise they are considered "dangling".
Worse yet that must be true for every executable and every shared library in your app. This is going to take lots of work to check for dangling rpaths as neither their signing process nor notarization checks for that. ARRRRGGGGGGGHHHHHHH! |
08-16-2024, 08:42 PM | #20 |
Grand Sorcerer
Posts: 27,922
Karma: 198500000
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
I'm finding lots of horror stories about successfully signed/notarized apps that fail (in this exact same manner) when downloading a zipped version of said "successfully" notarized apps.
But I'm also seeing stuff that indicates that distributing signed/notarized apps by zipping them up and uploading them somewhere should be possible. You might get an "unknown sources" warning, but then it should say that no malware was detected and ask if you still want to install it. The stapled notarization might not be the notarization that's used. I'm seeing that as long as there's a network connection, the notarization may come from Apple servers. Is it possible there could be a delay between a successful notarization and that notarization being available on Apple servers? A quick test might be to disconnect your machine from the Internet and see if that forces the stapled notarization to be used. I'm just throwing stuff out there, by the way. Most of my knowledge of these things is what I've gleaned from you! |
08-16-2024, 08:51 PM | #21 |
Grand Sorcerer
Posts: 27,922
Karma: 198500000
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
Which begs the question: why on earth would Apple return a successful notarization ticket on an app that can't possibly get past its own GateKeeper after downloading. Surely the notarization process should be where this sort of thing is caught?!
|
08-16-2024, 10:11 PM | #22 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
I have no idea but after my first shot at searching for "dangling rpaths" in Sigil.app on macOS, I seem to have found them and all inside the embedded Python.framework inside site-packages:
Code:
./Sigil.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/PIL/.dylibs/libjpeg.62.4.0.dylib
Load command 13
          cmd LC_RPATH
      cmdsize 32
         path /usr/local/lib (offset 12)
./Sigil.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/PySide6/lupdate
Load command 22
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib (offset 12)
Load command 23
          cmd LC_RPATH
      cmdsize 32
         path @loader_path (offset 12)
Load command 24
          cmd LC_RPATH
      cmdsize 40
         path /Users/kbhend/Qt672/lib (offset 12)
./Sigil.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/PySide6/lrelease
Load command 20
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib (offset 12)
Load command 21
          cmd LC_RPATH
      cmdsize 32
         path @loader_path (offset 12)
Load command 22
          cmd LC_RPATH
      cmdsize 40
         path /Users/kbhend/Qt672/lib (offset 12)
./Sigil.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/PySide6/Qt/libexec/rcc
Load command 20
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib (offset 12)
Load command 21
          cmd LC_RPATH
      cmdsize 32
         path @loader_path (offset 12)
Load command 22
          cmd LC_RPATH
      cmdsize 40
         path /Users/kbhend/Qt672/lib (offset 12)
./Sigil.app/Contents/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/PySide6/Qt/libexec/uic
Load command 20
          cmd LC_RPATH
      cmdsize 32
         path @loader_path/../lib (offset 12)
Load command 21
          cmd LC_RPATH
      cmdsize 32
         path @loader_path (offset 12)
Load command 22
          cmd LC_RPATH
      cmdsize 40
         path /Users/kbhend/Qt672/lib (offset 12)

And the PySide6 package has hard coded rpaths to the Qt libs for every one of their executables: lrelease, lupdate, rcc, and uic. None of our code is incorrect. Just those python site packages installed by pip3. So I am going to have to manually remove each and every one of these rpaths using otool and then hope we have no more. Last edited by KevinH; 08-16-2024 at 10:16 PM. |
08-16-2024, 10:33 PM | #23 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
And of course the PIL libjpeg one is signed! And removing the rpath will break the signing.
So this will probably need to be fixed by PIL people who make the pip3 packages. |
08-16-2024, 10:41 PM | #24 |
Grand Sorcerer
Posts: 27,922
Karma: 198500000
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
You could cheat with PySide6 and just filter out those executables (or the whole libexec folder in PySide6) when gathering the Python pieces for your app. Will a plugin ever conceivably need to use the lrelease, lupdate, rcc, and uic executables? They won't on Windows! Because I don't deliver any of the pyside exes installed to my Python Scripts directory. I can't seem to find a libjpeg package/exe that gets installed into my Windows Python with the Pillow Module.
Last edited by DiapDealer; 08-16-2024 at 10:43 PM. |
08-16-2024, 11:13 PM | #25 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
Okay, I manually removed all of those "dangling" rpaths manually using the install_name_tool and then rebuilt Sigil then signed and notarized it.
Then created a tar.xz from it and uploaded it to my BuildSigilOnMac github repo. I then downloaded it from there, checked to verify that the com.apple.quarantine extended attribute was set. Unpacked it and then double-clicked to run Sigil.app and this time got a different Warning Message saying that this was downloaded from the internet, and asked if I was sure I wanted to run it. It went on to say that Apple has checked the software for malware (malicious behavior) and none was found. So I think that is the best we are gonna get.

So the problem was the dangling rpaths made GateKeeper barf even though Sigil.app was fully code-signed and fully notarized. So we may have a way forward without having to use curl or xattr -d.

What a pain in the ass they are making this. They call it security but allow our embedded Python to run any code as long as it uses pure .py files which could really do something nasty but that doesn't matter because we would not want "dangling" rpaths would we .... So insanely stupid.

I am too tired to fight with this anymore tonight. I will try to build new tar.xz packages for both PageEdit and Sigil for both x86_64 and arm64 tomorrow and use them to replace the builds that are there now. That will of course require another full dangling rpath hunt on the arm64 side since the problems will exist there as well and could impact different files given the python site-packages are different. Last edited by KevinH; 08-17-2024 at 01:29 PM. |
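The rpath hunt described in posts #22 and #25, as an added example (not KevinH's or the Sigil project's own script): it parses `otool -l` output, lists the LC_RPATH entries that resolve outside the app bundle, and builds the matching `install_name_tool -delete_rpath` calls. Treating "resolves outside the bundle" as the test for a dangling rpath is an assumption, and the sample paths and function names are constructed.

```python
import posixpath
import re

# Constructed, abridged sample in the layout `otool -l` prints; names are made up.
SAMPLE = """\
Demo.app/Contents/Frameworks/PySide6/lupdate:
Load command 22
          cmd LC_RPATH
         path @loader_path/../lib (offset 12)
Load command 23
          cmd LC_RPATH
         path /Users/builder/Qt/lib (offset 12)
Load command 24
          cmd LC_LOAD_DYLIB
         name @rpath/QtCore.framework/Versions/A/QtCore (offset 24)
Demo.app/Contents/Frameworks/PIL/.dylibs/libjpeg.dylib:
Load command 13
          cmd LC_RPATH
         path /usr/local/lib (offset 12)
"""

def parse_rpaths(otool_text):
    """Return {binary: [rpath, ...]} from `otool -l` output."""
    found, binary, in_rpath = {}, None, False
    for line in otool_text.splitlines():
        s = line.strip()
        if s.endswith(":") and not line[:1].isspace():
            binary = s[:-1]                      # "path/to/file:" header
        elif s.startswith("cmd "):
            in_rpath = s == "cmd LC_RPATH"       # only LC_RPATH carries an rpath
        elif in_rpath and (m := re.match(r"path (.+) \(offset \d+\)$", s)):
            found.setdefault(binary, []).append(m.group(1))
    return found

def suspect_rpaths(otool_text, bundle_root):
    """Assumption: an rpath is suspect if it resolves outside bundle_root."""
    root, hits = posixpath.normpath(bundle_root) + "/", []
    for binary, rpaths in parse_rpaths(otool_text).items():
        for rp in rpaths:
            if rp.startswith("@loader_path"):
                target = posixpath.dirname(binary) + rp[len("@loader_path"):]
                outside = not (posixpath.normpath(target) + "/").startswith(root)
            else:  # other @-prefixed forms need the main executable; skipped here
                outside = not rp.startswith("@")
            if outside:
                hits.append((binary, rp))
    return hits

def delete_commands(hits):  # each edited binary must be re-signed afterwards
    return [["install_name_tool", "-delete_rpath", rp, b] for b, rp in hits]
```

On a real build the text would come from running `otool -l` over every Mach-O file in the bundle before signing and notarizing, since post #23 notes that editing an already signed library breaks its signature.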
08-16-2024, 11:18 PM | #26 | |
just an egg
Posts: 1,656
Karma: 5432100
Join Date: Mar 2015
Device: Kindle, iOS
|
Not sure if you still need this info, but I can confirm that both A and B methods below work on my Mac Sonoma 14.6.1.
Sigil opens with no warning or pop-up message or anything. It just opens, voilà
Quote:
Last edited by odamizu; 08-16-2024 at 11:30 PM. |
|
08-16-2024, 11:59 PM | #27 | |
just an egg
Posts: 1,656
Karma: 5432100
Join Date: Mar 2015
Device: Kindle, iOS
|
Quote:
Thank you for going to all this effort to release Sigil versions for Mac. |
|
08-17-2024, 09:55 AM | #28 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
Thank you! Knowing that helps me understand what is happening and provides a fallback in case similar problems arise.
|
08-17-2024, 09:57 AM | #29 | |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
Quote:
I hope to have new versions of Sigil for mac out today. As it turns out PageEdit does not have the same problem as it had no python in it. |
|
08-17-2024, 12:58 PM | #30 |
Sigil Developer
Posts: 8,102
Karma: 5450184
Join Date: Nov 2009
Device: many
|
@odamizu,
We updated this release to include a hopefully fixed, Sigil.app-2.3.0-1-Mac-arm64.txz and fixed Sigil.app-2.3.0-1-Mac_x86_64.txz. When you get a free moment, please try normally downloading it, unpack it, and try the resulting Sigil.app to make sure it is working just like other downloads. Do not use curl nor xattr for this test, just an everyday browser download. Thanks! Last edited by KevinH; 08-17-2024 at 01:27 PM. |
|