[Vm-dev] MacOS Code Signing bundle parts

Fabio Niephaus lists at fniephaus.com
Fri Apr 19 09:28:44 UTC 2019

I don't think we have any scripts for the macOS VMs. Squeak All-in-ones for
example come with a launcher script for Windows and Linux. So I'm not too
concerned about our macOS code signatures. I'm more concerned about the
notarization process [1] which I believe will be mandatory at some point.



On Fri, Apr 19, 2019 at 3:07 AM Ben Coman <btc at openinworld.com> wrote:

> I just bumped into the following article...
> https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-TNTAG201
> and the section "Ensuring Proper Code Signatures for Nested Code"
> made me remember some reports of corrupted signatures when installing
> Pharo/Squeak.
> Particularly interesting were...
> * "Starting in macOS 10.9, the code signing tool records nested code."
> * "Store ...shell... script files and other non-Mach-O executables in
> your app's Contents/Resources directory. While it's possible to sign
> such executables and store them in Contents/MacOS, this is not
> recommended. This is because code signing uses extended attributes to
> store signatures in non-Mach-O executables such as script files. If
> the extended attributes are lost, the program's signature will be
> broken. Many file transfer techniques do not preserve extended
> attributes, nor are they preserved when uploading to the Mac App
> Store."
> I'm not familiar with the bundle arrangement and don't have a Mac
> running to check this,
> so pinging those more intimate with the MacOS bundle to advise whether
> the article may impact us.
> cheers -ben
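
Added example, not part of the original thread and not Squeak or Pharo code: a check for the case the quoted Apple guidance describes, listing files under a bundle's Contents/MacOS that are not Mach-O and whose signature would therefore be stored in extended attributes. The function names and the Sample.app bundle are hypothetical, and the sample files are constructed.

```python
import os
import struct
import tempfile

# Mach-O and universal ("fat") magic numbers, read big-endian from the
# first four bytes. 0xCAFEBABE is shared with Java class files, so a
# .class file in Contents/MacOS would be misclassified as Mach-O here.
MACHO_MAGICS = {
    0xFEEDFACE, 0xCEFAEDFE,  # 32-bit, both byte orders
    0xFEEDFACF, 0xCFFAEDFE,  # 64-bit, both byte orders
    0xCAFEBABE, 0xBEBAFECA,  # universal binary
}

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic."""
    with open(path, "rb") as f:
        head = f.read(4)
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS

def non_macho_in_macos_dir(bundle):
    """Bundle-relative paths of regular, non-Mach-O files under Contents/MacOS."""
    hits = []
    for root, _dirs, files in os.walk(os.path.join(bundle, "Contents", "MacOS")):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are not signed this way
            if not is_macho(path):
                hits.append(os.path.relpath(path, bundle))
    return sorted(hits)

def build_sample_bundle(parent):
    """Constructed sample: one fake Mach-O header, one misplaced script."""
    bundle = os.path.join(parent, "Sample.app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    resources = os.path.join(bundle, "Contents", "Resources")
    os.makedirs(macos)
    os.makedirs(resources)
    with open(os.path.join(macos, "Sample"), "wb") as f:
        f.write(struct.pack("<I", 0xFEEDFACF) + b"\0" * 28)  # header stub only
    for folder in (macos, resources):
        with open(os.path.join(folder, "launch.sh"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    return bundle

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in non_macho_in_macos_dir(build_sample_bundle(tmp)):
            print("signature would rely on extended attributes:", rel)
```

Any path it reports is a candidate for moving to Contents/Resources, the location the quoted guidance recommends.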