Comments (28)
You are right, the helper requires root privileges, and so the only way an
application can install them is if they are signed by a trusted Apple
developer ID, which I bought just to be able to write this feature...
On Wed 26 Aug 2015 at 02:45 Zach Lym [email protected] wrote:
Since this requires root privileges, it would be ideal if you could sign
the DMG. If you have an Apple developer ID, it would be nice if you could
sign the binary as well.
from yubiswitch.
Only 0.9 is signed though
from yubiswitch.
OS X doesn't think so:
But then there is this:
$ codesign -dv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=428 flags=0x0(none) hashes=14+3 location=embedded
Signature size=4313
Signed Time=Aug 18, 2015, 2:09:08 AM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=21
Internal requirements count=1 size=184
And signing the DMG with your GPG signature is the only way I can be sure you published it and not some other rando person who gave Apple $100 : )
from yubiswitch.
weird, this is how I've configured my Xcode project (I'm pretty n00b with Xcode, this is my first Objective-C project :P):
from yubiswitch.
TeamIdentifier=T8ZNNBVE9Z
that is my Developer ID AFAIK
from yubiswitch.
$ codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=428 flags=0x0(none) hashes=14+3 location=embedded
Hash type=sha1 size=20
CDHash=6f506f4f8bb1473545e567292fd32c14d8fe67e5
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 26, 2015, 10:52:48 AM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=21
Internal requirements count=1 size=184
from yubiswitch.
@pallotron I'm afraid this is the blind leading the blind, I've never done any OS X development : P
from yubiswitch.
@indolering : can you try downloading http://blog.angelofailla.com/download/yubiswitch_0.9.dmg and let me know if it still bitches about the signature?
thanks!
from yubiswitch.
(it turns out I also have to sign the .dmg file :D)
from yubiswitch.
this should be fixed. reopen if needed.
from yubiswitch.
Should 0.10 & 0.11 also be signed, or is the plan to fully sign for > 0.11?
from yubiswitch.
They are both signed and all versions will be from now on
On Sun 30 Aug 2015 at 00:57 Jacob Helwig [email protected] wrote:
Should 0.10 & 0.11 also be signed, or is the plan to fully sign for > 0.11?
from yubiswitch.
That doesn't appear to be the case with at least 0.11. Downloaded it yesterday, and had to adjust the security settings to allow launching apps from anywhere to get it to run. Just re-downloaded it to confirm.
from yubiswitch.
that's weird, I had a friend trying it and it worked.
Can you run codesign -dvvv /Applications/yubiswitch.app/ please?
Also run codesign -dvvv on the dmg file and report back in this task
from yubiswitch.
oh damn it I hate Xcode:
$ codesign -dvvv ~/Downloads/yubiswitch_0.11.dmg
/Users/pallotron/Downloads/yubiswitch_0.11.dmg: code object is not signed at all
Uploading a new signed dmg.
from yubiswitch.
I've uploaded new files, please try now...
from yubiswitch.
I think it should be fine now:
[email protected]:/tmp/test
$ wget https://github.com/pallotron/yubiswitch/releases/download/v0.12/yubiswitch_0.12.dmg
--2015-08-30 19:07:12-- https://github.com/pallotron/yubiswitch/releases/download/v0.12/yubiswitch_0.12.dmg
Resolving github.com... 192.30.252.130
Connecting to github.com|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/github-cloud/releases/12984615/e97d4e0c-4f49-11e5-9117-71ccc9b60c54.dmg?response-content-disposition=attachment%3B%20filename%3Dyubiswitch_0.12.dmg&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1440961632&Signature=hScQKLterQRhSxdfBVujEsg5ePM%3D [following]
--2015-08-30 19:07:13-- https://s3.amazonaws.com/github-cloud/releases/12984615/e97d4e0c-4f49-11e5-9117-71ccc9b60c54.dmg?response-content-disposition=attachment%3B%20filename%3Dyubiswitch_0.12.dmg&response-content-type=application/octet-stream&AWSAccessKeyId=AKIAISTNZFOVBIJMK3TQ&Expires=1440961632&Signature=hScQKLterQRhSxdfBVujEsg5ePM%3D
Resolving s3.amazonaws.com... 54.231.11.0
Connecting to s3.amazonaws.com|54.231.11.0|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1401226 (1.3M) [application/octet-stream]
Saving to: 'yubiswitch_0.12.dmg'
yubiswitch_0.12.dmg 100%[==================================================================================================================>] 1.34M 1.17MB/s in 1.1s
2015-08-30 19:07:15 (1.17 MB/s) - 'yubiswitch_0.12.dmg' saved [1401226/1401226]
[Exit code 0 @ 19:07:15]
[email protected]:/tmp/test
$ hdiutil attach yubiswitch_0.12.dmg
Checksumming Driver Descriptor Map (DDM : 0)…
Driver Descriptor Map (DDM : 0): verified CRC32 $AD489E44
Checksumming Apple (Apple_partition_map : 1)…
..
Apple (Apple_partition_map : 1): verified CRC32 $C5E591DC
Checksumming disk image (Apple_HFS : 2)…
..........................................................................................................................................................................................................
disk image (Apple_HFS : 2): verified CRC32 $AF0D3692
Checksumming (Apple_Free : 3)…
(Apple_Free : 3): verified CRC32 $00000000
verified CRC32 $D14FA073
/dev/disk5 Apple_partition_scheme
/dev/disk5s1 Apple_partition_map
/dev/disk5s2 Apple_HFS /Volumes/yubiswitch
[Exit code 0 @ 19:07:29]
[email protected]:/tmp/test
$ codesign -dvvv /Volumes/yubiswitch/yubiswitch.app/
Executable=/Volumes/yubiswitch/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=590915aad550d130aebadb90e1d664b229358139
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 30, 2015, 7:02:42 PM
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=576
[Exit code 0 @ 19:07:35]
from yubiswitch.
I just re-downloaded 0.9 - 0.12, and it appears that none of the DMGs are signed?
% codesign -dvvv ~/Downloads/yubiswitch_0.9.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.9.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.10.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.10.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.11.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.11.dmg: code object is not signed at all
1 % codesign -dvvv ~/Downloads/yubiswitch_0.12.dmg
/Users/jacobhelwig/Downloads/yubiswitch_0.12.dmg: code object is not signed at all
I get the same results for codesign when checking yubiswitch.app after extracting it from the 0.12 DMG, but it won't open without adjusting the security settings.
Wondering if we're running into CDN propagation issues?
from yubiswitch.
No, I think it's just a case of the dmg signature getting lost at download. The code signature is a flag that gets assigned to extended attributes in the filesystem... that get lost when you upload to the internet. Only the .app inside the dmg should be signed. You always get a notification the first time you download anything; what are your security settings?
See http://stackoverflow.com/questions/23951105/os-x-dmg-signature-lost-after-download
from yubiswitch.
is the .app inside the dmg at least signed?
from yubiswitch.
In general, you don't sign the disk image itself; you sign the files inside it. After the image is downloaded, the signature on the individual items will be checked as they are used.
While you can sign the disk image itself (with codesign -s "Developer ID Application: [your company]" example.dmg), the signature this creates is stored in the form of extended attributes attached to the image file. Actually, it creates three xattrs, named com.apple.cs.CodeDirectory, com.apple.cs.CodeRequirements, and com.apple.cs.CodeSignature. The critical thing to realize is that these attributes are filesystem metadata -- that is, they're attached to the file, not part of the file's contents. The HTTP protocol has very limited support for filesystem metadata, so when you upload or download via HTTP (or FTP or...), it only transfers the file's contents, and the xattrs are lost.
You can see the xattrs with the ls -l@ command (and in even more detail with the xattr command):
$ ls -l@ example.dmg
-rw-r--r--@ 1 gordon staff 338590 Nov 13 2013 example.dmg
com.apple.cs.CodeDirectory 120
com.apple.cs.CodeRequirements 172
com.apple.cs.CodeSignature 8515
com.apple.diskimages.fsck 20
com.apple.diskimages.recentcksum 81
After downloading, the image will have lost those attributes (and probably gained com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms from the download process), and hence will not be considered signed. The files contained in it, on the other hand, should still be properly signed (since their signatures are part of the image file's contents.)
from yubiswitch.
% codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=590915aad550d130aebadb90e1d664b229358139
Signature size=4313
Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 30, 2015, 11:02:42
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=576
If I switch to allow from anywhere, open the app, then switch back to only App Store & identified developers, then I never get the cannot open dialog again for yubiswitch until I upgrade to a new version.
from yubiswitch.
I honestly don't know, the application is signed, as you can see from your last command :(
from yubiswitch.
there is one more thing I can try, which is signing using Developer ID and not "Mac App store"
from yubiswitch.
Hey @jhelwig can you try downloading http://blog.angelofailla.com/download/yubiswitch_0.12.dmg and let me know if you still have the issue?
from yubiswitch.
That one worked.
% codesign -dvvv /Applications/yubiswitch.app
Executable=/Applications/yubiswitch.app/Contents/MacOS/yubiswitch
Identifier=com.pallotron.yubiswitch
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=448 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha1 size=20
CDHash=bd8d25476cf17c7ea9de1af93a1e3e12af7b9c37
Signature size=8525
Authority=Developer ID Application: Angelo Failla (T8ZNNBVE9Z)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 30, 2015, 13:12:42
Info.plist entries=27
TeamIdentifier=T8ZNNBVE9Z
Sealed Resources version=2 rules=12 files=18
Internal requirements count=2 size=608
Did prompt about the helper, but was able to get past the security check with it still set to "Mac App Store and identified developers".
from yubiswitch.
Ok so the trick was to sign as "Developer ID" instead of "Mac App Store"
from yubiswitch.
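The distinction that resolved this thread (a leaf certificate of "Mac Developer" versus "Developer ID Application", plus the "not signed at all" DMG case) can be checked mechanically before a release is published. The script below is an added example, not part of the original thread or the yubiswitch project: the function names are hypothetical, the samples are abridged from the codesign output quoted above, and the "3rd Party Mac Developer Application" prefix is the Mac App Store submission certificate name, which does not appear on this page.

```shell
# Added example, not yubiswitch code. Input on stdin: text of
# `codesign -dvvv <path> 2>&1` (codesign prints these details on stderr).

# First value of a KEY=value line. codesign repeats Authority= for each
# certificate in the chain; the first one is the leaf that signed the code.
field() {
    awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Classify the signature: developer-id | development | app-store | unsigned | other
signing_kind() {
    text=$(cat)
    case "$text" in
        *"code object is not signed at all"*) echo unsigned; return 0 ;;
    esac
    case "$(printf '%s\n' "$text" | field Authority)" in
        "Developer ID Application:"*)            echo developer-id ;;
        "Mac Developer:"*)                       echo development ;;
        "3rd Party Mac Developer Application:"*) echo app-store ;;
        "")                                      echo unsigned ;;
        *)                                       echo other ;;
    esac
}

# Release gate: succeed only for a Developer ID signature from the expected team.
release_ok() {
    expected_team=$1
    text=$(cat)
    [ "$(printf '%s\n' "$text" | signing_kind)" = developer-id ] &&
        [ "$(printf '%s\n' "$text" | field TeamIdentifier)" = "$expected_team" ]
}

# Samples abridged from the codesign output quoted in this thread.
SAMPLE_MAC_DEVELOPER='Authority=Mac Developer: Angelo Failla (22Y3UXV6J8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=T8ZNNBVE9Z'
SAMPLE_DEVELOPER_ID='Authority=Developer ID Application: Angelo Failla (T8ZNNBVE9Z)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=T8ZNNBVE9Z'
SAMPLE_UNSIGNED_DMG='/Users/pallotron/Downloads/yubiswitch_0.11.dmg: code object is not signed at all'

for sample in "$SAMPLE_MAC_DEVELOPER" "$SAMPLE_DEVELOPER_ID" "$SAMPLE_UNSIGNED_DMG"; do
    printf '%s\n' "$sample" | signing_kind
done
```

On macOS, feed it live output with `codesign -dvvv /Applications/yubiswitch.app 2>&1 | release_ok T8ZNNBVE9Z`. It only reads the declared identity; `codesign --verify` and `spctl --assess` are what actually validate the seal and the Gatekeeper policy decision.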