Levure Codesigning

martyknapp
Posts: 52
Joined: Fri Mar 24, 2006 5:33 pm
Location: Blaine, Washington - USA

Post by martyknapp » Thu Feb 04, 2021 12:35 am

I've been building, codesigning and notarizing a Levure-based app for quite a while now. I use AppWrapper to codesign and notarize. I'm running Mojave and Xcode 10.1. Using LC 9.6.1 and all is fine. With the release of LC 9.6.2 rc2 I tried a build and have run into an issue. After a build but before I codesign, the app will open and run fine. After I codesign with AppWrapper, it crashes on startup. The crashlog in Console states "Service exited with abnormal code: 255".

So I created a basic test app in LC 9.6.2 and built a standalone (not using Levure). I can notarize that with AppWrapper and it opens and runs fine. Anybody else seeing this?

trevordevore
VIP Livecode Opensource Backer
Posts: 1005
Joined: Sat Apr 08, 2006 3:06 pm
Location: Overland Park, Kansas

Post by trevordevore » Thu Feb 04, 2021 6:02 am

I tried building an app with 9.6.2 rc2 the other day and there was an issue accessing https urls. I haven't investigated further yet, but I am going to check to see if it has something to do with revsecurity.dylib. In my case though, the app was notarized without any problems. I use the code-signing and notarization process that is built into Levure though.
Trevor DeVore
ScreenSteps - https://www.screensteps.com

LiveCode Repos - https://github.com/search?q=user%3Atrevordevore+topic:livecode
LiveCode Builder Repos - https://github.com/search?q=user%3Atrevordevore+topic:livecode-builder

Post by martyknapp » Thu Feb 04, 2021 7:18 pm

I just implemented the codesigning feature in Levure (so skipping the use of AppWrapper) and when I build with LC 9.6.2 it crashes on startup. Again the crashlog in Console states "Service exited with abnormal code: 255". If I build with LC 9.6.1 it opens fine. I didn't do the notarizing step in either case. So it seems there's something specific to 9.6.2.

The inclusions I have are as follows (some of which I only guessed at needing since I couldn't find them described anywhere):
Color Swatch
HTTPD Library
DataGrid
Internet
Printing
Revolution Zip
Print Dialogs
Cursors
PDF Printer
Answer Dialog
Ask Dialog
tsNet

Post by martyknapp » Thu Feb 04, 2021 7:57 pm

I've narrowed this down to the "Revolution Zip" library. I created a test stack with no code in it and set the Inclusions to match my project. I built in 9.6.2 using the LC standalone builder (not Levure). I then codesigned with AppWrapper. It failed on startup. Then one by one I deleted the inclusions until it would run. I then double-checked by putting everything back in except the Revolution Zip library, so the issue seems to be with that.

I just filed a bug report on this - 23083

Post by martyknapp » Sat Feb 06, 2021 10:20 pm

After much hair pulling and some help from Matthias I seem to have this solved. It appears that starting with LC 9.6.2 “entitlements” are needed even for web deployment (at least in the case of including revzip).

So for anyone else who runs into this, you can use the same entitlements that Livecode uses, saved into a “my app name.entitlements” file, and then configure the app.yml file and setup as described in the Levure packager info:
https://github.com/trevordevore/levure/wiki/packager

Here's what you need in your “my app name.entitlements” file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <key>com.apple.security.personal-information.photos-library</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
</dict>
</plist>

Marty
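
Added example, not part of Marty's post and not LiveCode or Levure code: a Python script that sorts the entitlements granted in a file like the one above into hardened-runtime exceptions and resource-access grants, so each one can be checked against what the app actually needs. The sample plist is constructed from the eleven keys in the post, and the function and variable names are made up for this example.

```python
import plistlib

# Hardened-runtime exceptions: each one relaxes a protection the hardened
# runtime enforces by default, so each should map to a known need.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "JIT (MAP_JIT) memory",
    "com.apple.security.cs.allow-unsigned-executable-memory": "writable and executable memory",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables honoured",
    "com.apple.security.cs.disable-library-validation": "loads libraries signed by other teams",
    "com.apple.security.cs.disable-executable-page-protection": "executable page protection off",
}
# Resource-access entitlements: needed only if the app uses that resource.
RESOURCE_PREFIXES = (
    "com.apple.security.device.",
    "com.apple.security.personal-information.",
    "com.apple.security.automation.",
)
# Constructed sample: the eleven keys from the post, all set to true.
POSTED_KEYS = list(RUNTIME_EXCEPTIONS) + [
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
    "com.apple.security.personal-information.location",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.photos-library",
    "com.apple.security.automation.apple-events",
]
SAMPLE_PLIST = plistlib.dumps({key: True for key in POSTED_KEYS})

def audit_entitlements(plist_bytes):
    """Group the entitlements set to <true/> in a plist by kind."""
    ents = plistlib.loads(plist_bytes)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    report = {"runtime_exceptions": [], "resource_access": [], "other": []}
    for key in sorted(ents):
        if ents[key] is not True:
            continue  # skip keys that are not set to <true/>
        if key in RUNTIME_EXCEPTIONS:
            report["runtime_exceptions"].append(key)
        elif key.startswith(RESOURCE_PREFIXES):
            report["resource_access"].append(key)
        else:
            report["other"].append(key)
    return report

if __name__ == "__main__":
    for kind, keys in audit_entitlements(SAMPLE_PLIST).items():
        for key in keys:
            print(f"{kind:18} {key}  {RUNTIME_EXCEPTIONS.get(key, '')}")
```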

Post by martyknapp » Wed Feb 10, 2021 8:53 pm

I'm having more codesign issues. I just built a new version of my app with LC 9.6.2 rc2. I used the codesigning feature of Levure, though I've had to add the "--deep" parameter so that it properly signs revpdfprinter.bundle (otherwise printing to PDF fails). The app is in a DMG and is notarized, which is all successful. I can then download from my server, install and run the app on both Mojave and Big Sur. But when I use the update feature to update a previous version it seems to work on Big Sur, but not on Mojave - there I get an error:

An error occurred while extracting the archive. Please try again later.
Error code: 3001
Reason: The update is improperly signed.

So I re-code signed using AppWrapper and get the same error.

Marty

Post by martyknapp » Wed Feb 10, 2021 9:53 pm

To further muddy the waters, I just tried another Mac running Mojave and it worked fine on that one. Rebooted the first Mac and still get the error consistently. Of course that one is my main development machine!

I checked the log in Console and this is what I find:
"The update archive isn't signed with an EdDSA key, and the app is signed with a new Code Signing identity that doesn't match code signing of the original app: (null). At least one method of signature verification must be valid. The update will be rejected."

Marty
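
Added example, not part of the original posts and not the updater's own logic: a Python script that compares the identity fields printed by `codesign -dvv` for the installed app and for the update, the kind of mismatch the Console message above reports. Both outputs are constructed samples with placeholder names and team ID, the ad hoc installed copy is an assumed scenario, and which fields the updater really compares is an assumption.

```python
import re

# Constructed samples shaped like `codesign -dvv <app>` output; the names,
# team ID and bundle ID are placeholders, not values from the thread.
INSTALLED = """\
Identifier=com.example.myapp
CodeDirectory v=20100 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
UPDATE = """\
Identifier=com.example.myapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def parse_codesign(text):
    """Pull the identity fields out of `codesign -dvv` output."""
    authorities = re.findall(r"^Authority=(.+)$", text, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    ident = re.search(r"^Identifier=(.+)$", text, re.M)
    team_value = team.group(1).strip() if team else "not set"
    return {
        "identifier": ident.group(1).strip() if ident else None,
        "leaf": authorities[0].strip() if authorities else None,  # signing certificate
        "team": None if team_value == "not set" else team_value,
        "adhoc": bool(re.search(r"^Signature=adhoc$", text, re.M)),
    }

def identity_mismatches(installed, update):
    """List the differences between the two signing identities (assumed check)."""
    old, new = parse_codesign(installed), parse_codesign(update)
    problems = []
    if old["adhoc"] or old["leaf"] is None:
        problems.append("installed app has no certificate-based signature")
    for field in ("identifier", "team", "leaf"):
        if old[field] != new[field]:
            problems.append(f"{field} differs: {old[field]!r} -> {new[field]!r}")
    return problems

if __name__ == "__main__":
    for line in identity_mismatches(INSTALLED, UPDATE) or ["identities match"]:
        print(line)
```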

jacque
VIP Livecode Opensource Backer
Posts: 7214
Joined: Sat Apr 08, 2006 8:31 pm
Location: Minneapolis MN

Post by jacque » Thu Feb 11, 2021 7:14 pm

I get the same kind of error on Android if I try to update an app that was signed "for development" with an update that was signed with my developer key. It sounds like you're getting something similar. The update has to use the same type of signature as the original.

On Android the fix is to delete the original app and then install the update. If your second Mac has never seen the original version then it sounds like a similar problem.
Jacqueline Landman Gay | jacque at hyperactivesw dot com
HyperActive Software | http://www.hyperactivesw.com

Post by martyknapp » Fri Feb 12, 2021 12:47 am

Thanks Jacque, I think that was it!
