
Bug 565506

Summary: Notarization fails in I-build
Product: [Eclipse Project] Platform
Reporter: Lakshmi P Shanmugam <lshanmug>
Component: Releng
Assignee: Platform-Releng-Inbox <platform-releng-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: guillez, mvid
Version: 4.17
Target Milestone: ---
Hardware: PC
OS: Mac OS X
Whiteboard:
Bug Depends on:
Bug Blocks: 549585

Description Lakshmi P Shanmugam CLA 2020-07-24 01:23:12 EDT
The Eclipse build [1] fails during notarization of the Eclipse SDK with this error:

"path": "eclipse-SDK-I20200723-1030-macosx-cocoa-x86_64-8555742938851320738.dmg/Eclipse.app/Contents/Eclipse/plugins/org.eclipse.swt.browser.chromium.cocoa.macosx.x86_64_3.115.0.v20200723-1410.jar/chromium-3071/chromium_subp-4936r10.app/Contents/MacOS/chromium_subp",
"message": "The signature of the binary is invalid."

I also manually checked the signature of MacOS/chromium_subp in the binaries repo on Mac using
codesign -v chromium_subp
I get this error: chromium_subp: code has no resources but signature indicates they must be present

[1] - https://ci.eclipse.org/releng/job/I-build-4.17/99/console
Comment 1 Lakshmi P Shanmugam CLA 2020-07-24 01:26:09 EDT
Temporarily disabled the notarization in Build id: I20200723-1800

https://git.eclipse.org/r/c/platform/eclipse.platform.releng.aggregator/+/166740
Comment 2 Lakshmi P Shanmugam CLA 2020-07-24 01:38:33 EDT
(In reply to Lakshmi Shanmugam from comment #1)
> Temporarily disabled the notarization in Build id: I20200723-1800
> 
> https://git.eclipse.org/r/c/platform/eclipse.platform.releng.aggregator/+/166740

This was done so that yesterday's build completes. 

The Mac build is not notarized. Trying to open it on 10.15 will show a dialog with message: “Eclipse.app” can’t be opened because Apple cannot check it for malicious software.

To open it, go to System Preferences > Security & Privacy > Open anyway.
Comment 3 Vid Marian CLA 2020-07-24 07:16:17 EDT
We have dealt with the same issue while notarizing our product (Servoy developer), except that our chromium framework was not signed at all (for now we are using an older version). While examining the error log from Apple we noticed that a lot of framework libraries were also reported as unsigned. What we did was to extract the unsigned / invalidly signed content, sign it using our certificate and pack it back into the framework.

Here are some excerpts from the (command line) procedure we followed (I guess you already know the steps, but here they are anyway):

1. The error log can be retrieved by: 
    xcrun altool --notarization-info 160b20e0-a4fe-4b3f-b065-8f7407e4c615 --username <your-apple-account-id> --password <your-apple-app-generated-password>

That returns the URL of the error log on Apple's website (with a detailed list of errors).

Strictly related to the chromium_subp binary, the errors were:

    {
      "severity": "error",
      "code": null,
      "path": "servoy_osx.3563.zip/servoy_osx.3563/Servoy.app/Contents/Eclipse/plugins/org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar/chromium-3071/chromium_subp-0102.app/Contents/MacOS/chromium_subp",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "servoy_osx.3563.zip/servoy_osx.3563/Servoy.app/Contents/Eclipse/plugins/org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar/chromium-3071/chromium_subp-0102.app/Contents/MacOS/chromium_subp",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "servoy_osx.3563.zip/servoy_osx.3563/Servoy.app/Contents/Eclipse/plugins/org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar/chromium-3071/chromium_subp-0102.app/Contents/MacOS/chromium_subp",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },

2. The next step was to unpack the framework, sign as needed, and repack:
mkdir tmp
cd tmp
unzip ../Servoy.app/Contents/Eclipse/plugins/org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar
codesign --options runtime --entitlements /Users/vidmarian/Resources/entitlements/developer_entitlements.plist --sign "Servoy B.V. (GB2G4Z3JSX)" "chromium-3071/chromium_subp-0102.app/Contents/MacOS/chromium_subp"
zip -rv ../Servoy.app/Contents/Eclipse/plugins/org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar *
cd ..

In your case the binary already contains an (invalid) signature, so you must first do:
codesign --remove-signature ...
or use the --force option when signing.

If you're interested in more details, just let me know.
Regards
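The procedure in comment 3 has two manual parts: reading the notarization issue log to find which binaries Apple rejected and why, and working out which jar each one is packed inside so it can be unpacked, signed and repacked. The script below is an added example (not code from the bug thread, from Eclipse or from Servoy) that automates that triage: it groups error-level issues by path, splits each path at the innermost .jar, and builds the codesign command whose flags answer the reported issues. The sample log is constructed after the excerpt in comment 3 and the error in the description; the mapping from Apple's issue messages to codesign options, the "Example Corp" signing identity and the entitlements file name are this script's own assumptions.

```python
"""Triage an Apple notarization issue log and plan the codesign fixes.

Added example, not from the bug thread or from Eclipse/Servoy. The log is a
constructed sample; the message-to-flag mapping is an assumption of this
script, not Apple documentation.
"""
import json
import shlex

# Assumed mapping from Apple's issue text to the codesign option that addresses it.
# "not signed" needs no extra flag: a plain --sign is the fix.
FLAG_FOR_MESSAGE = {
    "The binary is not signed.": (),
    "The signature of the binary is invalid.": ("--force",),
    "The signature does not include a secure timestamp.": ("--timestamp",),
    "The executable does not have the hardened runtime enabled.": ("--options", "runtime"),
}

# Constructed sample log: three issues on one Servoy binary (as in comment 3),
# an invalid signature on the Eclipse binary (as in the description), one
# warning, and one error message the mapping above does not know.
SERVOY_BIN = ("servoy_osx.3563.zip/servoy_osx.3563/Servoy.app/Contents/Eclipse/plugins/"
              "org.eclipse.swt.chromium.cocoa.macosx.x86_64_0.10.2.201908130308.jar/"
              "chromium-3071/chromium_subp-0102.app/Contents/MacOS/chromium_subp")
ECLIPSE_BIN = ("eclipse-SDK.dmg/Eclipse.app/Contents/Eclipse/plugins/"
               "org.eclipse.swt.browser.chromium.cocoa.macosx.x86_64_3.115.0.jar/"
               "chromium-3071/chromium_subp.app/Contents/MacOS/chromium_subp")
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "path": SERVOY_BIN, "message": "The binary is not signed."},
    {"severity": "error", "path": SERVOY_BIN, "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "path": SERVOY_BIN, "message": "The executable does not have the hardened runtime enabled."},
    {"severity": "error", "path": ECLIPSE_BIN, "message": "The signature of the binary is invalid."},
    {"severity": "warning", "path": ECLIPSE_BIN, "message": "The binary uses an SDK older than the 10.9 SDK."},
    {"severity": "error", "path": "Example.app/Contents/MacOS/Example", "message": "The signature algorithm used is too weak."},
]})


def triage(log_text):
    """Group error-level issues by binary path, in first-seen order.

    Returns {path: {"messages": [...], "flags": [option tuples], "unknown": [...]}}.
    Warnings are skipped: they do not block notarization.
    """
    issues_by_path = {}
    for issue in json.loads(log_text).get("issues", []):
        if issue.get("severity") != "error":
            continue
        entry = issues_by_path.setdefault(issue["path"], {"messages": [], "flags": [], "unknown": []})
        message = issue["message"]
        entry["messages"].append(message)
        if message not in FLAG_FOR_MESSAGE:
            entry["unknown"].append(message)  # needs a human look
        elif FLAG_FOR_MESSAGE[message] and FLAG_FOR_MESSAGE[message] not in entry["flags"]:
            entry["flags"].append(FLAG_FOR_MESSAGE[message])
    return issues_by_path


def containing_jar(path):
    """Split a log path at the innermost .jar it passes through.

    Returns (jar_path, path_inside_jar), or (None, path) when the binary is not
    inside a jar. A binary inside a jar cannot be signed in place: unpack the
    jar, sign the binary, and rebuild the jar (step 2 in comment 3).
    """
    idx = path.rfind(".jar/")
    if idx < 0:
        return None, path
    cut = idx + len(".jar")
    return path[:cut], path[cut + 1:]


def codesign_command(inner_path, flags, identity, entitlements=None):
    """Build a shell-safe codesign invocation for one binary."""
    argv = ["codesign"]
    for group in flags:
        argv.extend(group)
    if entitlements:
        argv.extend(["--entitlements", entitlements])
    argv.extend(["--sign", identity, inner_path])
    return " ".join(shlex.quote(arg) for arg in argv)


def plan(log_text, identity, entitlements=None):
    """One step per offending binary: which jar to unpack, what to run, and any
    messages the mapping could not translate into a flag."""
    steps = []
    for path, entry in triage(log_text).items():
        jar, inner = containing_jar(path)
        steps.append({
            "jar": jar,
            "command": codesign_command(inner, entry["flags"], identity, entitlements),
            "unknown": entry["unknown"],
        })
    return steps


if __name__ == "__main__":
    # Placeholder signing identity and entitlements file, not real values.
    for step in plan(SAMPLE_LOG, "Developer ID Application: Example Corp (TEAMID)", "entitlements.plist"):
        if step["jar"]:
            print("unpack, sign inside, repack:", step["jar"])
        print("  ", step["command"])
        for message in step["unknown"]:
            print("   review manually:", message)
```

Run it against a saved copy of the real log instead of SAMPLE_LOG to get the unpack/sign/repack list for a build; any message that lands in "unknown" is one the mapping has not seen and should be read in Apple's log before re-signing.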
Comment 4 Lakshmi P Shanmugam CLA 2020-07-24 08:35:45 EDT
(In reply to Vid Marian from comment #3)
Hi, thank you for the comments.

We were able to finally notarize the Eclipse.dmg with the chromium fragment. We had to sign the MacOS chromium_subp and the enclosing chromium app with entitlements to make it work.
Comment 5 Lakshmi P Shanmugam CLA 2020-07-24 08:38:01 EDT
Mac dmg from https://download.eclipse.org/eclipse/downloads/drops4/I20200723-1800/ is notarized. 

Notarization has been enabled again via - https://git.eclipse.org/r/c/platform/eclipse.platform.releng.aggregator/+/165665