
Signature created by Packages not compatible with stapler

Open Zenju opened this issue 7 years ago • 6 comments

Packages is awesome and this is the first real problem I've encountered so far:

As of late, "app notarization" is expected, and this can be done via the command line. So far so good: xcrun altool --notarize-app <etc> -f <path to .pkg>

Then the ticket created above should be attached to the pkg via: xcrun stapler staple -v <path to .pkg>

This step fails:

Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Could not find an appropriate "code signature" in the test.pkg installer package.
Cannot download ticket. CDHash must be set.

The above failure is surprising, since the .pkg file definitely has a valid signature attached, as can be checked with: pkgutil --check-signature

But it seems it is not "of the right type"...

I've found that when I manually sign the .pkg again with productsign (productsign --sign <etc>) and notarize the .pkg again, then stapler completes with success:

Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package test.pkg uses a checksum of size 20
JSON Data is { records = ( <etc., lots of more details>

Note the "Sig Type is CMS" in the success case that was absent when Packages had signed the installer. This could be a clue regarding what Packages does differently than productsign.

Zenju avatar Oct 21 '18 11:10 Zenju

Thanks for reporting this.

It looks like productsign is indeed adding an extended CMS signature to the package/distribution xar.

packagesdev avatar Oct 23 '18 23:10 packagesdev
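To make the difference between the two signatures concrete, here is an added example (not code from the Packages project or from anyone in this thread) that reads the xar header and table of contents of a .pkg and reports which signature elements it carries. It assumes Apple's xar layout, where the plain RSA signature is a `signature` element and the extended CMS signature that productsign adds is an `x-signature` element; the sample archives are constructed in-memory fixtures, not real packages.

```python
# Added example: minimal xar header/TOC reader to see whether a .pkg carries
# only the RSA <signature> or also the CMS <x-signature> that stapler expects.
import struct
import zlib
import xml.etree.ElementTree as ET

# xar header: magic, header size, version, TOC compressed length,
# TOC uncompressed length, checksum algorithm (all big-endian, 28 bytes).
XAR_HEADER = struct.Struct(">4sHHQQI")


def read_xar_toc(data: bytes) -> ET.Element:
    """Decode the zlib-compressed table of contents that follows the header."""
    magic, hdr_size, _version, toc_clen, toc_ulen, _cksum = XAR_HEADER.unpack_from(data, 0)
    if magic != b"xar!":
        raise ValueError("not a xar archive (bad magic)")
    toc = zlib.decompress(data[hdr_size:hdr_size + toc_clen])
    if len(toc) != toc_ulen:
        raise ValueError("TOC length mismatch")
    return ET.fromstring(toc)


def pkg_signature_styles(data: bytes) -> dict:
    """Return the 'style' attribute of the signature and x-signature elements (None if absent)."""
    toc = read_xar_toc(data)
    styles = {}
    for tag in ("signature", "x-signature"):
        node = toc.find(f"./toc/{tag}")
        styles[tag] = node.get("style") if node is not None else None
    return styles


def stapler_ready(data: bytes) -> bool:
    """Heuristic from the thread: stapler needs the CMS x-signature, not just the RSA one."""
    return pkg_signature_styles(data)["x-signature"] == "CMS"


def build_fake_xar(toc_xml: str) -> bytes:
    """Constructed fixture: wrap a TOC in a valid xar header (no heap data needed)."""
    raw = toc_xml.encode()
    comp = zlib.compress(raw)
    return XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(comp), len(raw), 1) + comp


# Constructed TOCs mirroring the two cases in the thread.
RSA_ONLY = build_fake_xar('<xar><toc><signature style="RSA"><offset>0</offset></signature></toc></xar>')
RSA_AND_CMS = build_fake_xar('<xar><toc><signature style="RSA"/><x-signature style="CMS"/></toc></xar>')
```

On a real package, pass it the file bytes (`pkg_signature_styles(open("test.pkg", "rb").read())`); this only inspects which signature elements exist, so pkgutil --check-signature remains the check that the signature actually verifies.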

Extended CMS signature should be added to version 1.2.5.

packagesdev avatar Oct 25 '18 21:10 packagesdev

Hi Guys,

I'm getting the same issue on 1.2.7, is there anything special I have to do?

Cheers

Andy

Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Could not find an appropriate "code signature" in the CADWrapperServer.pkg installer package.
Cannot download ticket. CDHash must be set.

AndrewCapon avatar Oct 28 '19 08:10 AndrewCapon

Actually it is not signed at all!

pkgutil --check-signature /Development/CADPluginWrapper/Installer/CADWrapperServer/build/CADWrapperServer.pkg

Package "CADWrapperServer.pkg":
   Status: no signature

Under Settings->Building I have my Developer ID cert that I use to sign everything else.

Any ideas?

AndrewCapon avatar Oct 28 '19 08:10 AndrewCapon

Signing it myself with same Developer cert then works, so it looks like Packages is just not signing it.

AndrewCapon avatar Oct 28 '19 08:10 AndrewCapon

My usage: I use the Packages.app built-in signing feature, but I sign & notarize the whole dmg file by myself (which contains the installer *.pkg). But the Packages.app (1.2.9) signing feature IMHO works as expected; my *.pkg installer is signed correctly (checked by pkgutil --check-signature *.pkg).

Is this issue still valid?

ferben avatar Nov 27 '20 11:11 ferben