Error 25308 when packagesbuild version 1.2.4 tries to sign
I get this error when I connect to a remote machine using Jenkins or my own ssh session and run packagesbuild (v1.2.4). If I Remote Desktop into this same machine and run the same command from the terminal window it works. The cert ID and keychain are in the project file. This is the command: /usr/local/bin/packagesbuild -v Starry\ Night\ Pro\ Plus\ 8.pkgproj
2018-11-01 15:22:36.767 packagesbuild[1399:7418483] SecTransformSetAttribute (kSecInputIsAttributeName): The operation couldn’t be completed. (com.apple.security.transforms.error error 20 - ABORT has been sent to the transform (Error Domain=Internal CSSM error Code=-25308 "Internal error #ffff9d24 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.70.7/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411" UserInfo={NSDescription=Internal error #ffff9d24 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.70.7/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411, Originating Transform=CoreFoundationObject}))
Create xar archive
==============================================================================
ERROR:
Description:
Unable to sign the data (0)
Build Failed
NOTE: I have had the same issue with earlier versions of packagesbuild. Also, I unlock the keychain before running packagesbuild.
errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */
This looks like the classic case where Jenkins can not unlock the keychain unless there is a Window Server session or a user logged in. Personally, I haven't found a solution for this. I tried a lot of the solutions suggested in StackOverflow and elsewhere with no success.
Yes, I used to get that problem several years ago and the solution was to unlock the keychain before doing anything with signing. And, that has worked up until now. However this macmini is sporting High Sierra and I read somewhere that Sierra and higher may require some fiddling with "security set-key-partition-list". Just wondering if something like this is/could be handled in code here.
Hi. I want to ask how to remove the notice shown in the following picture when I add a "Result of External Script" in Requirements & Resources. Many thanks!
It shows "This package will run a program to determine if the software can be installed."
It can not be removed as far as I know. Even signing the package does not remove the warning.
Thank you for your reply!
Is there any other way to check the driver version number? What I want to achieve is this: if I have already installed a higher version of the application and then try to install a lower version, the disk selection in the Destination part should refuse the installation.
Which driver?
By default, a lower version of a bundle app will not be installed over the version on disk.
If you want to prevent the user from being able to select a disk that contains a higher version, it's not too complex if the application is in a known location. You would need to use a JavaScript requirement (https://developer.apple.com/documentation/installerjs) with the bundleAtPath and System.compareVersions method.
Thanks for your reply again! I see, a JavaScript requirement can indeed do this, but there are two problems. The first one is that, with this method, the prompt forbidding installation shows at the beginning of the install rather than in the disk destination part, whether or not I select “Check this requirement against each volume”. The second one is that I can't successfully add an alert message, even though I have added a message in the section below the JavaScript. Do you have any good ideas?
By having good ideas, do you mean in general or regarding this specific issue? ;-)
First problem: It is a bug as far as I can tell. The option is not taken into account for JavaScript requirements. Will be fixed in version 1.2.7.
Second problem: This is partially related, but you should at least be able to have the message title set (and you would get a (null) explanation title). This should be addressed by the fix for the first problem.
That's great. I'm looking forward to the new version. Thanks!
I noticed your new commit (417e035) and replaced the "JavaScript.plugin" in version 1.2.4 to test it. The "Check this requirement against each volume" checkbox now takes effect, but there is still a problem with the JavaScript requirement: if I don't check the checkbox, the alert message displays normally. If I check the checkbox, add an explanation, and then run the package, the "Destination Select" step only shows the message "xxx can't be installed on this disk", without the explanation I have written. Do you know what went wrong?
It seems to me this thread got hijacked. I believe the upshot for the original issue (and it is not solved by unlocking the keychain) is that it is due to newer OSXes, perhaps Sierra and up, having added security that prevents packagesbuild from signing. In my case I work around this by removing the signing cert from my project and using productsign to sign the flat package afterward.
If using productsign solves the issue, this is a nice workaround.
I don't believe this is related to modifications in newer OSes. I faced that type of issue with OS X 10.9.5 while using productsign. And even playing with the Keychain Access option to allow/trust productsign did not solve the issue. If there's a clear explanation and a solution that works in 100% of cases for that kind of issue, I would definitely be interested in knowing it.
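The steps mentioned in this thread (unlock the keychain, security set-key-partition-list, then sign the flat package with productsign), scripted for an SSH or Jenkins session. This is an added example, not code from Packages or from any poster; the keychain path, identity string and package names are placeholders, and the thread does not establish that it clears error -25308 in every setup.

```shell
#!/bin/bash
# Added example. Keychain path, identity and file names are placeholders.

# Run a command; with DRY_RUN=1 print it instead, masking the password.
run() {
  if [ "${DRY_RUN:-0}" != "1" ]; then
    "$@"
    return
  fi
  local line arg
  line=""
  for arg in "$@"; do
    if [ "$arg" = "$KEYCHAIN_PASSWORD" ]; then arg='****'; fi
    line="$line $arg"
  done
  printf '%s\n' "${line# }"
}

# sign_flat_package KEYCHAIN IDENTITY UNSIGNED_PKG SIGNED_PKG
sign_flat_package() {
  local keychain identity unsigned signed
  keychain="$1"; identity="$2"; unsigned="$3"; signed="$4"
  if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
    echo "KEYCHAIN_PASSWORD is not set" >&2
    return 2
  fi

  # 1. Unlock the keychain that holds the signing identity. -p puts the
  #    password in argv; without it, security asks for it interactively.
  run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || return 1

  # 2. Sierra and later: put Apple's tools on the private key's partition
  #    list so that using the key does not need a GUI confirmation.
  run security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$KEYCHAIN_PASSWORD" "$keychain" || return 1

  # 3. Sign the flat package built without a certificate in the .pkgproj.
  run productsign --sign "$identity" --keychain "$keychain" \
    "$unsigned" "$signed" || return 1

  # 4. Confirm the result carries a signature before publishing it.
  run pkgutil --check-signature "$signed"
}
```

Call it as sign_flat_package KEYCHAIN IDENTITY UNSIGNED_PKG SIGNED_PKG with KEYCHAIN_PASSWORD supplied by the CI secret store; DRY_RUN=1 prints the four commands with the password masked instead of running them.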
@Carelost It could be the same kind of bug in Installer.app that prevents the custom explanation from being displayed for some disks. Instead you get a generic and incorrect explanation that states "You can only install this software on the disk that is running OS X.".