Attempting to codesign a MacOS app corrupts the app
Description
I’m trying to publish a command line MacOS application built with .NET. I’ve read many of the issues related to this, but none seems to precisely cover my case (at least not in a way that I understand). I did gather that it doesn’t work in .NET 5 so I’ve updated to .NET 6. In order to get it past gatekeeper, I need to sign, notarize, staple, bend, fold, spindle, etc.
I can’t seem to get past the first step. If I use codesign to sign the app, the app is then corrupted and won’t run.
$ codesign --timestamp -o runtime --force --verify --verbose --sign MYIDHERE SaxonCS
SaxonCS: replacing existing signature
SaxonCS: signed Mach-O thin (x86_64) [SaxonCS]
$ ./SaxonCS
Failed to load /private/tmp/app/libcoreclr.dylib, error: dlopen(/private/tmp/app/libcoreclr.dylib, 0x0001): tried: '/private/tmp/app/libcoreclr.dylib' (code signature in <3ACEB6DA-5249-3A77-A23B-BB471A3797C8> '/private/tmp/app/libcoreclr.dylib' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), '/usr/lib/libcoreclr.dylib' (no such file)
[1] 56791 segmentation fault ./SaxonCS
I’m slightly confused by the “replacing existing signature” message. I haven’t configured .NET to do signing automatically, at least not on purpose, and if it is signing automatically, I don’t see how it could be using the right key ID.
On a possibly related note, I’m surprised by the build artifacts that dotnet publish produces. I’m running
dotnet publish SaxonCS.sln --configuration Release -r osx-x64 \
--self-contained true -p:PublishSingleFile=true \
-p:PublishReadyToRun=true -p:UseAppHost=true \
-p:Version=11.2.0 -p:PackageVersion=11.2.0
But I’m not getting a “single file”:
$ ls -lA build/cs/bin/Release/net5.0/osx-x64/publish/
.rwxr--r-- 1 2.6M ndw 15 Feb 16:55 libclrjit.dylib
.rwxr--r-- 1 6.9M ndw 15 Feb 17:00 libcoreclr.dylib
.rwxr--r-- 1 962k ndw 15 Feb 16:48 libSystem.IO.Compression.Native.dylib
.rwxr--r-- 1 87k ndw 15 Feb 16:48 libSystem.Native.dylib
.rwxr--r-- 1 36k ndw 15 Feb 16:48 libSystem.Net.Security.Native.dylib
.rwxr--r-- 1 68k ndw 15 Feb 16:48 libSystem.Security.Cryptography.Native.Apple.dylib
.rwxr--r-- 1 172k ndw 15 Feb 16:48 libSystem.Security.Cryptography.Native.OpenSsl.dylib
.rwxr-xr-x 1 105M ndw 11 Mar 14:40 SaxonCS
.rw-r--r-- 1 1.9M ndw 11 Mar 14:40 SaxonCS.pdb
.rw-r--r-- 1 736k ndw 11 Mar 14:40 SaxonCS.xml
(If I don’t use the single file option, I get dozens and dozens of files, so it’s certainly closer to single file!)
On other occasions, with slightly different publish commands, I get more or less further along. Sometimes I can sign the SaxonCS file and it runs, but complains the other dylib files aren’t signed. If I sign them, things crash differently.
I fully expect this is user error, but I cannot find any explanation of either what I should be doing or what I might be doing wrong.
Configuration
$ /usr/local/share/dotnet/dotnet --info
.NET SDK (reflecting any global.json):
Version: 6.0.201
Commit: ef40e6aa06
Runtime Environment:
OS Name: Mac OS X
OS Version: 12.2
OS Platform: Darwin
RID: osx.12-x64
Base Path: /usr/local/share/dotnet/sdk/6.0.201/
Host (useful for support):
Version: 6.0.3
Commit: c24d9a9c91
.NET SDKs installed:
6.0.201 [/usr/local/share/dotnet/sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 6.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET runtimes or SDKs:
https://aka.ms/dotnet-download
Other information
Issue Analytics
- State:
- Created 2 years ago
- Reactions: 1
- Comments:19 (6 by maintainers)
Top GitHub Comments
Thank you @devon94. I believe I finally wrestled the whole process to the ground. Breadcrumbs for the next traveler: https://dev.saxonica.com/blog/norm/2022/12/21-net6.html
I’m returning to this task much later than I anticipated. I’d like to try the plist solution proposed, but I’m unclear on where this plist should be placed and what it should be called…
I think I figured this out: it’s passed to codesign with --entitlements. Apologies for the noise.