macOS: Why does 'spctl --assess' return 'no usable signature' on a PortJump bundle when signing and notarization seem to have succeeded?
Tags: macos, code-signing, packaging, wine, portjump

[Note: skip to the update below if the background is of no interest to you]

I have an open-source accounting program for Windows and a Mac port built by CodeWeavers (Wine and CrossOver working in the background). They are smart, kind, helpful people, but there is no documentation whatsoever for their customers on their PortJump product (and nothing to be found elsewhere on the internet either, although CodeWeavers claims to have produced a thousand-plus ports). Perhaps my questions are so far off that they cannot even understand my situation. So I have been trying on my own for months, and desperation makes the gaps between my feeble attempts grow longer and longer.

I have an .app bundle in a .zip file, which you can find here if needed: (access code: MUTmlUVm)

On the Apple developer portal I created a Distribution identity with the certificate name "Thomas Mielke" and a provisioning profile for the app id "de.easyct.easyct". (I also have an X.509 software code-signing certificate issued by an official CA, if needed.)

Perhaps the first thing I should do is sign the code, like in this question: . Or perhaps that should not be the first step at all... I feel completely alienated by the whole Mac environment and always find there are too many open questions to just start hacking away (why is this a zip and not a dmg? how deep do I have to sign, and with which options? why isn't this a project I can simply open in Xcode and sign with the Organizer?)

Maybe someone can lead me to a safe place where I can start feeling comfortable and enter the happy trial-and-error loop... Or, put differently: if you had to maintain a PortJump bundle, what would your approach be: a git repo, Homebrew, Xcode, shell scripts, or using

Is there a Mac developer here who can show me the beauty and power of developing on macOS?

Update: I now have this script to sign my bundle:
```bash
#!/bin/bash
MAC_SIGNING_IDENTITY="Developer ID Application:"
entitlements="wine32on64.entitlements"
app="$1"
product_id=
bundle_id=
SRCROOT=.

if [ ! -f "$entitlements" ]
then
    echo "$entitlements not found. Make sure it's in your working directory."
    exit 1
fi
if [ -z "$app" ]
then
    echo "You must specify the absolute path to the .app"
    exit 1
fi
if [ ! -d "$app" ]
then
    echo "The path you specified is invalid. Please provide the absolute path to the .app"
    exit 1
fi
if [[ ! "$app" = /* ]]
then
    echo "The path you specified is not an absolute path. Please provide the absolute path to the .app"
    exit 1
fi

# Derive the bundle identifier from the app's Info.plist unless it was given above
if [ -z "$bundle_id" ]
then
    bundle_id=$(defaults read "$app/Contents/Info.plist" CFBundleIdentifier)
    if [ -z "$bundle_id" ]
    then
        echo "Could not determine the product name from '$app'. Did you provide the absolute path to the .app?"
        exit 1
    fi
fi
echo "Bundle ID = \"$bundle_id\""

# The product id is the name of the (non-X11) directory under Contents/SharedSupport
if [ -z "$product_id" ]
then
    product_id=$(ls -d "$app/Contents/SharedSupport"/* | grep -v '/X11')
    if [ ! -d "$product_id" ]
    then
        echo "could not determine the product id from '$app'"
        exit 1
    fi
    product_id=$(basename "$product_id")
    echo "$product_id" | LC_ALL=C egrep '^[a-zA-Z0-9_][a-zA-Z0-9_][a-zA-Z0-9_][a-zA-Z0-9_][a-zA-Z0-9_]*$' >/dev/null
    if [ $? -ne 0 ]
    then
        echo "the product id '$product_id' is not valid"
        exit 1
    fi
fi
echo "Product ID = \"$product_id\""

# The signing certificate must live in an unlocked keychain on the search path
keychain=$(security find-certificate -c "$MAC_SIGNING_IDENTITY" | grep keychain | awk 'gsub(/"/, "", $2) {print $2}')
locked=$(security show-keychain-info "$keychain" 2>&1 | grep "timeout")
if [ -z "$locked" ]
then
    echo "Failed to find unlocked keychain with required certificate. Is your certificate in an unlocked keychain in your keychain search path?"
    echo "Your keychain search path is:"
    security list-keychains
    exit 1
fi

if [ "$MAC_SIGNING_IDENTITY" != "-" ] ; then
    # Figure out the Organizational Unit (OU) from the signing identity
    ou=$(
        security find-certificate -p -c "$MAC_SIGNING_IDENTITY" | \
        openssl x509 -inform PEM -subject -noout -nameopt sname,sep_multiline,space_eq | \
        awk '/ OU = / {print $3}'
    )
    if [ -z "$ou" ]; then
        echo "error: Could not determine OU from signing identity '$MAC_SIGNING_IDENTITY'"
        exit 1
    fi
fi

set -e

# Sign the app. The designated requirements were obtained by watching what Xcode 4.3
# does when it signs for Developer ID.
function sign_one()
{
    file="$1"; shift
    identifier="$1"; shift
    if [ "$MAC_SIGNING_IDENTITY" = "-" ] ; then
        # ad-hoc signing: no identity, so no designated requirement is needed
        codesign --sign "$MAC_SIGNING_IDENTITY" \
            --force \
            "$file" "$@"
    else
        codesign --sign "$MAC_SIGNING_IDENTITY" \
            --force \
            --requirements "=designated => anchor apple generic and identifier \"$identifier\" \
and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or \
(certificate 1[field.1.2.840.113635.100.6.2.6] exists and \
certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = \"$ou\" \
))" \
            "$file" "$@"
    fi
}

# Sign every Mach-O file below a directory, giving each a unique identifier
# of the form <bundle_id>.<component>.<sanitized file name>
function sign_subdir()
{
    subdir="$1" ; shift
    id_component="$1" ; shift
    find "$subdir/" -type f \( -name "*.so" -o -name "*dylib" -o -exec sh -c 'file "$0" | fgrep -qsw Mach-O' {} \; \) -print0 |
    while IFS= read -r -d '' file ; do
        name=$(basename "$file")
        name="${name//[^-a-zA-Z0-9]/-}"
        if [ -z "${name/#[^a-zA-Z]*}" ] ; then
            name="a-$name"
        fi
        if [ -z "${name/%*[^a-zA-Z0-9]}" ] ; then
            name="$name-0"
        fi
        identifier="$bundle_id.$id_component.$name"
        sign_one "$file" "$identifier" --identifier "$identifier" "$@"
    done
}

set -x

# Sign Sparkle framework and pyobjc bundle separately from the app bundle
if [ -d "$app/Contents/Frameworks/Sparkle.framework" ]; then
    sign_one "$app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/finish_installation.app" "org.andymatuschak.sparkle.finish-installation" --options runtime
    sign_one "$app/Contents/Frameworks/Sparkle.framework" "org.andymatuschak.Sparkle"
fi

sign_subdir "$app/Contents/SharedSupport/$product_id/bin" "bin" --options runtime
for libdir in "$app/Contents/SharedSupport/$product_id"/lib* ; do
    sign_subdir "$libdir" "$(basename "$libdir")"
done

# The wine (pre)loaders were already signed with the bin directory, above, but
# we need to re-do it with entitlements
for i in "$app/Contents/SharedSupport/$product_id/bin"/wine*loader*; do
    sign_one "$i" "$bundle_id.wineloader" \
        --options runtime \
        --entitlements "$SRCROOT/wine32on64.entitlements"
done

sign_one "$app" "$bundle_id" --options runtime --entitlements "$SRCROOT/wine32on64.entitlements"
```
The entitlements file wine32on64.entitlements:
Everything runs fine, only the last line, the check using spctl --assess, returns "no usable signature". Also, after downloading the package, Gatekeeper still requires a security exception.

The problem turned out to have several causes: first, the bundle contained two symlinks. codesign doesn't mind them, but spctl -a doesn't like them. I then tested the .zip package with spctl, and even with the symlinks removed the package did not pass. At some point I tried spctl -a on the uncompressed .app folder, and that worked. So spctl seems not to like .zip packages.
Here is the cleaned-up version of the file I now use to sign and notarize the package:
```bash
#!/bin/bash
# read config
echo "Reading myappleid.config"
. ./myappleid.config
if [ -z "$appleid" ]
then
    echo "Error: Please add an entry 'appleid=<your_appleid_here>' to myappleid.config"
    exit 1
fi
if [ -z "$aspw" ]
then
    echo "Error: Please add an entry 'aspw=<your_app_specific_password_here>' to myappleid.config"
    exit 1
fi
echo "Notarisation will use apple id '$appleid'"

# unzip archive to EasyCash&Tax.app folder
echo "Unzipping original package..."
rm -rf EasyCash\&Tax.app
unzip -q easyct-2.38.3-unsigned.zip

# delete symlinks that would prevent Gatekeeper/spctl from passing otherwise
echo "Deleting symlinks"
rm EasyCash\&Tax.app/Contents/SharedSupport/easyct/support/easyct/drive_c/users/crossover/Downloads
rm EasyCash\&Tax.app/Contents/SharedSupport/easyct/support/easyct/drive_c/users/crossover/Templates

# sign the package using Codeweavers script
echo "Signing package..."
./sign_codeV4 "$(pwd)/EasyCash&Tax.app"

# archive signed package to a zip for notarisation
ditto -c -k --keepParent EasyCash\&Tax.app EasyCT.zip

# prepare option if team id was set
if [ -z "$ascprov" ]
then
    ascprovoption=
else
    ascprovoption="--asc-provider"
fi
output=$(xcrun altool --notarize-app --primary-bundle-id de.easyct.easyct $ascprovoption $ascprov -u "$appleid" -p "$aspw" --file EasyCT.zip 2>&1)
ticket_id=$(echo "$output" | grep RequestUUID | awk '{print $3}')
if [ -z "$ticket_id" ]
then
    printf 'Error: No ticket id was returned.\n\n%s\n' "$output"
    exit 1
fi
echo "Notarization ticket: $ticket_id"

# altool only queues the upload; the ticket exists once Apple's scan has finished,
# so poll until the status is no longer "in progress" before trying to staple
status="in progress"
while [ "$status" = "in progress" ]
do
    sleep 30
    info=$(xcrun altool --notarization-info "$ticket_id" -u "$appleid" -p "$aspw" 2>&1)
    status=$(echo "$info" | grep '^ *Status:' | sed 's/^ *Status: *//')
    echo "Notarization status: $status"
done
if [ "$status" != "success" ]
then
    echo "Error: notarization did not succeed:"
    echo "$info"
    exit 1
fi

echo "Stapling..."
output=$(xcrun stapler staple EasyCash\&Tax.app)
echo "$output"
stapling_worked=$(echo "$output" | grep "The staple and validate action worked")
if [ -z "$stapling_worked" ]
then
    echo "Error: stapling didn't work, it seems. Try to run 'xcrun stapler staple EasyCash\\&Tax.app' and zip EasyCT4Mac.zip manually."
    exit 1
fi

# assess the unpacked .app folder, not the zip: spctl rejects the archive
echo "Checking stapled EasyCash&Tax.app folder using spctl -a..."
spctl --assess --type open --context context:primary-signature --verbose EasyCash\&Tax.app

echo "Final packaging to EasyCT4Mac.zip..."
ditto -c -k --keepParent EasyCash\&Tax.app EasyCT4Mac.zip

# clean-up temporary zip, used for notarisation
rm EasyCT.zip
```
Hope this may help someone with a similar problem.

What is the question? You could narrow it down to "Why does 'spctl --assess' return 'no usable signature' here after signing and notarizing the package seems to have succeeded?". Try to delete superfluous and unnecessary information, such as the top paragraph of your question, which is "too far off". The best questions are short, concise and to the point, so volunteers will be more willing to read (and thus answer) your question.
```bash
#!/bin/bash
ditto -c -k --keepParent EasyCT.app EasyCT.zip
output=$(xcrun altool --notarize-app --primary-bundle-id de.easyct.easyct --asc-provider "MYTEAMID" -u "my@apple.id" -p "abcd-efgh-ijkl-mnop" --file EasyCT.zip 2>&1)
ticket_id=$(echo "$output" | grep RequestUUID | awk '{print $3}')
if [ -z "$ticket_id" ]
then
    printf 'Error: No ticket id was returned.\n\n%s\n' "$output"
    exit 1
fi
echo "Notarization ticket: $ticket_id"
xcrun altool --notarization-info "$ticket_id" -u "my@apple.id" -p "abcd-efgh-ijkl-mnop"
xcrun stapler staple EasyCT.app
spctl --assess --type open --context context:primary-signature --verbose EasyCT.zip
```
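The two findings from the post (symlinks inside the bundle make spctl reject it, and spctl must be run on the unpacked .app rather than on the .zip) can be turned into a pre-flight check that runs after signing and before the final ditto. The script below is an added example, not the asker's script and not CodeWeavers' sign_codeV4. It assumes a bundle laid out like EasyCash&Tax.app (Contents/Info.plist present), uses `spctl --type execute`, Gatekeeper's launch verdict for applications (the post's script uses `--type open` with `--context context:primary-signature`), and only invokes codesign, spctl and stapler where those tools exist, so the structural checks also run on a non-Mac build host.

```bash
#!/bin/bash
# Pre-flight checks for a signed and notarized .app before it is zipped for
# distribution. Added example: not the asker's code and not sign_codeV4.
# Bundle layout (Contents/Info.plist) and the spctl type are assumptions.

# List every symlink inside the bundle. codesign tolerates them, but
# Gatekeeper/spctl rejected the bundle in the post until they were removed.
find_bundle_symlinks() {
    find "$1" -type l
}

# Only the unpacked .app directory can be assessed; a .zip is refused
# up front, since spctl reported "no usable signature" on the archive.
assessable_app() {
    case "$1" in
        *.zip) return 1 ;;
    esac
    [ -d "$1" ] && [ -f "$1/Contents/Info.plist" ]
}

# Run the verification chain on an unpacked .app. Returns non-zero on the
# first failed check; the macOS-only tools are skipped when not installed.
verify_app() {
    app="$1"
    if ! assessable_app "$app"; then
        echo "refusing to assess '$app': pass the unpacked .app, not a .zip" >&2
        return 1
    fi
    links=$(find_bundle_symlinks "$app")
    if [ -n "$links" ]; then
        echo "symlinks present in bundle (spctl will likely reject it):" >&2
        echo "$links" >&2
        return 1
    fi
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign/spctl not available here; structural checks only" >&2
        return 0
    fi
    # Strict, recursive verification of every nested code object
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # Gatekeeper's verdict for launching the application
    spctl --assess --type execute --verbose "$app" || return 1
    # Confirms a notarization ticket is stapled into the bundle
    xcrun stapler validate "$app" || return 1
}

# Usage: ./preflight.sh /absolute/path/to/EasyCash\&Tax.app
if [ -n "${1:-}" ]; then
    verify_app "$1"
    exit $?
fi
```

Run it between the signing step and the final `ditto` so that a bundle with a stray symlink, or a .zip passed by mistake, fails the build before anything is uploaded for notarization.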