[MB-7250] Mac OS X App should be signed by a valid developer key
Created: 22/Nov/12 Updated: 16/May/13 |
|
| Status: | In Progress |
| Project: | Couchbase Server |
| Component/s: | build |
| Affects Version/s: | 2.0-beta-2, 2.0.2 |
| Fix Version/s: | 2.0.2 |
| Security Level: | Public |
| Type: | Improvement | Priority: | Blocker |
| Reporter: | J Chris Anderson | Assignee: | Phil Labee |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
| Description |
|
Currently launching the Mac OS X version tells you it's from an unidentified developer. You have to right click to launch the app. We can fix this.
|
| Comments |
| Comment by Farshid Ghods [ 22/Nov/12 ] |
|
Chris,
do you know what needs to change on the build machine to embed our developer key? |
| Comment by J Chris Anderson [ 22/Nov/12 ] |
| I have no idea. I could start researching how to get a key from Apple but maybe after the weekend. :) |
| Comment by Farshid Ghods [ 22/Nov/12 ] |
|
We can discuss this next week :). Thanks for reporting the issue Chris.
|
| Comment by Steve Yen [ 26/Nov/12 ] |
| we'll want separate, related bugs (tasks) for other platforms, too (windows, linux) |
| Comment by Jens Alfke [ 30/Nov/12 ] |
|
We need to get a developer ID from Apple; this will give us some kind of cert, and a local private key for signing.
Then we need to figure out how to get that key and cert onto the build machine, in the Keychain of the account that runs the buildbot. |
| Comment by Farshid Ghods [ 02/Jan/13 ] |
|
The instructions to build are available here:
https://github.com/couchbase/couchdbx-app
We need to add codesign as a build step there. |
| Comment by Farshid Ghods [ 22/Jan/13 ] |
|
Phil,
do you have any update on this ticket? |
| Comment by Phil Labee [ 22/Jan/13 ] |
|
I have signing cert installed on 10.17.21.150 (MacBuild).
Change to Makefile: http://review.couchbase.org/#/c/24149/ |
| Comment by Phil Labee [ 23/Jan/13 ] |
| need to change master.cfg and pass env.var. to package-mac |
| Comment by Phil Labee [ 29/Jan/13 ] |
|
disregard previous. Have added signing to Xcode projects.
see http://review.couchbase.org/#/c/24273/ |
| Comment by Phil Labee [ 31/Jan/13 ] |
|
To test this go to System Preferences / Security & Privacy, and on the General tab set "Allow applications downloaded from" to "Mac App Store and Identified Developers". Set this before running Couchbase Server.app the first time. Once an app has been allowed to run this setting is no longer checked for that app, and there doesn't seem to be a way to reset that.
What is odd is that on my system, I allowed one unsigned build to run before restricting the app run setting, and then no other unsigned builds would be checked (and would all be allowed to run). Either there is a flaw in my testing methodology, or a serious weakness in this security setting: Just because one app called Couchbase Server was allowed to run should confer this privilege to other apps with the same name. A common malware tactic is to modify a trusted app and distribute it as update, and if the security setting keys off the app name it will do nothing to prevent that. I'm approving this change without having satisfactorily tested it. |
| Comment by Jens Alfke [ 31/Jan/13 ] |
|
Strictly speaking it's not the app name but its bundle ID, i.e. "com.couchbase.CouchbaseServer" or whatever we use.
> I allowed one unsigned build to run before restricting the app run setting, and then no other unsigned builds would be checked
By OK'ing an unsigned app you're basically agreeing to toss security out the window, at least for that app. This feature is really just a workaround for older apps. By OK'ing the app you're not really saying "yes, I trust this build of this app" so much as "yes, I agree to run this app even though I don't trust it".
> A common malware tactic is to modify a trusted app and distribute it as update
If it's a trusted app it's hopefully been signed, so the user wouldn't have had to waive signature checking for it. |
| Comment by Jens Alfke [ 31/Jan/13 ] |
| Further thought: It might be a good idea to change the bundle ID in the new signed version of the app, because users of 2.0 with strict security settings have presumably already bypassed security on the unsigned version. |
| Comment by Jin Lim [ 04/Feb/13 ] |
| Per bug scrubs, keep this a blocker since customers ran into this issue (and originally reported it). |
| Comment by Phil Labee [ 06/Feb/13 ] |
| revert the change so that builds can complete. App is currently not being signed. |
| Comment by Farshid Ghods [ 11/Feb/13 ] |
| I suggest for 2.0.1 release we do this build manually. |
| Comment by Jin Lim [ 11/Feb/13 ] |
| As one-off fix, add the signature manually and automate the required steps later in 2.0.2 or beyond. |
| Comment by Jin Lim [ 13/Feb/13 ] |
| Please move this bug to 2.0.2 after populating the required signature manually. I am lowering the severity to critical for it is no longer a blocking issue. |
| Comment by Farshid Ghods [ 15/Feb/13 ] |
| Phil to upload the binary to latestbuilds , ( 2.0.1-101-rel.zip ) |
| Comment by Phil Labee [ 15/Feb/13 ] |
|
Please verify: http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-160-rel-signed.zip |
| Comment by Phil Labee [ 15/Feb/13 ] |
|
uploaded:
http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-160-rel-signed.zip I can rename it when uploading for release. |
| Comment by Farshid Ghods [ 17/Feb/13 ] |
|
I still do get the error that it is from an identified developer. |
| Comment by Phil Labee [ 18/Feb/13 ] |
|
Operator error. I rebuilt the app, this time verifying that the codesign step occurred. Uploaded new file to same location: http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-160-rel-signed.zip |
| Comment by Phil Labee [ 26/Feb/13 ] |
| still need to perform manual workaround |
| Comment by Phil Labee [ 04/Mar/13 ] |
|
release candidate has been uploaded to: http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-172-signed.zip |
| Comment by Wayne Siu [ 03/Apr/13 ] |
| Phil, looks like version 172/185 is still getting the error. My Mac version is 10.8.2 |
| Comment by Thuan Nguyen [ 03/Apr/13 ] |
| Installed Couchbase Server (build 2.0.1-172 community version) on my Mac OS X 10.7.4; I only see the warning message |
| Comment by Wayne Siu [ 03/Apr/13 ] |
| Latest version (04.03.13) : http://builds.hq.northscale.net/latestbuilds/couchbase-server-community_x86_64_2.0.1-185-rel.zip |
| Comment by Maria McDuff [ 03/Apr/13 ] |
|
Works in 10.7 but not in 10.8. If we can get the fix for 10.8 by tomorrow, end of day, QE is willing to test for release on Tuesday, April 9. |
| Comment by Phil Labee [ 04/Apr/13 ] |
|
The mac builds are not being automatically signed, so build 185 is not signed. The original 172 is also not signed. Did you try http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-172-signed.zip to see if that was signed correctly? |
| Comment by Wayne Siu [ 04/Apr/13 ] |
|
Phil, Yes, we did try the 172-signed version. It works on 10.7 but not 10.8. Can you take a look? |
| Comment by Phil Labee [ 04/Apr/13 ] |
|
I rebuilt 2.0.1-185 and uploaded a signed app to: http://packages.northscale.com/latestbuilds/couchbase-server-community_x86_64_2.0.1-185-rel.SIGNED.zip Test on a machine that has never had Couchbase Server installed, and has the security setting to only allow Appstore or signed apps. If you get the "Couchbase Server.app was downloaded from the internet" warning and you can click OK and install it, then this bug is fixed. The quarantining of files downloaded by a browser is part of the operating system and is not controlled by signing. |
| Comment by Wayne Siu [ 04/Apr/13 ] |
| Tried the 185-signed version (see attached screen shot). Same error message. |
| Comment by Phil Labee [ 04/Apr/13 ] |
|
This is not an error message related to this bug. |
| Comment by Maria McDuff [ 14/May/13 ] |
| per bug triage, we need to have mac 10.8 osx working since it is a supported platform (published in the website). |
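
Several builds in this thread were uploaded without the codesign step having run. The script below is an added example, not part of the ticket or of the Couchbase build scripts, showing one way a build step could refuse to publish such a package. It assumes the app is signed with a "Developer ID Application" certificate and that it runs on macOS, where `codesign` and `spctl` are available; the function name and result strings are hypothetical.

```sh
#!/bin/sh
# Added example (not from the Couchbase build scripts): fail a build when the
# packaged .app is unsigned, signed with the wrong certificate type, or
# rejected by Gatekeeper policy. Run on macOS, where codesign and spctl exist.

check_app_signature() {
    app=$1

    # 1. A signature must be present and must still match the bundle contents.
    if ! codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
        echo "unsigned-or-invalid"
        return 1
    fi

    # 2. The first Authority= line is the signing (leaf) certificate.
    #    codesign -dvv writes its report to stderr, hence 2>&1.
    authority=$(codesign -dvv "$app" 2>&1 | sed -n 's/^Authority=//p' | head -n 1)
    case $authority in
        "Developer ID Application:"*) ;;
        *) echo "not-developer-id"; return 1 ;;
    esac

    # 3. Ask the Gatekeeper policy engine whether it would allow execution.
    if ! spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo "gatekeeper-rejected"
        return 1
    fi

    echo "ok"
}

# Usage as a build step: sh check_sign.sh "Couchbase Server.app"
# (the script name is hypothetical). With no argument it only defines the function.
[ "$#" -eq 0 ] || check_app_signature "$1"
```

The non-zero exit status on any failed check is what lets a build system stop before the upload step.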