Mac OS Gatekeeper blocking signed command line tool


Problem description

I have a "command line tool" target (not an App bundle) in Xcode that is being blocked by Gatekeeper. I've used this tool for years as a simple installer for my PostCheck Address Book plugin.

In 2012 I signed the tool with my Apple Developer ID so that it wouldn't be blocked by Gatekeeper and all was well for a while. I've now noticed that with macOS Sierra (10.12) it's now being blocked, and during testing I've also found that it's blocked by 10.11.6 as well. (When I say blocked, I mean the user has to right-click on it and choose 'open' instead of being given the option in the warning dialog.) It still works fine with 10.11.2! – If I recall, Mac OS X 10.11.4 had a bug that blocked non-app bundles even if they were signed, but I think that problem was fixed in 10.11.5. Maybe it's related?

I've tried re-compiling and re-signing the executable with Xcode 8 under Sierra. I tried embedding an Info.plist in the binary (which I hadn't done before). I've tried archiving rather than just "building" in case it was an issue with debug vs. release configurations. I've spent two days searching methods for validating my executable is signed properly, seemingly with conflicting results…

There's this:

codesign --verify --verbose <executable> 
<executable>: valid on disk
<executable>: satisfies its Designated Requirement

This:

spctl --assess --verbose <executable> 
<executable>: rejected (the code is valid but does not seem to be an app)
source=matched cdhash

This:

spctl -a -v --raw <executable> 
<executable>: accepted
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>assessment:authority</key>
    <dict>
        <key>assessment:authority:flags</key>
        <integer>0</integer>
        <key>assessment:authority:source</key>
        <string>allowed cdhash</string>
        <key>assessment:authority:weak</key>
        <true/>
    </dict>
    <key>assessment:cserror</key>
    <integer>-67002</integer>
    <key>assessment:remote</key>
    <true/>
    <key>assessment:verdict</key>
    <true/>
</dict>
</plist>

I suppose part of my problem is I don't know what a command line executable is supposed to look like after being signed with a valid Apple Developer ID. And I also don't know if it's a macOS problem that I can't do anything about anyway. It's also extremely difficult to Google for both command line tools and code signing problems and find something actually related to code signing a command line Unix executable.

I appreciate any insight into what might be going on here. Thanks!

Recommended answer

I hate to answer my questions, but in case anyone comes across this same problem:

The solution is to distribute the command line tool on a signed disk image instead of in a zip file.

I ended up testing back to 10.11.4 and confirmed that's when the trouble began. (I must have been testing it improperly back then.) OS X simply blocks double-clicking a Unix Command Line Tool, no matter how I sign it. It's probably for the best as most command line tools will be run from within Terminal.app.

For Sierra, it turned out I needed the signed DMG anyway to get around the new Path Randomization feature of Gatekeeper.
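
The fix described in the answer, written out as a packaging script. This is an added example, not code from the original post: it checks the tool's existing signature, builds a disk image with `hdiutil`, signs the image, and asks Gatekeeper to assess the image rather than the bare tool. The function names, the `DRY_RUN` switch, the default volume name and the identity string are assumptions.

```shell
#!/bin/sh
# Added example: package an already-signed command line tool into a signed
# disk image. Tool path, identity and volume name are placeholders.

# run CMD...: print the command; execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# make_signed_dmg TOOL IDENTITY OUT_DMG [VOLNAME]
make_signed_dmg() {
    tool=$1 identity=$2 dmg=$3 volname=${4:-Installer}
    [ -n "$tool" ] && [ -n "$identity" ] && [ -n "$dmg" ] || {
        echo "usage: make_signed_dmg TOOL IDENTITY OUT_DMG [VOLNAME]" >&2
        return 2
    }
    stage=$(mktemp -d) || return 1

    # 1. The tool itself must already carry a valid signature.
    run codesign --verify --verbose "$tool" &&
    run cp -p "$tool" "$stage/" &&
    # 2. Build a compressed read-only image from the staging folder.
    run hdiutil create -volname "$volname" -srcfolder "$stage" \
        -ov -format UDZO "$dmg" &&
    # 3. Sign the image itself with the Developer ID identity.
    run codesign --sign "$identity" --timestamp "$dmg" &&
    # 4. Check the image signature, then ask Gatekeeper about the image
    #    (not the bare tool, which spctl rejects as "not an app").
    run codesign --verify --verbose "$dmg" &&
    run spctl --assess --type open \
        --context context:primary-signature --verbose "$dmg"
    status=$?
    rm -rf "$stage"
    return $status
}

# Direct use:
#   sh make_dmg.sh ./mytool "Developer ID Application: NAME (TEAMID)" out.dmg
if [ "$#" -ge 3 ]; then
    make_signed_dmg "$@"
fi
```

Setting `DRY_RUN=1` prints the commands without running them, which is useful for reviewing the release steps on a machine without the signing identity.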
