Codesign App that uses XojoScript (using AppWrapper)

  1. 3 months ago

    Paul L

    Jul 22 Pre-Release Testers Toronto
    Edited 3 months ago

    Hi,

    I was able to successfully codesign and notarize my App for Catalina, but it seems there are some issues with XojoScript. I get the following crash when running a script:

    System Integrity Protection: enabled
    
    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
    Exception Codes:       0x0000000000000032, 0x00000001110dd000
    Exception Note:        EXC_CORPSE_NOTIFY
    
    Termination Reason:    Namespace CODESIGNING, Code 0x2
    
    kernel messages:
    
    VM Regions Near 0x1110dd000:
        CoreImage              00000001110dc000-00000001110dd000 [    4K] rw-/rwx SM=PRV  
    --> VM_ALLOCATE            00000001110dd000-00000001110df000 [    8K] r-x/rwx SM=COW  
        CoreImage              00000001110df000-00000001110e0000 [    4K] rw-/rwx SM=PRV  

    Has anyone successfully codesigned an App that uses XojoScript?

    It would be great if this can be done right from AppWrapper, but I'm not sure what settings to use if it is possible.

    Thanks!

  2. Beatrix W

    Jul 22 Pre-Release Testers, Third Party Store Europe (Germany)

    Did you set the correct entitlement for XojoScript?

  3. Paul L

    Jul 22 Pre-Release Testers Toronto

    @Beatrix W Did you set the correct entitlement for XojoScript?

    I did not, because I can't find what they are, or how to set them.

    Do you have instructions for how to set them? Preferably using AppWrapper.

    Thank you!
    - Paul

  4. Christoph D

    Jul 22 Pre-Release Testers, Xojo Pro

    I think you can only add an entitlement to use Applescript, not Xojoscript.

  5. Oliver O

    Jul 22 Pre-Release Testers, Xojo Pro https://udemy.seminar.pro

    This thread may help:
    https://forum.xojo.com/53334-fyi-notarizing-your-app-before-distribution-macos-10-14-5-and-b/p5#p440993

  6. Paul L

    Jul 22 Pre-Release Testers Toronto
    Edited 3 months ago

    Thank you everyone for the help!

    I was able to edit the mainApplication.entitlements file for AppWrapper for my app and added these entitlements to that file:

    (this file is located at ~/Library/Application Support/com.ohanaware.appWrapper3/<your app bundle>)

    com.apple.security.cs.allow-unsigned-executable-memory
    com.apple.security.cs.allow-jit

    After codesigning and notarizing XojoScript is now running on Catalina beta 4.

    I am not sure if this is the correct way to add these custom entitlements to AppWrapper or if there is a more straightforward way. This file may get overwritten at some point by AppWrapper. Maybe @Sam R can suggest a better way.

    Thanks!
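
The two keys added in the post above are hardened-runtime exceptions, so it is worth auditing what an entitlements file actually enables before signing with it. The following is an added example, not code from the thread or from App Wrapper; the function names and the sample plist are constructed for illustration.

```python
import plistlib

# Hardened-runtime exception keys documented by Apple. Each one relaxes a
# protection, so a notarized app should carry only the ones it needs.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "writable+executable memory allowed when mapped with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable+executable memory allowed without the MAP_JIT restrictions",
    "com.apple.security.cs.disable-executable-page-protection":
        "code-signing protection of executable pages disabled",
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by Apple or the app's own team may load",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured",
}
BROAD = "com.apple.security.cs.allow-unsigned-executable-memory"

def build_entitlements(keys):
    """Serialize an XML entitlements plist with every given key set to true."""
    return plistlib.dumps({key: True for key in keys}, fmt=plistlib.FMT_XML)

def audit_entitlements(plist_bytes):
    """Return (enabled_exceptions, warnings) for an entitlements plist."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary")
    enabled = sorted(k for k in RUNTIME_EXCEPTIONS if data.get(k) is True)
    warnings = []
    if BROAD in enabled:
        warnings.append(BROAD + " is set: it is broader than allow-jit, "
                        "so check whether the app still runs without it")
    for key in sorted(data):
        if key.startswith("com.apple.security.cs.") and key not in RUNTIME_EXCEPTIONS:
            warnings.append("not in this table, review by hand: " + key)
    return enabled, warnings

# Constructed sample: the two keys from the post plus the App Sandbox key.
SAMPLE = build_entitlements([
    "com.apple.security.app-sandbox",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-jit",
])

if __name__ == "__main__":
    enabled, warnings = audit_entitlements(SAMPLE)
    for key in enabled:
        print(key, "->", RUNTIME_EXCEPTIONS[key])
    for warning in warnings:
        print("WARNING:", warning)
```

On a Mac, the entitlements embedded in an already signed bundle can be dumped with `codesign -d --entitlements :- <path to app>` and passed to `audit_entitlements` in the same way.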

  7. @Paul L — Personally, I use an IDEScript to set entitlements and sign my apps (so the debug versions also have entitlements/signature). Here is my script:

    //# Sign app
    
    dim appPath as String
    
    appPath = CurrentBuildLocationNative + "/" + CurrentBuildAppName + ".app"
    
    // First, clear xattr (finderInfo) which are not supported by codesign
    dim command as String
    
    command = "/usr/bin/xattr -cr """ + appPath + """"
    
    dim result as string = DoShellCommand( command )
    
    if result<>"" then
      Print( "[xattr]: " + result )
      return
    end if
    
    // Find entitlements (replace the placeholder with the path to your .entitlements file)
    dim entitlementsPath as string
    entitlementsPath = "<YOUR PATH HERE>"
    
    // Then codesign
    command = "codesign -f --deep --entitlements """ + entitlementsPath + """ -s ""<YOUR APPLE ID HERE>"" """ + appPath + """"
    
    result = DoShellCommand( command )
    
    if result<>"" then
      Print( "[codesign]: " + result )
    end if

    Note that I usually prefer to use my email address as my Apple ID, if it ever makes a difference.

  8. Paul L

    Jul 22 Pre-Release Testers Toronto
    Edited 3 months ago

    Hi Stéphane,

    Thanks for sharing your IDEScript, I will test it out here and see how it works for me.

  9. Sam R

    Jul 22 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    Check out App Wrapper 3.9.1 (released today, select "Update" from the "App Wrapper" menu), which has these new options added to the Capabilities pane.

    Direct download: https://www.ohanaware.com/appwrapper/appWrapper3.dmg

  10. Oliver O

    Jul 23 Pre-Release Testers, Xojo Pro https://udemy.seminar.pro
    Edited 3 months ago

    @Sam R Check out App Wrapper 3.9.1 (released today, select "Update" from the "App Wrapper" menu), which has these new options added to the Capabilities pane.

    Direct download: https://www.ohanaware.com/appwrapper/appWrapper3.dmg

    It works like a charm now! Now my app is executing XojoScripts as before, but now the app is sandboxed AND notarized.

    Great work Sam, thanks a lot!

    And for those of you interested: This is the complete list of the hardened runtime entitlements:
    https://developer.apple.com/documentation/security/hardened_runtime_entitlements

  11. Paul L

    Jul 23 Pre-Release Testers Toronto

    Thanks @Sam R ! Everything seems to be working great!
