Codesign App that uses XojoScript (using AppWrapper)

Hi,

I was able to successfully codesign and notarize my App for Catalina, but it seems there are some issues with XojoScript. I get the following crash when running a script:

[code]System Integrity Protection: enabled

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes: 0x0000000000000032, 0x00000001110dd000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x2

kernel messages:

VM Regions Near 0x1110dd000:
CoreImage 00000001110dc000-00000001110dd000 [ 4K] rw-/rwx SM=PRV
--> VM_ALLOCATE 00000001110dd000-00000001110df000 [ 8K] r-x/rwx SM=COW
CoreImage 00000001110df000-00000001110e0000 [ 4K] rw-/rwx SM=PRV
[/code]

Has anyone successfully codesigned an App that uses XojoScript?

It would be great if this can be done right from AppWrapper, but I’m not sure what settings to use if it is possible.

Thanks!

Did you set the correct entitlement for XojoScript?

I did not, because I can’t find what they are, or how to set them.

Do you have instructions for how to set them? Preferably using AppWrapper.

Thank you!

  • Paul

I think you can only add an entitlement to use Applescript, not Xojoscript.

This thread may help:
https://forum.xojo.com/53334-fyi-notarizing-your-app-before-distribution-macos-10-14-5-and-b/p5#p440993

Thank you everyone for the help!

I was able to edit the mainApplication.entitlements file for AppWrapper for my app and added these entitlements to that file:

(this file is located at ~/Library/Application Support/com.ohanaware.appWrapper3/)

com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-jit

After codesigning and notarizing XojoScript is now running on Catalina beta 4.

I am not sure if this is the correct way to add these custom entitlements to AppWrapper or if there is a more straightforward way. This file may get overwritten at some point by AppWrapper. Maybe @Sam Rowlands can suggest a better way.

Thanks!
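As an added example (not part of the original posts): since the hand-edited entitlements file may be overwritten, this sketch re-applies the two keys to an entitlements plist idempotently and lists every hardened-runtime exception the file enables, so the relaxations can be reviewed before signing. The function names and the sample plist are constructed for illustration.

```python
import plistlib

# The two hardened-runtime exceptions named in the post above.
XOJOSCRIPT_KEYS = (
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
)
RUNTIME_EXCEPTION_PREFIX = "com.apple.security.cs."


def add_entitlements(plist_bytes, keys=XOJOSCRIPT_KEYS):
    """Return (new_plist_bytes, added_keys). Idempotent; other keys are kept."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    added = [k for k in keys if ent.get(k) is not True]
    for k in added:
        ent[k] = True
    return plistlib.dumps(ent, sort_keys=True), added


def runtime_exceptions(plist_bytes):
    """List the hardened-runtime exceptions a plist turns on, for review."""
    ent = plistlib.loads(plist_bytes)
    return sorted(k for k, v in ent.items()
                  if k.startswith(RUNTIME_EXCEPTION_PREFIX) and v is True)


# Constructed sample: an entitlements file that only enables the sandbox.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    patched, added = add_entitlements(SAMPLE)
    print("added:", added)
    print("runtime exceptions enabled:", runtime_exceptions(patched))
    print(patched.decode())
```

After signing, `codesign -d --entitlements :- MyApp.app` prints the entitlements actually embedded in the signature, which can be passed through `runtime_exceptions` the same way.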

@Paul Levine — Personally, I use an IDEScript to set entitlements and sign my apps (so the debug versions also have entitlements/signature). Here is my script:

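[code]//# Sign app

dim appPath as String

appPath = CurrentBuildLocationNative + "/" + CurrentBuildAppName + ".app"

// First, clear xattr (finderInfo) which are not supported by codesign
dim command as String

command = "/usr/bin/xattr -cr """ + appPath + """"

dim result as string = DoShellCommand( command )

// xattr prints nothing on success; any output is an error, so report it and stop
if result<>"" then
  Print( "[xattr]: " + result )
  return
end if

// Find entitlements
// (the path is missing from the post as published; the value below is a placeholder)
dim entitlementsPath as string
entitlementsPath = "<path to your .entitlements file>"

// Then codesign
// (the signing identity after -s is also missing from the post; <signing identity> is a placeholder)
command = "codesign -f --deep --entitlements """ + entitlementsPath + """ -s ""<signing identity>"" """ + appPath + """"

result = DoShellCommand( command )

// codesign output is reported as-is
if result<>"" then
  Print( "[codesign]: " + result )
end if[/code]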

Note that I usually prefer to use my email address as my Apple ID, if it ever makes a difference.

Hi Stéphane,

Thanks for sharing your IDEScript, I will test it out here and see how it works for me.

Check out App Wrapper 3.9.1 (released today, select “Update” from the “App Wrapper” menu). Which has these new options added to the Capabilities pane.

Direct download: https://www.ohanaware.com/appwrapper/appWrapper3.dmg

[quote=446244:@Sam Rowlands]Check out App Wrapper 3.9.1 (released today, select “Update” from the “App Wrapper” menu). Which has these new options added to the Capabilities pane.

Direct download: https://www.ohanaware.com/appwrapper/appWrapper3.dmg[/quote]

It works like a charm now! Now my app is executing XojoScripts as before, but now the app is sandboxed AND notarized.

Great work Sam, thanks a lot!

And for those of you interested: This is the complete list of the hardened runtime entitlements:
https://developer.apple.com/documentation/security/hardened_runtime_entitlements

Thanks @Sam Rowlands! Everything seems to be working great!