systa on macOS Big Sur

Question

systa on macOS Big Sur

Hi,

I've gone ahead and made `systa` executable using `chmod u+x systa`. When I run it, macOS tells me that it cannot be verified by the developer. I'm assuming this has something to do with signing the file? Do we need to sign `systa` with our own certs to get it to work as well for packaging and shipping it with our NodeJS application? Please advise.

Thanks,

Arie

Apr 11, 2021

Wyatt O'Day · Answer 1 · 2021-04-12T00:14:32Z

Yes, sign it with your own certs.

Arie Stavchansky · Answer 2 · 2021-04-12T03:04:00Z

Thanks, Wyatt.

I am signing both the `systa` and the `libTurboActivate.dylib" files like so:

codesign --verbose --force --timestamp --sign "Developer ID Application: My Company, Inc. (XXXXXXXXXX)" "${limelm_helper}"

codesign --verbose --force --timestamp --sign "Developer ID Application: My Company, Inc. (XXXXXXXXXX)" "${limelm_lib}"

This outputs the following:

Signing WyDay Licensing Helper App...
/Dev/myapp/licensing/macOS/systa: replacing existing signature
/Dev/myapp/licensing/macOS/systa: signed Mach-O universal (x86_64 arm64) [systa]


Signing WyDay Licensing Library...
/Dev/myapp/licensing/macOS/libTurboActivate.dylib: replacing existing signature
/Dev/myapp/licensing/macOS/libTurboActivate.dylib: signed Mach-O universal (x86_64 arm64) [libTurboActivate]

So it appears that the files do get signed. Now, I've got the `systa`, `libTurboActivate.dylib`, and the `TurboActivate.dat` files in one directory. When I run `systa` I am presented with a GUI alert / error message from macOS stating:

“libTurboActivate.dylib” can’t be opened because Apple cannot check it for malicious software. This software needs to be updated. Contact the developer for more information.
Chrome downloaded this file today at 1:51 PM from wyday.com.

In the terminal after running `systa` I seeing the following:

dyld: Library not loaded: @rpath/libTurboActivate.dylib
  Referenced from: /Dev/myapp/licensing/macOS/./systa
  Reason: no suitable image found.  Did find:
	/Dev/myapp/licensing/macOS/./libTurboActivate.dylib: code signature in (/Dev/myapp/licensing/macOS/./libTurboActivate.dylib) not valid for use in process using Library Validation: library load disallowed by system policy
	/Dev/myapp/licensing/macOS/./libTurboActivate.dylib: stat() failed with errno=1
zsh: abort      ./systa

Is there a particular set of flags and values that need to be used to sign the libTurboActivate.dylib file?

Thanks!

Wyatt O'Day · Answer 3 · 2021-04-15T15:40:51Z

Looks like we might have to start signing executables on macOS again. Unfortunately it's a pain in the ass to get these certs because Apple inexplicably uses the defunct / outsourced, “Dun & Bradstreet" for “reputation information”.

So, we'll start this process, but no hard date on when we actually get usable certs from Apple.

Arie Stavchansky · Answer 4 · 2021-04-15T17:50:18Z

I think we are going to have to create a .pkg installer for the NodeJS app unfortunately. This will allow us to harden the .dylib via their notarization system. They don't allow devs to just send up .dylibs — they have to be a part of a package or runtime. Thanks for the clarification, and for adding this to an internal ticket, but I totally understand about timelines.

LimeLM
Overview Pricing & Sign up Why LimeLM? Tour Log in Help
wyBuild
Overview Pricing & Buy Features What's new Help
Support forum
wyDay blog
wyDay Home
Downloads Buy Contact us Careers

Guest name
Youʼre not logged-in, but you can still post as a guest.

Email