Tuesday, September 21, 2021

Mac installer and kext notarization!

 


----------------------------------------

Author: Sam

Date: 2021/08/05

----------------------------------------


*******************************************************************

** Add an Apple Developer ID signature to a ProjectMaker .mpkg

## productsign --sign "Developer ID Installer: User"  Source_Path  Target_Path

## Installer packages (.pkg / .mpkg) are signed with the "Developer ID Installer" identity. The "Developer ID Application" identity is the one codesign uses for apps and kexts (below); Gatekeeper's install policy does not accept a package signed with it, even though pkgutil still reports the certificate chain as trusted.

*******************************************************************

EX.

productsign --sign "Developer ID Installer: User" \

/Users/accusys/Desktop/Accusys_Mac_Driver_257_Beta4.mpkg \

/Users/accusys/Desktop/Accusys_Mac_Driver_257_Beta4_Sign1.mpkg



*******************************************************************

** Check the signature status of the ProjectMaker .mpkg

## pkgutil --check-signature /path/to/file.pkg

## "signed by a certificate trusted by macOS" only says the chain leads to Apple's root; also confirm that certificate 1 in the chain is a "Developer ID Installer" certificate, otherwise spctl --type install (last section) will still reject the package.

*******************************************************************

EX1.

# pkgutil --check-signature Accusys_Mac_Driver_257_Beta4.mpkg 

Package "Accusys_Mac_Driver_257_Beta4":

   Status: no signature


EX2.

# pkgutil --check-signature Accusys_Mac_Driver_257_Beta4_Sign.mpkg 

Package "Accusys_Mac_Driver_257_Beta4_Sign":

   Status: signed by a certificate trusted by macOS

   Certificate Chain:

    1. Developer ID Application: User

       Expires: 2023-09-08 08:17:40 +0000

       SHA256 Fingerprint:

           ED 2E 67 F9 F1 28 70 BC DC 87 00 CA D5 99 59 B5 86 C6 69 F2 47 C7 

           A2 82 91 34 8C 58 A1 C4 4C 74

       ------------------------------------------------------------------------

    2. Developer ID Certification Authority

       Expires: 2027-02-01 22:12:15 +0000

       SHA256 Fingerprint:

           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 

           F2 9C 88 CF B0 B1 BA 63 58 7F

       ------------------------------------------------------------------------

    3. Apple Root CA

       Expires: 2035-02-09 21:40:36 +0000

       SHA256 Fingerprint:

           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 

           68 C5 BE 91 B5 A1 10 01 F0 24




----------------------------------------

** How to notarize an Apple kext (tutorial)

** https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?preferredLanguage=occ

** https://juejin.cn/post/6894059183453241357

----------------------------------------

** Your (Sam) app-specific password for Accusys Kext:  xxxx-xxxx-xxxx-xxxx  (redacted; keep it in the login keychain, which altool can read through a "@keychain:" password reference, rather than in plain-text notes)

----------------------------------------

**

** Preparation before notarizing

**

1.  First upgrade the Apple ID to two-factor authentication.

2.  In the Apple ID account's Security section, add an APP-SPECIFIC PASSWORD.

    This is the password used for notarization; altool does not accept the Apple ID's own account password once two-factor authentication is on.



*******************************************************************

**  Select the Xcode to use (xcode-select -s needs root)

##  sudo xcode-select -s /path/to/Xcode13.app

*******************************************************************

EX.

# sudo xcode-select -s /Applications/Xcode-13beta2.app/



*******************************************************************

** Add a secure timestamp to the kext signature

## codesign --timestamp -f -s "Developer ID Application: xxxx (xxxxx)" xxx.kext

*******************************************************************

EX.

# codesign --timestamp -f -s "Developer ID Application: User" ACS6x.kext

The second form does the same re-sign but also sets the hardened-runtime flag (the same flag applied to the GUI server binary in the next section):

codesign -s "Developer ID Application: User" --options runtime -f --timestamp ACS6x.kext

Verification:

# codesign -dvvv ACS6x.kext

Without --timestamp the output shows "Signed Time=Jul 15, 2021 at 3:24:24 PM" (the local clock, which proves nothing about when the signature was made);

after re-signing it shows "Timestamp=Jul 15, 2021 at 3:35:21 PM", a secure timestamp countersigned by Apple's timestamp authority, which is what the notary service requires.



*******************************************************************

** Add the hardened-runtime flag (here to the DtrGuiSrv01_64 executable)

## codesign --options=runtime --timestamp -f -s "Developer ID Application: xxxx (xxxxx)" DtrGuiSrv01_64

*******************************************************************


*******************************************************************

** Create a ZIP archive suitable for notarization (use ditto: --keepParent keeps the bundle's top-level directory in the archive, and ditto preserves the Mac-specific metadata).

## /usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"

*******************************************************************

EX.

# ditto -c -k --keepParent /Users/accusys/Desktop/ACS6x.kext /Users/accusys/Desktop/ACS6x.kext.zip



*******************************************************************

** Notarize the kext

## xcrun altool --notarize-app -f Source_path \

## --primary-bundle-id  "User_define_ID" (chosen by you; it only labels the submission, e.g. to tell versions apart, and need not match the kext's CFBundleIdentifier)

## -u "Apple ID" -p "the app-specific password created for the Apple ID above"

## On success you get a RequestUUID; wait about 15 minutes, then use the query commands below to confirm the status.

## Note: altool's --notarize-app / --notarization-info / --notarization-history were retired by Apple on 1 November 2023; Xcode 13 and later include notarytool (xcrun notarytool submit --wait), which uploads and waits for the result in one step.

*******************************************************************

EX.

#xcrun altool --notarize-app -f /Users/accusys/Desktop/ACS6x.kext.zip \

--primary-bundle-id "com.Accusys.driver.368Intel" \

-u "User" -p "User"


Cmd Reply:

No errors uploading '/Users/accusys/Desktop/ACS6x.kext.zip'.

RequestUUID = 2b945190-d915-48ae-99c9-526235a7d8ec



*******************************************************************

** Check notarization status: list all submissions

## xcrun altool --notarization-history 0 --username "xxxx" --password "xxxx" 

*******************************************************************

EX.

# xcrun altool --notarization-history 0 -u "User" -p "User"


Cmd Reply:

Notarization History - page 0


Date                      RequestUUID                          Status  Status Code Status Message   

------------------------- ------------------------------------ ------- ----------- ---------------- 

2021-07-12 09:02:10 +0000 81a4299c-66d1-4016-907b-0bf53eb4432b invalid 2           Package Invalid  

2021-07-12 08:47:31 +0000 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066 success 0           Package Approved 


Next page value: 1626079651000



*******************************************************************

** Check notarization status: details of one RequestUUID

## xcrun altool --notarization-info "Request UUID" -u "APPLE ID" -p " App password"

## Note the LogFileURL: whether the result is success or invalid, the developer_log.json it points to lists every check and any issues found, so it is where to look for the reason behind "Package Invalid".

*******************************************************************

EX1.

sh-3.2# xcrun altool --notarization-info 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066 -u "User" -p "User"

No errors getting notarization info.


          Date: 2021-07-12 08:47:31 +0000

          Hash: c3d9426297775094427e026e2fb9f423d3322dc3f79846d28deebf378fcc8813

    LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma115/v4/a7/b1/8c/a7b18cd7-dc24-0bb3-bfd0-de9ca3b701b6/developer_log.json?accessKey=1626295600_6591354106415281256_xhl7DLpqT8rtDFSq3EAx1og5tezk43VkktZ87vI%2Ba4sID7bwj7vc%2FhH9mECv7fpFMn2wp1au4z1CKOHXQ1uY91Fin%2BIEQyjF9U3dBC%2FvN18NM%2FnTVecPeyLzkRVtqpH%2B%2BfTjF4liBudo8Nuyc7V6RBOVIG8m7exygsN7PdOvQxY%3D

   RequestUUID: 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066

        Status: success

   Status Code: 0

Status Message: Package Approved


EX2.

sh-3.2# xcrun altool --notarization-info 81a4299c-66d1-4016-907b-0bf53eb4432b -u "User" -p "User"

No errors getting notarization info.


          Date: 2021-07-12 09:02:10 +0000

          Hash: 88749476df828b14a4c6f2b9de0eccf2ed605565f2bf327dcf2d208988f4d19a

    LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma115/v4/53/53/e1/5353e10a-445f-1b9c-9d88-4eef3088bb0c/developer_log.json?accessKey=1626295070_8353744305349471620_keVak2QrHUsMplR%2FuUAFQ0kASGO%2BVRlE6VTIh8VTaMe1ZX5V6ztRT3r54Nj317wTzpWfF851zAsfWeoTSNWcxOiBrHhWwfgPepzgmNVfs2WKeRqPRs%2FFaxCqOHiRv6YybiKDox2GQ1MzXEGOLG0y23sS%2B6P6DxelSgKqo3ub0J8%3D

   RequestUUID: 81a4299c-66d1-4016-907b-0bf53eb4432b

        Status: invalid

   Status Code: 2

Status Message: Package Invalid



*******************************************************************

** How does Apple tell afterwards that a KEXT was notarized? One more step, stapling, attaches the ticket to the KEXT.

** Once an item has been notarized, Apple issues a "ticket" for it, which the developer can "staple" to the notarized object.

** Stapling needs network access: stapler asks Apple whether the item passed notarization and, if so, writes the ticket into the bundle.

** If the app or kext is not stapled and the Mac is online, macOS checks in with Apple's servers when the app/kext is loaded to find out whether it may run.

** If the app or kext is not stapled and the Mac is offline, macOS cannot tell whether it was notarized, treats it as un-notarized, and the load fails.

** Stapling is done with the stapler tool:

## sudo xcrun stapler staple xxxx.kext

## sudo xcrun stapler staple -v xxxx.kext   shows verbose output

*******************************************************************

EX.

# sudo xcrun stapler staple ACS6x.kext


Cmd Reply:

Processing: /Users/Accusys/Desktop/ACS6x.kext

The staple and validate action worked!



*******************************************************************

** Verify that xxxxx.kext has been stapled

## sudo xcrun stapler validate xxxxx.kext

## sudo xcrun stapler validate -v xxxxx.kext   shows verbose output

*******************************************************************

EX.

# sudo xcrun stapler validate ACS6x.kext


Cmd Reply:

The validate action worked!
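The sign, zip, submit, poll and staple steps above chained into one script. This is an added example, not code from the original post or from Accusys: the signing identity, Apple ID, keychain item name AC_PASSWORD and script name are placeholders, the altool replies embedded at the bottom are constructed from the formats captured on the page, and the xcrun steps only run on macOS with Xcode 13.

```shell
#!/bin/sh
# Added example (not from the original post, not Accusys code): the page's
# altool workflow as one script. Sign the kext with a secure timestamp, zip it
# with ditto, submit, poll --notarization-info until a terminal status, then
# staple and validate. Identity, Apple ID, keychain item and bundle id are
# placeholders; the parsers are exercised on constructed altool output.

IDENTITY="Developer ID Application: User"    # placeholder signing identity
APPLE_ID="sam@example.com"                   # placeholder Apple ID
BUNDLE_ID="com.Accusys.driver.368Intel"      # tracking id used on the page
PASSWORD_REF="@keychain:AC_PASSWORD"         # app-specific password, read from the keychain
# One-time setup on macOS, so the password never sits in a script or shell history:
#   xcrun altool --store-password-in-keychain-item AC_PASSWORD -u "$APPLE_ID" -p "xxxx-xxxx-xxxx-xxxx"

# --- parsers for altool output --------------------------------------------

# Print the RequestUUID from `altool --notarize-app` output; fail if absent.
extract_request_uuid() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9a-fA-F-]\{36\}\).*/\1/p' |
        head -n 1 | grep .
}

# Print the "Status:" value (success / invalid / in progress) from
# `altool --notarization-info` output. "Status Code:" and "Status Message:"
# do not match because the colon must follow "Status" directly.
parse_status() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Print the LogFileURL (the developer_log.json that explains a rejection).
parse_log_url() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*LogFileURL:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# --- macOS-only steps -----------------------------------------------------

sign_and_zip() {              # $1 = path/to/ACS6x.kext; prints the zip path
    kext=$1; zip="$1.zip"
    codesign --timestamp -f -s "$IDENTITY" "$kext"
    # A secure timestamp shows up as "Timestamp=" (not "Signed Time=") in -dvvv.
    codesign -dvvv "$kext" 2>&1 | grep -q '^Timestamp=' ||
        { echo "no secure timestamp on $kext" >&2; return 1; }
    /usr/bin/ditto -c -k --keepParent "$kext" "$zip"
    printf '%s\n' "$zip"
}

submit() {                    # $1 = zip; prints the RequestUUID
    out=$(xcrun altool --notarize-app -f "$1" --primary-bundle-id "$BUNDLE_ID" \
          -u "$APPLE_ID" -p "$PASSWORD_REF" 2>&1) || true
    extract_request_uuid "$out" || { printf '%s\n' "$out" >&2; return 1; }
}

wait_for_result() {           # $1 = RequestUUID; 0 = approved, 1 = invalid, 2 = gave up
    tries=0
    while [ "$tries" -lt 30 ]; do      # 30 x 60 s; the page observed ~15 minutes
        info=$(xcrun altool --notarization-info "$1" -u "$APPLE_ID" -p "$PASSWORD_REF" 2>&1) || true
        case "$(parse_status "$info")" in
            success) return 0 ;;
            invalid) echo "rejected; read $(parse_log_url "$info")" >&2; return 1 ;;
            *)       sleep 60; tries=$((tries + 1)) ;;
        esac
    done
    return 2
}

staple_and_validate() {       # $1 = path/to/ACS6x.kext
    xcrun stapler staple "$1" && xcrun stapler validate "$1"
}

# Constructed sample replies, modelled on the ones captured on the page.
SAMPLE_UPLOAD='No errors uploading "/Users/accusys/Desktop/ACS6x.kext.zip".
RequestUUID = 2b945190-d915-48ae-99c9-526235a7d8ec'
SAMPLE_INFO_OK='No errors getting notarization info.

          Date: 2021-07-12 08:47:31 +0000
    LogFileURL: https://example.invalid/developer_log.json
   RequestUUID: 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066
        Status: success
   Status Code: 0
Status Message: Package Approved'
SAMPLE_INFO_BAD='No errors getting notarization info.

          Date: 2021-07-12 09:02:10 +0000
    LogFileURL: https://example.invalid/developer_log.json
   RequestUUID: 81a4299c-66d1-4016-907b-0bf53eb4432b
        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

# Full run only when invoked as:  sh notarize-kext.sh run /path/to/ACS6x.kext
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    zip=$(sign_and_zip "$2") && uuid=$(submit "$zip") &&
        wait_for_result "$uuid" && staple_and_validate "$2"
fi
```

Run as `sh notarize-kext.sh run /path/to/ACS6x.kext`; with no arguments the script only defines the functions and the constructed samples, so the parsers can be checked on a machine without Xcode or Apple access. The three parsers are the part worth testing: a CI job that misreads "invalid" as "in progress" will poll forever, and one that greps "Status" loosely will pick up "Status Code: 0" instead.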



*******************************************************************

** Gatekeeper assessment of an app's notarization

## spctl -a -v xxxx.app

*******************************************************************

** Gatekeeper assessment of a pkg

## spctl -v -a --type install xxx.pkg

## Gatekeeper assesses the item the user actually opens. A notarized, stapled kext inside a package does not make the package notarized: the package itself has to be submitted (the notary service inspects its payload as well) and stapled, otherwise the result is "source=Unnotarized Developer ID" as in EX2 below.

*******************************************************************

EX1.

sh-3.2#  spctl -v -a --type install R_MacDrv_V6.2.16.pkg 

R_MacDrv_V6.2.16.pkg: accepted

source=Notarized Developer ID


EX2.

sh-3.2#  spctl -v -a --type install Accusys_Mac_BigSur_3.7.1s.mpkg/

Accusys_Mac_BigSur_3.7.1s.mpkg/: rejected

source=Unnotarized Developer ID
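The pkgutil check from the first section and the spctl assessment from EX1/EX2 above, combined into a release gate: it refuses to ship a package unless the leaf certificate is a "Developer ID Installer" certificate and Gatekeeper reports "Notarized Developer ID". This is an added example, not code from the original post or from Accusys; the sample pkgutil and spctl replies are constructed from the formats shown on the page (fingerprints omitted, and the Installer-signed variant is invented for contrast), and the live pkgutil/spctl calls only run on macOS.

```shell
#!/bin/sh
# Added example (not from the original post, not Accusys code): a release gate
# over `pkgutil --check-signature` and `spctl -a -v --type install` output.
# The tool calls run only on macOS; the parsers are exercised on constructed
# output in the formats captured on the page.

# Classify `pkgutil --check-signature` output:
#   unsigned    "Status: no signature"
#   installer   trusted chain whose leaf (entry 1.) is a Developer ID Installer cert
#   wrong-cert  trusted chain, but the leaf is some other cert (e.g. Developer ID
#               Application: pkgutil accepts it, Gatekeeper's install policy does not)
#   untrusted   anything else (self-signed, expired, revoked, ...)
pkg_signature_class() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Status: no signature'; then
        echo unsigned; return
    fi
    if ! printf '%s\n' "$out" | grep -q 'Status: signed by a certificate trusted by macOS'; then
        echo untrusted; return
    fi
    leaf=$(printf '%s\n' "$out" |
           sed -n 's/^[[:space:]]*1\. \(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1)
    case "$leaf" in
        "Developer ID Installer:"*) echo installer ;;
        *)                          echo wrong-cert ;;
    esac
}

# First line of `spctl -a -v --type install`: "<path>: accepted" or "<path>: rejected".
spctl_verdict() {
    printf '%s\n' "$1" | sed -n 's/^.*: \([a-z]*\)$/\1/p' | head -n 1
}

# The "source=..." line: "Notarized Developer ID", "Unnotarized Developer ID", ...
spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# $1 = pkgutil output, $2 = spctl output. 0 = ship, 1 = block (reason on stderr).
release_gate() {
    cls=$(pkg_signature_class "$1")
    [ "$cls" = installer ] ||
        { echo "BLOCK: package signature is '$cls', need Developer ID Installer" >&2; return 1; }
    verdict=$(spctl_verdict "$2"); src=$(spctl_source "$2")
    { [ "$verdict" = accepted ] && [ "$src" = "Notarized Developer ID" ]; } ||
        { echo "BLOCK: Gatekeeper says '$verdict', source=$src" >&2; return 1; }
    echo "OK: Developer ID Installer signature, notarized"
}

# macOS only: run both tools on a real package and gate on the result.
check_package() {             # $1 = path/to/file.pkg
    release_gate "$(pkgutil --check-signature "$1" 2>&1)" \
                 "$(spctl -a -v --type install "$1" 2>&1)"
}

# Constructed samples in the formats captured on the page (fingerprints omitted).
SAMPLE_PKGUTIL_NONE='Package "Accusys_Mac_Driver_257_Beta4":
   Status: no signature'
SAMPLE_PKGUTIL_APP='Package "Accusys_Mac_Driver_257_Beta4_Sign":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Application: User
       Expires: 2023-09-08 08:17:40 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_PKGUTIL_INSTALLER='Package "R_MacDrv_V6.2.16":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: User
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_SPCTL_OK='R_MacDrv_V6.2.16.pkg: accepted
source=Notarized Developer ID'
SAMPLE_SPCTL_BAD='Accusys_Mac_BigSur_3.7.1s.mpkg/: rejected
source=Unnotarized Developer ID'

# Usage on macOS:  sh pkg-gate.sh /path/to/R_MacDrv_V6.2.16.pkg
[ "${1:-}" = "" ] || check_package "$1"
```

The gate deliberately checks both tools: pkgutil answers "is the chain trusted?", which the Application-signed .mpkg from the first section passes, while only spctl answers "will Gatekeeper let a user install this?". A package that passes pkgutil but fails spctl is exactly the case the two EX2 outputs on this page show.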




