[PD-dev] How to create an unsigned Pd.app?

Dan Wilcox danomatika at gmail.com
Wed Jun 10 14:41:35 CEST 2020


Howdy Roman,

> On Jun 10, 2020, at 12:00 PM, pd-dev-request at lists.iem.at wrote:
> 
> Message: 1
> Date: Wed, 10 Jun 2020 10:46:16 +0200
> From: Roman Haefeli <reduzent at gmail.com>
> To: pd-dev <pd-dev at lists.iem.at>
> Subject: [PD-dev] How to create an unsigned Pd.app?
> Message-ID: <a29f644f7d58e842bf91e05bb7909bb136346698.camel at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi all
> 
> I only loosely followed the discussion about how apps for upcoming
> macOS versions need to be signed and notarized to run without warnings.
> 
> It seems the official builds for macOS distributed by Miller are
> signed. Also, when I do 'make app' I seem to get a signed Pd.app. Is
> there an easy way to build an unsigned Pd.app?

<gripe>It was hard enough to test & fix this, of course someone *doesn't* want it to be done. :P</gripe>

If you want to experiment, just comment the code sign section at the end of mac/osx-app.sh. This will disable adhoc signing and notarization.

But...You *have* to sign it with *something* for 10.15 or it will be even worse: loading every older external will be blocked and have to be manually loaded.

> I got complaints from people that installing netpd is hard and
> convoluted. I am now trying to build a netpd.app based on Pd.app that
> includes netpd and externals. I got it working so far, but when it is
> downloaded through a browser, it triggers a pop up saying "This app is
> damaged and cannot be opened" (translated from German). I can remove
> the com.apple.quarantine attribute with:
> 
> xattr -d com.apple.quarantine netpd-2.2.app
> 
> and then it runs fine, but having to use the terminal to make it work
> defeats the purpose of the whole exercise.

As you noted, Miller's Pd.app is now signed. It's just a fake adhoc signing (certificate name "-") which doesn't require an account or actual signing certificate.

You could essentially copy all of your netpd files into a copy of Pd.app, then re-sign everything yourself. That should at least get you to the same point as Miller's original download from a user perspective, i.e. Right-click + Open, then good after that. You may need to sign some deeper stuff like frameworks manually before signing the whole bundle. This is what we needed to add to sign the Tcl & Tk frameworks to solve the latest issue. Again, look at the end of mac/osx-app.sh.

> I am actually only assuming the "damaged" pop-up is caused by a
> signature that I render invalid by manipulating it. Maybe I do
> something wrong that is totally unrelated. The signature thing just
> seemed the most likely reason.

"Damaged" is used whenever there is an issue with an app bundle, be it a missing/unreadable Info.plist, incorrect dir layout, or security issue. Use codesign to print out the existing signing info (I forget the codesign args, it's searchable).

--------
Dan Wilcox
@danomatika <http://twitter.com/danomatika>
danomatika.com <http://danomatika.com/>
robotcowboy.com <http://robotcowboy.com/>
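
The re-signing order described in the message above (nested frameworks first, the whole bundle last) followed by a codesign check, as an added example that is not part of the original message and not the contents of mac/osx-app.sh. The function names and the CODESIGN override are assumptions made for illustration; the codesign options are the tool's standard ones.

```shell
#!/bin/bash
# Added example: ad-hoc re-sign a modified .app bundle, inner code first.
# CODESIGN can be overridden (e.g. CODESIGN=echo) to preview the commands
# without touching the bundle.
CODESIGN="${CODESIGN:-codesign}"

# List nested frameworks and dylibs, deepest paths first, so that inner code
# is sealed before the code that contains it.
nested_code() {
    app="$1"
    [ -d "$app/Contents/Frameworks" ] || return 0
    find "$app/Contents/Frameworks" \
        \( -name '*.framework' -o -name '*.dylib' \) -print |
        awk '{ print gsub("/", "/") "\t" $0 }' | sort -rn | cut -f2-
}

adhoc_sign_bundle() {
    app="$1"
    # A missing Info.plist is one of the causes of the "damaged" dialog.
    [ -f "$app/Contents/Info.plist" ] || {
        echo "not an app bundle: $app" >&2
        return 1
    }
    nested_code "$app" | while IFS= read -r item; do
        $CODESIGN --force --sign - "$item" || exit 1
    done || return 1
    # Sign the outer bundle last; "-" selects the ad-hoc identity.
    $CODESIGN --force --sign - "$app" || return 1
    # Check the seal, then print the resulting signing information.
    $CODESIGN --verify --deep --strict "$app" || return 1
    $CODESIGN --display --verbose=4 "$app"
}
```

On macOS, `adhoc_sign_bundle netpd-2.2.app` performs the signing; `CODESIGN=echo` prints the commands in the order they would run.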


