You are right, Bernhard, that it's weird. I found an issue where I can reproducibly segfault Apple's codesign!
Ian, maybe hold off on anything drastic re symlinks until I do some more experimentation. It's possible the question was relayed incorrectly at WWDC and our setup could work fine... Adam On Mon, Feb 3, 2020, 10:00 AM Adam Wolf <adamw...@feelslikeburning.com> wrote: > Alright folks, based on this conversation I have at least one or two more > tests to do regarding symlinks. > > Second, I'll do some investigating to see what Apple has changed with > notarization today. If we see users having issues, we can assure them that > we're working on it. > > Third, I'll update the kicad-macos-builder issue re ngspice bundling so > Holger can take a look. > > I'll send Holger an email offlist, and expect an update on list in about a > week. > > Thanks everyone! I want to be able to say this stuff is all handled > before KiCon 2020 :) > > Adam Wolf > > > > > On Mon, Feb 3, 2020 at 9:52 AM Adam Wolf <adamw...@feelslikeburning.com> > wrote: > > > > I think `kicad --eeschema` would fix this part of the > > notarization/signing issue, Ian. > > > > I share Bernhard's concern about letting it work from the GUI too. > > > > I wish I knew Apple's long term plans here. Can we continue to work > > on signing and notarization as a low priority thing, or is the next > > version of MacOS going to block us from running at all? > > > > > > On Mon, Feb 3, 2020 at 9:27 AM Bernhard Stegmaier > > <stegma...@sw-systems.de> wrote: > > > > > > Theoretically yes, I guess. > > > From cmdline it probably would solve the problem and the links > together with those standalone-apps could be removed. > > > > > > But, from a non-cmdline user perspective: > > > Is there a way to “wrap” (?) this call to main kicad.app with some > parameter into a nice icon that just looks like a “normal” pcbnew/… app? > > > > > > > > > Regards, > > > Bernhard > > > > > > On 3. Feb 2020, at 15:51, Ian McInerney <ian.s.mciner...@ieee.org> > wrote: > > > > > > Adam (et al.), > > > > > > If you didn't have to package the single top executable (e.g. > eeschema, pcbnew) would this allow you to remove the symlinks? We have been > discussing adding command line flags to the main kicad executable to launch > the various frames as standalone (e.g. `kicad --eeschema` would launch a > standalone eeschema instance instead of the manager frame), so then we > wouldn't have to actually have the single top executables for those anymore. > > > > > > Would that fix your issue? > > > > > > Thanks, > > > -Ian > > > > > > On Mon, Feb 3, 2020 at 2:12 PM Bernhard Stegmaier < > stegma...@sw-systems.de> wrote: > > >> > > >> Hi Adam, > > >> > > >> I am also no fan of the symlinks, but having a different approach will > > >> be probably some work. > > >> > > >> > I had someone ask if what we do would work during WWDC and I was > told > > >> > it would not work. I consistently get "the signature is invalid" > when > > >> > signing while we have symlinks, and when I remove the symlinks and > > >> > just sign KiCad.app this error goes away. > > >> > > >> I don't doubt that the symlinks in the DMG don't work. > > >> What you explained is exactly what I had in mind: > > >> (1) Sign *only* kicad.app as is. No complete DMG with symlinks or > > >> whatever. > > >> (2) Create DMG with previously signed kicad.app and symlinks, > libraries > > >> and whatever you put into. Don't try to notarize this DMG, DMG is just > > >> a container. > > >> > > >> Doesn't that work? > > >> kicad.app is signed and the DMG should just acts as some kind of zip > > >> file then... ? > > >> > > >> If the problem is putting the signed kicad.app into a (unsigned) DMG, > > >> maybe just distributing via .zip would be also a viable way meanwhile? > > >> Many other applications also do this... > > >> > > >> > > >> Regards, > > >> Bernhard > > >> > > >> Am 3.2.2020 14:46, schrieb Adam Wolf: > > >> > Bernhard, > > >> > > > >> > I have no personal vendetta against the symlinks. > > >> > > > >> > I had someone ask if what we do would work during WWDC and I was > told > > >> > it would not work. I consistently get "the signature is invalid" > when > > >> > signing while we have symlinks, and when I remove the symlinks and > > >> > just sign KiCad.app this error goes away. > > >> > > > >> > I am not sure if Apple gives themselves special entitlements that > mere > > >> > mortals don't get. I'm not sure if I'm just not able to get it to > > >> > work. > > >> > > > >> > Nothing I have done so far relies on the symlinks going away, so if > > >> > you think you can make it work, please let me know. > > >> > > > >> > My personal suggestion for working around the symlinks issue was not > > >> > to just copy things, but rather just have a single KiCad.app that > > >> > would open itself in different ways of given a different type of > file, > > >> > but others on the bug tracker preferred trying to copy things first. > > >> > > > >> > Frankly, it's exhausting spending all this time on things that users > > >> > don't see, when there are so many interesting fun things we could be > > >> > working on instead. > > >> > > > >> > In terms of what I am signing and notarizing, I have tried signing > and > > >> > notarizing the app, the dmg, all the apps, basically every > > >> > combination. Apple's rules are extremely fickle here, and you could > > >> > even notarize unsigned things. They explicitly say the rules about > > >> > what you can notarize are hidden from developers! > > >> > > > >> > Adam > > >> > > > >> > On Mon, Feb 3, 2020, 1:08 AM Bernhard Stegmaier > > >> > <stegma...@sw-systems.de> wrote: > > >> > > > >> >> Hi Adam, > > >> >> > > >> >> I still don’t get it: > > >> >>> Our current > > >> >>> strategy of symlinking into the kicad.app bundle does not work > > >> >> with > > >> >>> macOS signing. > > >> >> > > >> >> Xcode has e.g. Instruments application in > > >> >> Xcode.app/Contents/Applications/Instruments.app > > >> >> If I symlink it (for example) to > > >> >> /Applications/Instruments.app > > >> >> It runs without any complaints when started via the symlink. > > >> >> > > >> >> What do you notarize? > > >> >> The overall dmg with the symlink? > > >> >> Have you already tried to only notarize kicad.app (no dmg, no > > >> >> symlinks) and put it into the dmg with symlinks afterwards? > > >> >> Another quick fix could be some script that can be run to create > the > > >> >> symlinks on user machine? > > >> >> > > >> >> A simple copy of the apps won’t work. > > >> >> You need to change everything wrt shared libraries in KiCad code > and > > >> >> cmake script. > > >> >> > > >> >> In the end, you will duplicate all libraries and support stuff. > > >> >> Probably not a big deal for eeschema and the other small apps, but > I > > >> >> guess for pcbnew. > > >> >> Means duplicating all the python, nags-ice, etc. stuff. > > >> >> And also, all stuff like templates, scripts, etc. > > >> >> Users shouldn’t fiddle around in the .app, but could get really > > >> >> messy if they now put (template, python, spice?) stuff in kicad.app > > >> >> or pcbnew.app and then something doesn’t work in one or the > > >> >> other... > > >> >> > > >> >> Regards, > > >> >> Bernhard > > >> >> > > >> >>> On 3. Feb 2020, at 02:00, Adam Wolf > > >> >> <adamw...@feelslikeburning.com> wrote: > > >> >>> > > >> >>> Hi folks! > > >> >>> > > >> >>> Apple is changing how the lack of notarization looks like to users > > >> >> on > > >> >>> Catalina starting tomorrow. It is not clear what will happen when > > >> >>> folks download new versions of KiCad after tonight. > > >> >>> > > >> >>> For the past two months I've been working hard--I've got a tech > > >> >> demo > > >> >>> locally here that has signatures and notarization on macOS, but > > >> >> it's > > >> >>> not ready for primetime. For instance, I have removed the other > > >> >> .apps > > >> >>> and just have kicad.app. There's changes I made to kicad that > > >> >>> probably belong in kicad-mac-builder--and, well, let's just say > > >> >> it's a > > >> >>> tech demo :) > > >> >>> > > >> >>> The main things that remain are: > > >> >>> 1) Figure out a good solution for the symlinked .apps. Our > > >> >> current > > >> >>> strategy of symlinking into the kicad.app bundle does not work > > >> >> with > > >> >>> macOS signing. I think the current contender is to copy instead > > >> >> of > > >> >>> symlink. I am not sure how much extra space that will take up but > > >> >>> it's a good try. This is definitely something I can do, but since > > >> >>> it's something that can be done on its own, it's a prime contender > > >> >> for > > >> >>> someone looking to help out. > > >> >>> > > >> >>> 2) Another issue is that there are strict rules about where in the > > >> >>> bundle code, data, and executable non-Mach-O files live. For > > >> >>> instance, one of the signing blockers is ngspice, because it > > >> >> mingles > > >> >>> scripts and Mach-O binaries and then we put them in > > >> >> Contents/Plugins. > > >> >>> For more details, see > > >> >>> > > >> >> > > >> > > https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG201 > . > > >> >>> The big change for KiCad itself is where the Python scripts are > > >> >>> stored--I've fixed this in my branch, but now I have to go through > > >> >> and > > >> >>> audit and fixup our partner packages, like OCE/OCC and ngspice. > > >> >> If > > >> >>> you want to help with this, it's going to be a big job but I'm > > >> >> willing > > >> >>> to put in the time to teach if you're willing to put in the time > > >> >> to > > >> >>> learn :) > > >> >>> > > >> >>> I was really hoping I could get this done before Apple turned up > > >> >> the > > >> >>> enforcement on notarization, but that's going to happen. After > > >> >>> tomorrow, it'll be clearer what Apple is doing. There might be > > >> >> some > > >> >>> quick changes to make that will improve things for our users > > >> >> without > > >> >>> getting all of this done. > > >> >>> > > >> >>> Adam Wolf > > >> >>> > > >> >>> _______________________________________________ > > >> >>> Mailing list: https://launchpad.net/~kicad-developers > > >> >>> Post to : kicad-developers@lists.launchpad.net > > >> >>> Unsubscribe : https://launchpad.net/~kicad-developers > > >> >>> More help : https://help.launchpad.net/ListHelp > > >> > > >> _______________________________________________ > > >> Mailing list: https://launchpad.net/~kicad-developers > > >> Post to : kicad-developers@lists.launchpad.net > > >> Unsubscribe : https://launchpad.net/~kicad-developers > > >> More help : https://help.launchpad.net/ListHelp > > > > > > >
_______________________________________________ Mailing list: https://launchpad.net/~kicad-developers Post to : kicad-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~kicad-developers More help : https://help.launchpad.net/ListHelp
