Bug 84352

Summary: Code signing broken by OSX 10.9.5
Product: LibreOffice
Reporter: Matthew Francis <fdbugs>
Component: Libreoffice
Assignee: Not Assigned <libreoffice-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: highest
CC: arneandmarj, cloph, fdbugs, freedesktop.org, iplaw67, nthiebaud, qubit, ryanmfuchs, sebastiaanlokhorst, tml, vstuart.foote
Version: unspecified   
Hardware: Other   
OS: Mac OS X (All)   
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=81916
Whiteboard:
Bug Depends on:    
Bug Blocks: 75025    

Description Matthew Francis 2014-09-26 05:49:46 UTC
Since installing OSX 10.9.5, all existing release LibreOffice builds fail Gatekeeper verification (i.e. won't run unless security is relaxed to "Allow apps downloaded from: Anywhere" in System Preferences – Security & Privacy)

A version 2 signature seems to now be a hard requirement


(e.g. for 4.3.2.2:)

$ spctl -a -t exec -vv /Applications/LibreOffice.app/
/Applications/LibreOffice.app/: rejected
source=obsolete resource envelope
origin=Developer ID Application: The Document Foundation

$ codesign -dvvv /Applications/LibreOffice.app/
Executable=/Applications/LibreOffice.app/Contents/MacOS/soffice
Identifier=org.libreoffice.script.LibreOffice
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=203 flags=0x0(none) hashes=3+3 location=embedded
Hash type=sha1 size=20
CDHash=76025406daa78d5fdd8b54881363b1ec08e770b7
Signature size=8531
Authority=Developer ID Application: The Document Foundation
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=19 Sep 2014 02:43:48
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources version=1 rules=5 files=0
Internal requirements count=1 size=196
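
Added example, not part of the original report or of LibreOffice's build scripts: a shell check a release pipeline could run over `codesign -dvvv` output to catch a version 1 resource envelope before shipping. It assumes the `Sealed Resources version=` field shown above is what distinguishes the two formats; the function names and both sample strings are constructed for illustration.

```shell
#!/bin/sh
# On macOS, codesign writes its report to stderr, so pipe it like this:
#   codesign -dvvv /Applications/LibreOffice.app 2>&1 | classify_signature

# Print the "Sealed Resources" envelope version, or "none" if the line is absent.
sealed_resources_version() {
    awk '/^Sealed Resources / {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^version=/) { sub(/^version=/, "", $i); v = $i }
         }
         END { print (v == "" ? "none" : v) }'
}

# Read a codesign report on stdin, print a verdict, and return 0 only when
# the resource envelope is version 2 or later (1 = obsolete, 2 = unparseable).
classify_signature() {
    v=$(sealed_resources_version)
    case "$v" in
        none) echo "no sealed resources line found"; return 2 ;;
        *[!0-9]*) echo "unparseable version: $v"; return 2 ;;
    esac
    if [ "$v" -ge 2 ]; then
        echo "resource envelope v$v"
        return 0
    fi
    echo "resource envelope v$v (obsolete, re-sign needed)"
    return 1
}

# Constructed sample: the relevant lines from the report in this bug.
SAMPLE_V1='Identifier=org.libreoffice.script.LibreOffice
CodeDirectory v=20100 size=203 flags=0x0(none) hashes=3+3 location=embedded
Sealed Resources version=1 rules=5 files=0'

# Constructed sample: hypothetical report for a v2-signed bundle (made-up values).
SAMPLE_V2='Identifier=org.example.App
Sealed Resources version=2 rules=12 files=100'
```
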
Comment 1 Alex Thurgood 2014-09-26 10:37:52 UTC
Cannot confirm with existing installations of LO 4242, or 4142. My Gatekeeper settings are MacAppStore and identified developers
Comment 2 Alex Thurgood 2014-09-26 10:40:01 UTC
When I first launch each app, I have to open the Applications folder, RMB to open, then confirm - perhaps that is what you mean in effect? But I only have to do this once.
Comment 3 Alex Thurgood 2014-09-26 10:49:00 UTC
Also works for me with 4312
Comment 4 Alex Thurgood 2014-09-26 11:13:06 UTC
An attempted launch after update from 4312 to 432 fails with "unidentified developer message"

Confirming, but workaround still valid
Comment 5 Matthew Francis 2014-09-29 11:16:00 UTC
*** Bug 84457 has been marked as a duplicate of this bug. ***
Comment 6 V Stuart Foote 2014-10-01 14:46:46 UTC
Given OP and Alex T's comments moving this over to bug 75025 as a mab4.3 item.
Comment 7 V Stuart Foote 2014-10-01 18:58:22 UTC
@Robinson, Cloph, *,

This looks to need attention for the release engineering workflow for the OSX builds:

https://developer.apple.com/library/prerelease/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205
Comment 8 Norbert Thiebaud 2014-10-10 13:07:16 UTC
So....

Apple introduced a v2 codesigning, that came with additional rules and restrictions wrt to the Libreoffice.app/ layout

These changes were done on master, the future 4.4 but are not trivial and carry a real risk of causing hard failure, since we had to move the locations of some very basic components, and it is quite possible that in some obscure corner of the product something is making a wrong assumption as to where these things are.

So this kind of patch is not a good candidate for a .4 release of a stable branch.

On the other hand.. the lack of v2 signature is annoying but fairly easily worked-around. and the annoyance is a 1-time issue per new install. (and no you do not need to set permanently the 'allow app downloaded from Anywhere' in gatekeeper, all that is needed is, the first time you run Libreoffice to launch it with right-click on the icon and select Open... then confirm you want to open it, when gatekeeper whines about signature)


So at this point we will leave libreoffice-4-3 as is wrt to signature and the future version 4.4 will support v2 signature.
Comment 9 Adolfo Jayme 2014-12-21 17:41:56 UTC
*** Bug 87546 has been marked as a duplicate of this bug. ***
Comment 10 Julien Nabet 2015-01-02 21:25:03 UTC
*** Bug 87979 has been marked as a duplicate of this bug. ***
