https://github.com/osquery/osquery logo
Join Slack
Powered by
Im having an issue when attempting to sign and not...
# fleet
a
Im having an issue when attempting to sign and notarize a mac fleetdm/orbit package. The signing goes OK, but when submitting for notarization, I get the error 
The binary is not signed with a valid Developer ID certificate
for the 
orbit.pkg
. Has anyone else run into this?
k
Can you run 
security find-identity -v
to verify the existence of the local installer certificate?
a
yes. I did that, confirmed I have the correct one
I generated without notarization, and the cert is valid on the installer
I think the problem is that the internal orbit package or binary is not signed
r
how are you signing the package? are you using 
fleetctl
's flags 
--notarize
and 
--sign-identity
? or other method?
a
with fleetctl
using those flags
r
thanks! are you able to share the exact command you're using with any sensitive information redacted?
a
Copy code
AC_USERNAME=$AC_USERNAME AC_PASSWORD=$AC_PASSWORD ./fleetctl package --type=pkg  --fleet-url=<https://my_fleetserver.com> --enroll-secret=secret --sign-identity ID_FOR_DEVELOPER_ID_INSTALLER_CERT --orbit-channel=1.5.0 --verbose --notarize
Notarization log from apple:
Copy code
{
  "logFormatVersion": 1,
  "jobId": "unique-id",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "orbit.pkg",
  "uploadDate": "2023-06-22T20:18:57Z",
  "sha256": "c1413405ebf682767cebf52c0e59c6b514837f21193996008d8d1eb478ca8e44",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "orbit.pkg",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "<https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721>",
      "architecture": null
    }
  ]
}
This happened when I used the latest orbit channel as well
r
what is weird to me, and the reason I asked for the full command, is that the file 
fleetctl
generates is called 
fleet-osquery.pkg
, not 
orbit.pkg
🤔 , so it makes me wonder if something else is going on could you please share your 
fleetctl --version
?
a
latest
just downloaded this morning
Thats what is weird to me as well.... I tried doing it manually, and in tht case, it said that 
fleet-osquery.pkg
is invalid, not 
orbit.pkg
can you give it a shot on your end? im wondering if there is an issue with my machine
r
yeah, absolutely. Give me a few mins
a
whats weird is that I copied the orbit bin to another directory while the pkg was being built, and that bin is signed with a valid cert from fleet
I dont know why the apple notarization system doesnt like it
r
sorry for the delay! I was able to sign and notarize a package without problems 🤔 . I also figured out the mysterious 
orbit.pkg
file, it's a temporary file we use, later it gets renamed to 
fleet-osquery.pkg
, so nothing is wrong there.
Copy code
~/fleet $ fleetctl package --type=pkg --fleet-desktop --fleet-url=<https://dogfood.fleetdm.com> --enroll-secret=REDACTED --sign-identity REDACTED --notarize
Generating your osquery installer...
    Submitting file for notarization...
    Submitted. Request UUID: ce66b4bd-776e-440b-abf7-55e061e2b854
    Waiting for results from Apple. This can take minutes to hours.
    Status: in progress
    Status: success

Success! You generated an osquery installer at /Users/roperzh/fleet/fleet-osquery.pkg

To add this device to Fleet, double-click to open your installer.

To add other devices to Fleet, distribute this installer using Chef, Ansible, Jamf, or Puppet. Learn how: <https://fleetdm.com/docs/using-fleet/adding-hosts>
some thoughts: 1. this is a long shot, but I had to go to the apple developer portal and accept the new terms and conditions, could you double check if you need to do the same? 2. do you know the app Suspicious Package? can you generate a package without 
--notarize
and open it in the app? do you see any warnings? 3. could you try manually signing and notarizing the package? a. run the 
fleetctl
command as usual but without the 
--notarize
and 
--sign-identity
flags b. sign the package with: 
productsign --sign "Developer ID Installer: $DEVID_INFO" fleet-osquery.pkg fleet-osquery-signed.pkg
c. notarize with: 
xcrun altool --notarize-app --username $AC_USERNAME --password $AC_PASSWORD --file fleet-osquery-signed.pkg --primary-bundle-id com.fleetdm.orbit
a
Ive tried doing it manually, that didnt work
what is suspicious package?
r
gotcha, would that suggest that maybe it's a problem with your developer ID? suspicious package is the app I linked above, it gives you information about 
pkg
files (screenshot attached of what I see for the 
fleet-osquery.pkg
file I just generated)
a
suspicious package comes up clean. says its marked as trusted
how old is the cert you used to sign the pkg?
r
do you want to generate a signed package with a random enroll secret/fleet url and send it over? I can try to notarize it myself and see what happens edit: added signed
how old is the cert you used to sign the pkg?
let me check
a
im wondering if mine is too new, as I generated it few hours ago, and the notarization service doesnt know about it yet? its a bit of a long shot
r
oh yeah, mine has a few months
but yeah, that sounds like a long shot 🤔
a
Id prefer not to send over the signed package, but I really appreciate the offer, and all your help so far
r
sounds good! let me know if you figure out the problem, sounds like a problem with Apple so I don't know if there's anything else we can do, but I'm happy to help if you need anything else
a
did you have to specifically trust your installer certificate?
r
I don't think so, I added the cert to keychain as instructed by Apple, and then provided the variables as described above a dump question perhaps, but I know that the certificate has to be a "Developer ID Installer" cert (the developer portal allows you to download other types of certs). Have you double checked that? when I run 
security find-identity -v
mine says:
Copy code
1) REDACTED "Developer ID Installer: Roberto Dip (UK9WG435C6)"
I'm asking this because there are others with very similar names like "Developer ID Application"
a
Yup, I made sure to get that one
Screenshot 2023-06-22 at 7.15.12 PM.png
13 Views
Open in Slack
PreviousNext
Powered by