#macos

straffin

02/11/2020, 9:44 PM
We're packaging the osquery installer along with our own flags file and daemons in a flat package for easy manual distribution. However, with Catalina requiring notarization as of February 1, our package now won't install. We attempted notarization, but it fails on osqueryd "not hav[ing] the hardened runtime enabled." Are we going to have to build osquery ourselves to get around this, or should we expect the downloadable installers to have the hardened runtime enabled?
zwass

02/11/2020, 11:02 PM
@seph do you know anything about this?

seph

02/11/2020, 11:32 PM
Apple changed the notarization requirements. Henceforth things require more options. Even though you're using a notarized osquery, your packaging might tickle that.
11:33 PM
You probably don't need to build osquery, you probably need to resign it using the current requirements.
11:34 PM
Yes, I expect whatever we release will be notarized.
12:33 AM
Examining the 4.1.2 package, yes, the osqueryd binary is notarized. I don’t know what your process is. I would not have expected the notarization to be stripped. If you have command line driven steps, I can look over them. (But if it’s in xcode, I can’t deconstruct it)
12:35 AM
If you do need to re-notarize, you probably also need to re-sign. You should not need to rebuild.
codesign --force -s "${CODESIGN_IDENTITY}" -v --options runtime --timestamp osqueryd
will codesign it with the required options. You can then submit that for notarization, by zipping it and uploading. Something like:
zip -r o.zip osqueryd
xcrun altool \
  --username "${NOTARIZE_APPLE_ID}" \
  --password @env:NOTARIZE_APP_PASSWD \
  --asc-provider "${NOTARIZE_ACCOUNT_ID}" \
  --notarize-app --file o.zip \
  --primary-bundle-id io.osquery.osquery
(bundle id doesn’t really matter here)
12:36 AM
I did just run through that process, and was able to re-notarize the existing build:
dover:bin seph$ spctl -a -vvv -t install osqueryd 
osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Kolide Inc (YZ3EM74M78)
12:36 AM
I’ll make sure future releases get notarized, yes.

straffin

02/12/2020, 4:52 PM
Thanks for the info, @seph!
4:53 PM
(BTW, I'm perfectly willing to accept that the error here is 100% mine. The info you've given will help a great deal in figuring this out. Thanks again!)

seph

02/12/2020, 4:54 PM
Happy to help. And curious what you learn
4:55 PM
At kolide, we take the osquery binary and package it with our agent. And while I could resign, I don't.

straffin

02/12/2020, 5:11 PM
re: steps - I'm using productsign to sign a pkg that installs your pkg along with .flags, .crt, secret, and LaunchDaemon plist. (No other executables aside from the osquery.pkg and its contents). There's no "runtime" option on productsign.

seph

02/12/2020, 6:49 PM
Hrm. I know I submit the osqueryd binary for notarization, but I don’t think I ever submit the pkg.
6:49 PM
For what it’s worth, at Kolide I extract the underlying
osqueryd
binary, and re-package it into a kolide pkg

straffin

02/17/2020, 9:22 PM
Well, as part of a test, I just submitted the osquery-4.1.2.pkg. 🙂 It was approved. 😄
9:24 PM
Now that the underlying pkg is notarized, I wonder if my packages that contain it will be approved? /me goes off to test that now...

seph

02/17/2020, 9:24 PM
Could be? That would even sorta make sense. I only ever package the binaries.

straffin

02/17/2020, 9:26 PM
Looking into that more. Was trying to keep the original (kolide) pkg as untouched as possible. Stripping out the contents and stuffing them onto my own pkg is a lot of touching. 🙂 We're also looking to re-pkg other apps like this that actually have scripts that we'd not want to have to deal with...
9:27 PM
Nope... my pkg is still invalid even tho the contents are... hrm...
9:27 PM
Thanks tho! This is officially outside your realm, so I'll bother someone else. 🙂

seph

02/17/2020, 9:28 PM
If you're looking for osquery code signing it's probably still me. 😃
9:28 PM
It's a holiday here though, so I might vanish.
9:29 PM
Does the notarization error hint at stuff? It's usually pretty clear.

straffin

02/17/2020, 9:34 PM
Hmm... interesting. Even though your 4.1.2 pkg was "Accepted", it contains a warning: "The executable does not have the hardened runtime enabled."

seph

02/17/2020, 9:36 PM
Probably because it predates that requirement. The reqs changed in February

straffin

02/17/2020, 9:37 PM
But mine that contains yours is "Invalid", even tho the message is the same...
"path": "osq-test-signed.pkg/payload.pkg Contents/Payload/private/var/tmp/osquery-4.1.2.pkg/osquery-4.1.2.pkg Contents/Payload/usr/local/bin/osqueryd",
"message": "The executable does not have the hardened runtime enabled."
9:38 PM
Ah... ok. Hmmm...

seph

02/17/2020, 9:38 PM
The "Ready for distribution" is interesting

straffin

02/17/2020, 9:39 PM
How so? (I don't disagree, I just don't understand)

seph

02/17/2020, 9:39 PM
You could resign osquery, but that would mean unpacking everything
9:41 PM
(Note that I work for Kolide, but also volunteer for osquery. I made Kolide's package, and have involvement in the osquery ones. But osquery.pkg isn't a Kolide package.)

straffin

02/17/2020, 9:41 PM
(Understood. Thanks for being so helpful.)

seph

02/17/2020, 9:41 PM
I'm happy to help! (I'll be at a laptop tomorrow)

straffin

02/17/2020, 9:42 PM
👍
6:02 PM
So, back at it again today. Moved all the osquery pkg files into a new pkg and added our LaunchDaemon, cert, secret, and flags file, along with a postinstall script to kickstart the service. Signed, submitted, failed.
"path": "Duke_University_osquery_signed.pkg/Duke_University_osquery.pkg Contents/Payload/usr/local/bin/osqueryd",
"message": "The executable does not have the hardened runtime enabled."
6:04 PM
Hrm...

seph

02/18/2020, 6:05 PM
I’d recommend resigning osqueryd with appropriate flags

straffin

02/18/2020, 6:07 PM
That's what I was gonna try next. 🙂 Thanks for the confirmation that it might be a good idea.
9:24 PM
Looks like that will work once I get the proper cert from our Apple Developer Account Manager. I just have "Developer ID Installer" right now, need "Developer ID Application" to sign the app. Latest effort failed but only with a "wrong cert" error.

seph

02/18/2020, 9:28 PM
I'll sign a 4.2.0 if you want a prerelease 😃

straffin

02/19/2020, 4:11 PM
Ooo! That would be great!
4:11 PM
At least to try my pkg'ing theories.

seph

02/19/2020, 4:12 PM
I fib. I think it’s somewhat gnarly for me to re-sign one. There’s a bunch of unpack/repack steps. OTOH, I did want to look at those tools today