# macos
s
We're packaging the osquery installer along with our own flags file and daemons in a flat package for easy manual distribution. However, with Catalina requiring notarization as of February 1, our package now won't install. We attempted notarization, but it fails on osqueryd "not hav[ing] the hardened runtime enabled." Are we going to have to build osquery ourselves to get around this, or should we expect the downloadable installers to have the hardened runtime enabled?
z
@seph do you know anything about this?
s
Apple changed the notarization requirements. Henceforth things require more options. Even though you're using a notarized osquery, your packaging might tickle that.
You probably don't need to build osquery, you probably need to resign it using the current requirements.
Yes, I expect whatever we release will be notarized.
Examining the 4.1.2 package, yes, the osqueryd binary is notarized. I don’t know what your process is. I would not have expected the notarization to be stripped. If you have command line driven steps, I can look over them. (But if it’s in xcode, I can’t deconstruct it)
If you do need to re-notarize, you probably also need to re-sign. You should not need to rebuild.
codesign --force -s "${CODESIGN_IDENTITY}" -v --options runtime --timestamp osqueryd
will codesign it with the required options. You can then submit that for notarization, by zipping it and uploading. Something like:
zip -r o.zip osqueryd
xcrun altool \
  --username "${NOTARIZE_APPLE_ID}" \
  --password @env:NOTARIZE_APP_PASSWD \
  --asc-provider "${NOTARIZE_ACCOUNT_ID}" \
  --notarize-app --file o.zip \
  --primary-bundle-id io.osquery.osquery
(bundle id doesn’t really matter here)
I did just run through that process, and was able to re-notarize the existing build:
dover:bin seph$ spctl -a -vvv -t install osqueryd 
osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Kolide Inc (YZ3EM74M78)
I’ll make sure future releases get notarized, yes.
s
Thanks for the info, @seph!
(BTW, I'm perfectly willing to accept that the error here is 100% mine. The info you've given will help a great deal in figuring this out. Thanks again!)
s
Happy to help. And curious what you learn
At kolide, we take the osquery binary and package it with our agent. And while I could resign, I don't.
s
re:steps - I'm using productsign to sign a pkg that installs your pkg along with .flags, .crt, secret, and LaunchDaemon plist. (No other executables aside from the osquery.pkg and its contents). There's no "runtime" option on productsign.
s
Hrm. I know I submit the osqueryd binary for notarization, but I don’t think I ever submit the pkg.
For what it’s worth, at Kolide I extract the underlying osqueryd binary, and re-package it into a kolide pkg
s
Well, as part of a test, I just submitted the osquery-4.1.2.pkg. 🙂 It was approved. 😄
Now that the underlying pkg is notarized, I wonder if my packages that contain it will be approved? /me goes off to test that now...
s
Could be? That would even sorta make sense. I only ever package the binaries.
s
Looking into that more. Was trying to keep the original (kolide) pkg as untouched as possible. Stripping out the contents and stuffing them onto my own pkg is a lot of touching. 🙂 We're also looking to re-pkg other apps like this that actually have scripts that we'd not want to have to deal with...
Nope... my pkg is still invalid even tho the contents are... hrm...
Thanks tho! This is officially outside your realm, so I'll bother someone else. 🙂
s
If you're looking for osquery code signing it's probably still me. :)
It's a holiday here though, so I might vanish.
Does the notarization error hint at stuff? It's usually pretty clear.
s
Hmm... interesting. Even though your 4.1.2 pkg was "Accepted", it contains a warning: "The executable does not have the hardened runtime enabled."
s
Probably because it predates that requirement. The reqs changed in February
s
But mine that contains yours is "Invalid", even tho the message is the same...
"path": "osq-test-signed.pkg/payload.pkg Contents/Payload/private/var/tmp/osquery-4.1.2.pkg/osquery-4.1.2.pkg Contents/Payload/usr/local/bin/osqueryd",
"message": "The executable does not have the hardened runtime enabled."
Ah... ok. Hmmm...
s
The "Ready for distribution" is interesting
s
How so? (I don't disagree, I just don't understand)
s
You could resign osquery, but that would mean unpacking everything
(Note that I work for Kolide, but also volunteer for osquery. I made Kolide's package, and have involvement in the osquery ones. But osquery.pkg isn't a Kolide package.)
s
(Understood. Thanks for being so helpful.)
s
I'm happy to help! (I'll be at a laptop tomorrow)
s
👍
So, back at it again today. Moved all the osquery pkg files into a new pkg and added our LaunchDaemon, cert, secret, and flags file, along with a postinstall script to kickstart the service. Signed, submitted, failed.
"path": "Duke_University_osquery_signed.pkg/Duke_University_osquery.pkg Contents/Payload/usr/local/bin/osqueryd",
"message": "The executable does not have the hardened runtime enabled."
Hrm...
s
I’d recommend resigning osqueryd with appropriate flags
s
That's what I was gonna try next. 🙂 Thanks for the confirmation that it might be a good idea.
Looks like that will work once I get the proper cert from our Apple Developer Account Manager. I just have "Developer ID Installer" right now, need "Developer ID Application" to sign the app. Latest effort failed but only with a "wrong cert" error.
s
I'll sign a 4.2.0 if you want a prerelease :)
s
Ooo! That would be great!
At least to try my pkg'ing theories.
s
I fib. I think it’s somewhat gnarly for me to re-sign one. There’s a bunch of unpack/repack steps. OTOH, I did want to look at those tools today