M1 code signing...


Post by Rinzwind »

Copy-pasted from https://wiki.lazarus.freepascal.org/Cod ... _for_macOS etc.

...
Big Sur on Apple M1 ARM64 processors
And then Apple changed the game.

When Big Sur is running on an Apple M1 (ARM64) processor, all native ARM64 code must be signed or the operating system prevents its execution; and this new Gatekeeper requirement cannot be bypassed.

Intel executables being run under Big Sur on an Apple M1 processor via Rosetta 2 can still be run even though they are unsigned using the control-click or right-click method to bypass Gatekeeper.

For more details, see: https://wiki.lazarus.freepascal.org/mac ... ntel_vs_M1
...
Intel code running under Rosetta 2 - this does not need to be signed for practical reasons (i.e. the code is translated into aarch64 code for the M1 and so any signature for the Intel code would of course be invalid when applied to the aarch64 code).
Native M1 aarch64 code will be blocked from execution unless a valid signature is attached. This signature can be as simple as an ad hoc code signature that doesn’t bear any actual identity from the secret half of an asymmetric key pair (it’s simply an unauthenticated measurement of the binary). The reason for this requirement is not to enable conventional code signature checks, but so that the executable code has a cdhash (code directory hash), which is used when macOS checks code before running it to verify that the contents of a binary have not changed since being code signed. If you don’t have an Apple developer signing certificate, an ad-hoc certificate generated on your Mac is quite sufficient. For those without developer accounts, Xcode now defaults to applying ad-hoc signing to its projects. As there is no requirement for an identity, and therefore any certificate to prove that identity, anyone can sign an application to run locally.
...
If you deploy:

1) an unsigned binary to your endusers, they will NOT be able to execute the binary on an M1 Apple Silicon computer. Note, however, that if the binary was linked on an M1 Apple Silicon computer, the macOS linker will have ad hoc signed the binary for you.

2) an ad hoc signed binary to your endusers, they will be able to execute the binaries on an M1 Apple Silicon computer. This is because these new signatures are not bound to the specific machine that was used to build the executable; they can be verified on any other system and will be sufficient to comply with the new default code signing requirement on Macs with Apple silicon. However, given that these signatures do not bear any valid identity, binaries signed this way cannot pass Gatekeeper.

For manual ad hoc code signing of an application bundle (note that a dash is used for the signing identity after the -s argument):

codesign --force --deep -s - MyApp.app


Does Gatekeeper keep nagging users, or only once? Right-click to bypass is not possible anymore, is what I understand from the above..
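The quoted wiki text turns on two structures inside the binary: the CodeDirectory (whose hash is the cdhash, and whose page hashes are what macOS compares against the file at load time) and the CMS blob that carries the signer identity, which an ad hoc signature leaves empty or absent. The script below is an added example, not code from the Lazarus wiki or from Rinzwind's post. It parses those structures from a 64-bit Mach-O, recomputes the page hashes, derives the cdhash, and classifies the signature as unsigned, ad hoc (optionally linker-signed) or identity-bearing. Because codesign only exists on macOS, the sample binaries it runs against are constructed in-memory stubs (the identifier com.example.sample, the fake "ret" payload and the placeholder CMS bytes are all made up here), so it runs on any OS; on a real Mac you would point inspect_signature at the bytes of a Mach-O you built.

```python
"""Inspect a Mach-O code signature: unsigned, ad hoc, or identity-signed.

Added example, not from the Lazarus wiki or Rinzwind's post. Reads the
LC_CODE_SIGNATURE load command, walks the embedded SuperBlob, recomputes the
page hashes recorded in the CodeDirectory, derives the cdhash and reports
whether a CMS blob with a signer identity is present. The stub binaries built
by build_sample_macho are constructed test data, not real executables.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01   # wrapper around the CMS signature, if any
CSSLOT_CODEDIRECTORY = 0
CSSLOT_SIGNATURESLOT = 0x10000
CS_ADHOC = 0x2                     # CodeDirectory flag set by `codesign -s -`
CS_LINKER_SIGNED = 0x20000         # set when ld ad hoc signs at link time
CS_CDHASH_LEN = 20                 # macOS truncates the cdhash to 20 bytes


def _superblob(data):
    """Return the signature SuperBlob bytes via LC_CODE_SIGNATURE, or None if unsigned."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            return data[dataoff:dataoff + datasize]
        off += cmdsize
    return None


def inspect_signature(data):
    """Classify the signature and verify the recorded page hashes against the file."""
    sb = _superblob(data)
    if sb is None:
        return {"signed": False, "adhoc": False, "identity": False, "cdhash": None, "hashes_ok": False}
    magic, _, count = struct.unpack_from(">3I", sb, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at a SuperBlob")
    slots = {}
    for i in range(count):                       # index entries: (slot type, offset)
        slot, off = struct.unpack_from(">2I", sb, 12 + 8 * i)
        blob_len = struct.unpack_from(">I", sb, off + 4)[0]
        slots[slot] = sb[off:off + blob_len]
    cd = slots[CSSLOT_CODEDIRECTORY]
    (magic, _, _, flags, hash_off, ident_off, _, n_code, code_limit,
     hash_size, hash_type, _, page_shift, _) = struct.unpack_from(">9I4BI", cd, 0)
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("CodeDirectory slot has wrong magic")
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[hash_type]
    cdhash = digest(cd).digest()[:CS_CDHASH_LEN].hex()   # hash of the CodeDirectory itself
    ident = cd[ident_off:cd.index(b"\0", ident_off)].decode()
    page, ok = 1 << page_shift, True
    for i in range(n_code):                      # the "contents unchanged" check
        chunk = data[i * page:min((i + 1) * page, code_limit)]
        recorded = cd[hash_off + i * hash_size:hash_off + (i + 1) * hash_size]
        ok &= digest(chunk).digest() == recorded
    cms = slots.get(CSSLOT_SIGNATURESLOT)
    has_identity = cms is not None and len(cms) > 8   # an 8-byte wrapper is empty: ad hoc
    return {"signed": True, "adhoc": bool(flags & CS_ADHOC) or not has_identity,
            "linker_signed": bool(flags & CS_LINKER_SIGNED), "identity": has_identity,
            "identifier": ident, "cdhash": cdhash, "hashes_ok": ok}


def build_sample_macho(flags=CS_ADHOC, cms=b"", signed=True):
    """Constructed stub: header, one LC_CODE_SIGNATURE, fake code, then the SuperBlob.

    cms=b"" gives the empty CMS wrapper `codesign -s -` writes; cms=None omits the
    slot (as a linker-signed binary may); other bytes stand in for a real identity.
    """
    payload = b"\xc0\x03\x5f\xd6" * 64           # constructed stand-in for ARM64 `ret`
    ident = b"com.example.sample"                # hypothetical identifier
    if not signed:
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0) + payload
    wrapper = None if cms is None else struct.pack(">2I", CSMAGIC_BLOBWRAPPER, 8 + len(cms)) + cms
    cd_len = 88 + len(ident) + 1 + 32            # v0x20400 header, identifier, one SHA-256 slot
    sb_len = 12 + 8 * (1 if wrapper is None else 2) + cd_len + (0 if wrapper is None else len(wrapper))
    code_limit = 32 + 16 + len(payload)          # everything before the signature is "code"
    code = (struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
            + struct.pack("<4I", LC_CODE_SIGNATURE, 16, code_limit, sb_len) + payload)
    cd = (struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, cd_len, 0x20400, flags,
                      88 + len(ident) + 1, 88, 0, 1, code_limit, 32, 2, 0, 12, 0)
          + struct.pack(">IIIQQQQ", 0, 0, 0, 0, 0, 0, 0)   # scatter/team/execseg fields, unused
          + ident + b"\0" + hashlib.sha256(code).digest())
    blobs = [(CSSLOT_CODEDIRECTORY, cd)] + ([] if wrapper is None else [(CSSLOT_SIGNATURESLOT, wrapper)])
    index, body, off = b"", b"", 12 + 8 * len(blobs)
    for slot, blob in blobs:
        index += struct.pack(">2I", slot, off)
        body += blob
        off += len(blob)
    return code + struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, off, len(blobs)) + index + body


if __name__ == "__main__":
    print("ad hoc   :", inspect_signature(build_sample_macho()))
    print("identity :", inspect_signature(build_sample_macho(flags=0, cms=b"\x30\x82" + b"\0" * 64)))
    print("unsigned :", inspect_signature(build_sample_macho(signed=False)))
```

Two things the output makes concrete: flipping a byte of the code leaves the cdhash unchanged (it measures the CodeDirectory, not the file) but makes hashes_ok false, which is the check that stops a modified binary from launching; and the difference between an ad hoc and an identity signature is only the presence of a non-empty CMS blob, which is why ad hoc signed code runs locally but cannot satisfy Gatekeeper. On a real Mac the same facts are visible in `codesign -dvvv MyApp.app` (it prints `Signature=adhoc` and a `CDHash=` line) and `spctl --assess --type execute MyApp.app` rejects the ad hoc signed bundle.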