8 Replies Latest reply on Aug 25, 2014 6:55 AM by TSGal

    Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t

    intex

      Summary

      Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t

      Product

      FileMaker Pro

      Version

      13 latest

      Operating system version

      Mavericks latest

      Description of the issue

      Read this

      http://www.tuaw.com/2014/08/18/security-breach-may-be-reason-for-gatekeeper-app-signing-changes/
      http://www.tuaw.com/2014/08/04/apples-changes-to-app-signing-could-leave-some-apps-blocked-by/

      Doesn´t seem to be a big problem, but it is, since FileMaker runtimes can only be successfully signed under older systems than 10.9, but these new certificates only work on 10.9.

      See here for more background:
      https://fmdev.filemaker.com/message/81907#81907
      https://fmdev.filemaker.com/message/127990#127990
      https://fmdev.filemaker.com/message/129644#129644


      Till now we had one computer with 10.7 just for signing our FM runtime based apps. Obviously this will be no solution anymore.

      And now ? FileMaker Inc - HELP !!!

      Expected result

      possibility to successfully codesign a FM runtime

      Actual result

      till now we could sign the runtimes using 10.7, but this will be no longer possible as it seems.

      Workaround

      NONE

        • 1. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
          TSGal

               Martin Bohmer:

               Thank you for your post.

               Our Development and Testing departments are aware of this issue.

               FileMaker does not codesign Runtime applications.  Mac OS X 10.9 new security features now looks for code signing of applications, so we leave this to the Runtime developer.

               As mentioned in the middle link above, signing the application under Mac OS X 10.8 and transferring to Mac OS X 10.9 works.

               TSGal
               FileMaker, Inc.

          • 2. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
            intex

            "As mentioned in the middle link above, signing the application under Mac OS X 10.8 and transferring to Mac OS X 10.9 works."

                  

            it did so far, but it will not work starting with 10.9.5 !!!!!!!

                  

            And of course not FM is codesigning the runtime, but we have to do it. But it has to be technically possible - in the VERY NEAR future this will not be the case anymore.

            • 3. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
              intex

                   this what Apple says about your runtime:

                    

                   "Please include the line below in follow-up emails for this request.

                    

                   Follow-up: 609671789

                    

                   Hi Martin,

                    

                   Thanks for filing the bug report.

                    

                   I looked at the app, and the problem is that the frameworks inside the app bundle aren't structured properly. It looks like all of the symbolic links were stripped from the frameworks at some point.

                    

                   The fact that all of the frameworks are affected leads me to suspect that something about the build process didn't preserve the symlinks. That's where I would look next.

                    

                   As a workaround, you could put the symlinks back:

                    

                   $ cd DBEngine.framework/Versions

                   $ ln -s A Current

                   $ cd ..

                   $ ln -s Versions/Current/DBEngine DBEngine

                   $ ln -s Versions/Current/Resources Resources

                    

                   This allowed me to re-sign DBEngine.framework. Without this fix, I get this error:

                    

                   $ codesign -f -s "Developer ID Application:" -vvvvv INtex\ Hausverwaltung.app/Contents/Frameworks/DBEngine.framework 

                   INtex Hausverwaltung.app/Contents/Frameworks/DBEngine.framework: bundle format unrecognized, invalid, or unsuitable

                    

                   Repeat this process for all of the frameworks in your app, and please let me know (and add to your bug report) if you're able to figure out how the symlinks in the frameworks got deleted.

                    

                   Best regards,

                   -gc

                   ____________

                   Garth Cummings

                   Apple Developer Technical Support"

              • 4. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
                codecruncher

                     @TSGal: This is indeed a major issue and should be escalated right away. Signing applications in 10.8 and transferring them to 10.9 is not a solution since any app signed in an OS prior to 10.9.5 will be deemed invalid and will not be recognized by 10.9.5 (or later).  FileMaker 13 runtimes cannot be codesigned in OS X 10.8 or later.

                     I still use FileMaker 12 because I can codesign the runtime in OS 10.6. FileMaker 13 requires OS 10.7 which is the very last OS X that can codesign a FileMaker runtime successfully. The brightest and the best in the FileMaker community cannot sign a FileMaker runtime in 10.9. It is impossible. 

                • 5. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
                  codecruncher

                       Upon further research there might be a workaround. The good news is that the power PC code which was causing issues was finally removed in 13.0v3. Christian Schmitz created an entire page on how to code sign a runtime in 10.9 here:

                       http://www.mbsplugins.de/archive/2014-08-22/Code_Signing_FileMaker_Runtime

                       @ Martin Bohmer: It would be great if you can verify if Christian's solution still works in 10.9.5. You will 'simply' need to execute the script steps in the Terminal as laid out by Christian Schmitz from Monkeybread Software.

                  • 6. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
                    intex

                         @CodeCruncher

                         Hi,

                         it´s me (INtex Publishing) who asked Christian Schmitz for a solution and paid for it. After having signed and tested 16 different FM based apps I would say it works.

                         Martin

                    • 7. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
                      codecruncher

                           @ Martin Bohmer: Ich habe gerade meine FileMaker 12v5 runtime in OS X 10.9.4 mit der sagenhaften Lösung, die sie in Auftrag gegeben haben erfolgreich unterzeichnet. Ich schwebe auf den Wolken und bin ihnen immens dankbar.

                      • 8. Re: Alarm ?! Apps have to be signed newly under 10.9, but FM runtimes can´t
                        TSGal

                             Martin Bohmer:

                             Thank you for the additional information.  I have sent the information from the Apple Developer to Development and Testing for review.

                             TSGal
                             FileMaker, Inc.