Bug 497308

Summary: kdiff3 started to crash on start after it was updated to 1.12 on MacOS
Product: [Applications] kdiff3
Reporter: Viacheslav <pritykin.amir>
Component: application
Assignee: michael <reeves.87>
Status: CONFIRMED ---
Severity: critical
CC: bcooksley, c.oosterlynck, ingmar.steiner
Priority: HI
Version: 1.12.0
Target Milestone: ---
Platform: macOS (DMG)
OS: macOS
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments:
crash report
crash report 2
attachment-3278038-0.html
attachment-3279432-0.html
attachment-3284678-0.html

Description Viacheslav 2024-12-11 00:44:41 UTC
Created attachment 176511 [details]
crash report

I updated kdiff3 from 1.11.4 to 1.12 via brew, and it cannot start. I then uninstalled it and installed the same version from this link https://download.kde.org/stable/kdiff3/?C=M;O=D with the same outcome. I see either a crash report or "“kdiff3” is damaged and can’t be opened. You should move it to the Bin."

SOFTWARE/OS VERSIONS: 
macOS: 15.1.1
Comment 1 Viacheslav 2024-12-11 00:45:18 UTC
Created attachment 176512 [details]
crash report 2
Comment 2 michael 2024-12-14 17:51:57 UTC
Sounds like a bad build. Just rebuilt and uploaded a new copy; see if it works. I have no way of testing these images unfortunately, but they should be able to run as is.
Comment 3 Viacheslav 2024-12-15 01:12:37 UTC
(In reply to michael from comment #2)
> Sounds like a bad build Just rebuilt and uploaded a new copy see if it
> works. It have no way of testing these images one unfortunately but they
> should be able to run as is.

Hi Michael. It shows the same old "Last modified: 2024-12-11 14:22" for the "kdiff3-1.12.0-macos-arm64.dmg" here https://download.kde.org/stable/kdiff3/?C=M;O=D and it still does not work.
Comment 4 Kurt Hindenburg 2024-12-15 17:59:22 UTC
I get the same message - not sure how to debug a binary
Comment 5 michael 2024-12-16 16:53:50 UTC
The binaries for macOS and Windows are built via Craft. I suspect the CI may be creating an invalid bundle. Are you able to test the x64 version or rebuild from the 1.12 branch?
Comment 6 Viacheslav 2024-12-16 16:57:11 UTC
The "kdiff3-1.12.0-macos-x86_64.dmg" version gives me the same:
> “kdiff3” is damaged and can’t be opened. You should move it to the Trash.
Comment 7 michael 2024-12-16 17:36:43 UTC
Thanks, going to file a ticket regarding the CI. Not sure if it's Craft or the CI itself causing this.
Comment 8 Ben Cooksley 2024-12-16 17:52:39 UTC
Please run the following commands on the *.app you have for KDiff3:
codesign --display --verbose /path/to/KDiff3.app
codesign --verify --verbose --strict --deep /path/to/KDiff3.app
/usr/sbin/spctl -a -t exec -vv /path/to/KDiff3.app

Please note that KDiff3 has not enabled notarization of its macOS builds within the KDE CI environment, so you could also try temporarily allowing running non-notarized builds to see if that lets you start KDiff3.

The logs at https://sdk.local-kde.org/-/kdiff3/-/jobs/2384960/artifacts/kde-ci-logs/extragear/kdiff3/kdiff3.log from a recent build indicate that our validation checks passed for signing but failed for notarization so the build at https://invent.kde.org/sdk/kdiff3/-/jobs/2384960/artifacts/file/kde-ci-packages/kdiff3-1.12-1845-macos-clang-arm64.dmg should be fine for ARM based Macs (link valid for the next couple of days only)
Comment 9 Viacheslav 2024-12-16 18:05:53 UTC
codesign --display --verbose /Applications/kdiff3.app
> Executable=/Applications/kdiff3.app/Contents/MacOS/kdiff3
> Identifier=org.kde.KDiff3
> Format=app bundle with Mach-O thin (arm64)
> CodeDirectory v=20400 size=12807 flags=0x2(adhoc) hashes=394+3 location=embedded
> Signature=adhoc
> Info.plist entries=18
> TeamIdentifier=not set
> Sealed Resources version=2 rules=13 files=1
> Internal requirements count=0 size=12

the next command failed:
codesign --verify --verbose --strict --deep /Applications/kdiff3.app
> /Applications/kdiff3.app: invalid signature (code or signature have been modified)
> In architecture: arm64

ChatGPT suggested that I execute this one:
sudo codesign --force --deep --sign - /Applications/kdiff3.app
> /Applications/kdiff3.app: replacing existing signature

codesign --verify --verbose --strict --deep /Applications/kdiff3.app
> /Applications/kdiff3.app: valid on disk
> /Applications/kdiff3.app: satisfies its Designated Requirement

After the steps above, the initial error "kdiff3” is damaged and can’t be opened" disappeared, and I just had to allow the untrusted app to run from the "Privacy and Security" settings of MacOS.
Comment 10 Ben Cooksley 2024-12-16 18:07:31 UTC
Strange. Can you please try the file I linked to see if that is any different?
Comment 11 Viacheslav 2024-12-16 18:18:53 UTC
I forgot to mention this command I ran with the original dmg file:
/usr/sbin/spctl -a -t exec -vv /Applications/kdiff3.app
> /Applications/kdiff3.app: rejected

I uninstalled the original kdiff3.app (to be clear, it started working after the actions I described in the previous comment) and installed the one you provided. The new app does not have the "“kdiff3” is damaged and can’t be opened" issue and only has this issue which could be overcome from the "Privacy and Security": https://share.cleanshot.com/rrQdpqWj 
> "kdiff3" Not Opened
> Apple could not verify "kdiff3" is free of malware that may harm your Mac or compromise your privacy.

I executed these commands:

codesign --display --verbose /Applications/kdiff3.app
> Executable=/Applications/kdiff3.app/Contents/MacOS/kdiff3
> Identifier=org.kde.KDiff3
> Format=app bundle with Mach-O thin (arm64)
> CodeDirectory v=20500 size=12826 flags=0x10000(runtime) hashes=394+3 location=embedded
> Signature size=8997
> Timestamp=16 Dec 2024 at 17:58:54
> Info.plist entries=18
> TeamIdentifier=5433B4KXM8
> Runtime Version=14.4.0
> Sealed Resources version=2 rules=13 files=6874
> Internal requirements count=1 size=176

codesign --verify --verbose --strict --deep /Applications/kdiff3.app
> /Applications/kdiff3.app: valid on disk
> /Applications/kdiff3.app: satisfies its Designated Requirement

/usr/sbin/spctl -a -t exec -vv /Applications/kdiff3.app
> /Applications/kdiff3.app: rejected
> source=Unnotarized Developer ID
> origin=Developer ID Application: K Desktop Environment e.V. (5433B4KXM8)
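
Added example (not part of the bug thread and not KDE or Apple tooling): a small shell helper that tells apart the signing states seen in comments 9 and 11, an ad hoc signature versus a Developer ID signature that Gatekeeper reports as unnotarized. The function name `classify_signing` and the result labels are assumptions made for this sketch; the sample text is copied from the outputs posted above.

```shell
#!/bin/sh
# Added example. classify_signing is a hypothetical helper, not an Apple or KDE tool.
# $1: text printed by `codesign --display --verbose APP`
# $2: text printed by `spctl -a -t exec -vv APP` (may be empty)
classify_signing() {
  # Ad hoc signature: hashes only, no certificate chain and no team identity.
  case "$1" in
    *"Signature=adhoc"*) echo "adhoc"; return 0 ;;
  esac
  team=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p')
  if [ -z "$team" ] || [ "$team" = "not set" ]; then
    echo "no-team-identity"; return 0
  fi
  # A team ID is present; the Gatekeeper assessment says whether it was notarized.
  case "$2" in
    *"source=Notarized Developer ID"*)   echo "developer-id-notarized team=$team" ;;
    *"source=Unnotarized Developer ID"*) echo "developer-id-unnotarized team=$team" ;;
    *)                                   echo "developer-id-unassessed team=$team" ;;
  esac
}

# Output lines copied from comment 9 (download.kde.org DMG) of this thread.
RELEASE_DISPLAY='Identifier=org.kde.KDiff3
CodeDirectory v=20400 size=12807 flags=0x2(adhoc) hashes=394+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Output lines copied from comment 11 (KDE CI artifact) of this thread.
CI_DISPLAY='Identifier=org.kde.KDiff3
CodeDirectory v=20500 size=12826 flags=0x10000(runtime) hashes=394+3 location=embedded
TeamIdentifier=5433B4KXM8'
CI_ASSESS='/Applications/kdiff3.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: K Desktop Environment e.V. (5433B4KXM8)'

classify_signing "$RELEASE_DISPLAY" ""
classify_signing "$CI_DISPLAY" "$CI_ASSESS"
# On a Mac, feed it live output; APP is a placeholder path and 2>&1 captures the
# text whichever stream the tool writes to:
#   classify_signing "$(codesign --display --verbose "$APP" 2>&1)" \
#                    "$(spctl -a -t exec -vv "$APP" 2>&1)"
```

An "adhoc" result stays "adhoc" after a forced `--sign -` re-sign: `codesign --verify` then passes, but the bundle still carries no publisher identity.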
Comment 12 Viacheslav 2024-12-16 18:31:53 UTC
Now, for the funny part. I reinstalled back the Brew version, but I can't get it to work with all the commands above (it worked half an hour ago). I uninstalled it and installed your custom DMG, and it works.
Comment 13 michael 2024-12-16 19:46:08 UTC
Created attachment 176689 [details]
attachment-3278038-0.html

If the binary from the KDE CI works, that is the only supported macOS build. Brew is not conducting signing/notarization correctly, from what you describe.
Comment 14 michael 2024-12-16 19:52:20 UTC
Created attachment 176690 [details]
attachment-3279432-0.html

In regards to the CI binary, it looks like there has been a change in Apple's signing requirements that we may be able to account for.

Dec 16, 2024 2:45:59 PM Michael Reeves <reeves.87@gmail.com>:

> If the binary from the KDE CI works, that is the only supported macOS build. Brew is not conducting signing/notarization correctly, from what you describe.
Comment 15 michael 2024-12-16 20:20:01 UTC
Created attachment 176692 [details]
attachment-3284678-0.html

I think the differences you see are because the official build has kdiff3 and all dependencies in one package file, which makes it easier to sign in a way that Mac OS X will accept.
Comment 16 Viacheslav 2024-12-16 20:48:36 UTC
Brew does not ship its own builds. The app is downloaded from https://download.kde.org/stable/kdiff3/kdiff3-1.12.0-macos-arm64.dmg (check this out https://formulae.brew.sh/api/cask/kdiff3.json)
Also, here are my console logs:

> brew install --cask kdiff3
> ==> Downloading https://formulae.brew.sh/api/cask.jws.json
> ################################################################################################################################## 100.0%
> ==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-cask/0bca803fed3202f8f31068d6c73a872a36b3c843/Casks/k/kdiff3.rb
> Already downloaded: /Users/swap/Library/Caches/Homebrew/downloads/84f773324c06f883fac43f3d820dbada74a05b5fd6b5990b8c97e6b03efdc02f--kdiff3.rb
> ==> Downloading https://download.kde.org/stable/kdiff3/kdiff3-1.12.0-macos-arm64.dmg
> Already downloaded: /Users/swap/Library/Caches/Homebrew/downloads/58e429ede9ab268d47bbdabe5e33bd0a8ed44ebeed7f4989be26ca60b0f6a043--kdiff3-1.12.0-macos-arm64.dmg
> ==> Installing Cask kdiff3
> ==> Moving App 'kdiff3.app' to '/Applications/kdiff3.app'
> ==> Linking Binary 'kdiff3.wrapper.sh' to '/opt/homebrew/bin/kdiff3'
> 🍺  kdiff3 was successfully installed!
Comment 17 Ben Cooksley 2024-12-17 10:39:41 UTC
Michael, where was the 1.12 DMG sourced from before it was uploaded to download.kde.org?
Comment 18 michael 2024-12-17 19:02:17 UTC
Should be from https://invent.kde.org/sdk/kdiff3/-/pipelines/835945.
Comment 19 Ingmar 2024-12-18 05:39:04 UTC
I can see failure to notarize the app in the CI job logs, e.g., in https://invent.kde.org/sdk/kdiff3/-/jobs/2359639#L2222:
> 2024-12-06 22:30:37,876 INFO notarizemacapp Branch '1.12' of project 'sdk/kdiff3' is not cleared for notarization. Skipping.

This points to https://invent.kde.org/sysadmin/ci-notary-service/-/blob/master/notarizemacapp.py?ref_type=heads#L86-88:
>     if not projects.settings.exists(projectPath, branch):
>        log.info(f"Branch '{branch}' of project '{projectPath}' is not cleared for notarization. Skipping.")
>        return 0

The settings seem to be loaded from `macappnotarizer-projects.yaml` on the Runner "macstadium1-macOS". My immediate hunch is that the new 1.12 branch was not whitelisted for notarization in that settings file?

Then again, the corresponding CI jobs on older tag pipelines also exhibit this behavior (e.g., https://invent.kde.org/sdk/kdiff3/-/jobs/2146878#L2209) or have a manual trigger, which leads me to suspect that automatic notarization is not enabled, and run downstream from the CI pipelines...?
Comment 20 Ben Cooksley 2024-12-18 10:40:37 UTC
@Michael: That pipeline must have been run before the change was fully integrated to enable signing for 1.12, as a recent run is fine.

For Notarization, that configuration lives at https://invent.kde.org/sysadmin/ci-utilities/-/blob/master/signing/macappnotarizer-projects.yaml?ref_type=heads

Infrastructure wise everything is working correctly here, Michael needs to send the appropriate merge requests then re-release the 1.12 binaries to correct this.
Comment 21 michael 2024-12-18 13:58:23 UTC
Does notarization require anything more than to have the branch authorized in CI? Last time I had it on it seemed to be broken. That said, it's been a while.
Comment 22 michael 2024-12-18 14:02:35 UTC
Config in kdiff3 repo has been fixed.
Comment 23 Ben Cooksley 2024-12-18 18:20:44 UTC
From my understanding it just needs to be authorised yes.

If your application has issues preventing notarization then those may need to be resolved to allow a successful build to complete, but notarization is essentially required now in order to distribute on macOS so it is something that will need to be worked through. Help is available with issues in #kde-craft:kde.org on Matrix
Comment 25 michael 2024-12-19 16:46:34 UTC
New binary is here; the link is good for two days so you can verify it before it's uploaded.

https://invent.kde.org/sdk/kdiff3/-/jobs/2395108/artifacts/raw/kde-ci-packages/kdiff3-1.12-1854-macos-clang-arm64.dmg
Comment 26 Viacheslav 2024-12-19 17:13:54 UTC
It works. I hope it will become 1.12.1 so the brew can pick up the update