Codesigning on MacOS

[bevanjkay]

Luanti version

-

Operating system and version

MacOS 15.1

CPU model

No response

GPU model

No response

Active renderer

No response

Summary

Hi 👋🏻 - Homebrew maintainer here.
We were sitting next to your team at FOSDEM over the weekend and discussed getting the minetest package renamed to luanti and updated to the latest version to ship through Homebrew. The best option here it to distribute the built Macintosh app as a Homebrew "cask" in the homebrew-cask repo. The package is currently failing one of our audits, because the system command to check codesigning is failing. The application itself seems to be signed and notarised correctly, but the error is likely to do with something being incorrect in the info.plist file. I did notice the string for "DTPlatformBuild" is empty, so this could be a place to start.

Related: Homebrew/homebrew-cask#200275 (comment)

Steps to reproduce

Run the following command on the app bundle.

spctl --assess --verbose Luanti.app

[sfence]

The problem can be that we updated the build to be able to sign the app in Xcode.
But in our successfully signed app, DTPlatformBuild is empty.

I used the command: spctl -a -vvv -t install Luanti.app to verify and say accepted. We received no report about invalid app signature, so I expect, that it works for users.

But the command spctl --assess --verbose Luanti.app says to me, rejected (the code is valid but does not seem to be an app)

[sfence]

DTPlatformBuild was never set in preconfigured plist, and is not set in previous unsigned MacOS releases.

You are creating Xcode project and compiling Luanti from command line by Xcode in homebrew?

[appgurueu]

Googling the "rejected (the code is valid but does not seem to be an app)", I get this SO post according to which setting CFBundlePackageType to APPL in Info.plist.in might be worth a try.

[bevanjkay]

You are creating Xcode project and compiling Luanti from command line by Xcode in homebrew?

We are adding luanti to homebrew-cask for MacOS, which just distributes the application as provided upstream. We simply download it from the upstream and install it systematically. Our CI just has some testing to ensure that application works as expected for users.

[sfence]

We are adding luanti to homebrew-cask for MacOS, which just distributes the application as provided upstream. We simply download it from the upstream and install it systematically. Our CI just has some testing to ensure that application works as expected for users.

Understand.
I try to fix this issue in the upcoming 5.11 release.

[sfence]

@bevanjkay Btw, how did homebrew distribute the previous version of the unsigned Minetest app?

[bevanjkay]

It was being built in homebrew-core on our CI and distributed. But generally speaking, we don't build GUI apps in homebrew-core, it is for cli tools only.

In the current situation, because Luanti is provided as a built application upstream, we would only distribute it as provided upstream, for MacOS in homebrew-cask.