Bug Hunting Session
Bug 104915 - LibO 5.3.0.1 main package (LibreOffice.app) for macOS is not signed (regression)
Summary: LibO 5.3.0.1 main package (LibreOffice.app) for macOS is not signed (regression)
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.3.0.0.beta2
Hardware: All Mac OS X (All)
: highest critical
Assignee: Norbert Thiebaud
URL:
Whiteboard:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2016-12-24 22:14 UTC by Frank Fuchs
Modified: 2017-07-12 20:23 UTC (History)
3 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Fuchs 2016-12-24 22:14:30 UTC
Description:
The LibO 5.3.0.1 main package (LibreOffice.app) for macOS is not signed.
The effect is that Gatekeeper on macOS does not allow starting the app (unless you bypass it).
This is a regression. 

Please note that you have to bypass Gatekeeper only once (for those of you who want to reproduce the bug).

Further note: as of right now, I cannot select 5.3.0.1 as the affected LibO version in bugzilla (entry is still missing).

Steps to Reproduce:
1.install LibO on macOS
2.start the app
3.you have to bypass Gatekeeper in order for the app to be allowed to start

Actual Results:  
LibO only starts if you bypass Gatekeeper.
This is bad behaviour, all macOS apps should be digitally signed by a verifyable developer.

Expected Results:
LibreOffice.app should by digitally signed. It should be startable even if Gatekeeper is set to its strictest settings.


Reproducible: Always

User Profile Reset: No

Additional Info:


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Comment 1 Alex Thurgood 2017-01-02 09:58:16 UTC
Confirming with LO53b2
Comment 2 Alex Thurgood 2017-01-02 09:59:47 UTC
Not sure what the policy is here - my uderstanding was that DEV releases (which is what 53beta2 still is, were not signed.
Comment 3 Alex Thurgood 2017-01-02 10:25:57 UTC
Altered priority and importance pending Christian's reply
Comment 4 Michael Meeks 2017-01-11 13:56:38 UTC
Norbert - prolly right up your street =)
Comment 5 Christian Lohmaier 2017-01-11 14:12:03 UTC
All officially provided builds should be signed, no matter whether it is LibreOfficeDev variant or in release candidate configuration (as the reporter reports against 5.3.0.1, which is no longer LibreOfficeDev, but LibreOffice proper).

$ codesign -v Desktop/LibreOffice.app 
Desktop/LibreOffice.app: code object is not signed at all
In architecture: x86_64

thus confirming and reassigning to Norbert, who actually does the build. Likely just using wrong autogen.input, no problem with the process as a whole.
Comment 6 Frank Fuchs 2017-01-17 18:26:29 UTC
fixed in LO 5.3.0.2