Apple Notarization of migration assets #8240

Closed
lidel opened this issue Jul 2, 2021 · 7 comments · Fixed by ipfs/distributions#381 or #8333
Labels: kind/bug (A bug in existing code, including security flaws); need/analysis (Needs further analysis before proceeding); need/community-input (Needs input from the wider community); P0 (Critical: Tackled by core team ASAP); topic/macos (MacOS specific)

@lidel
Member

lidel commented Jul 2, 2021

Friends from Brave noted that upgrading go-ipfs 0.7.0 to 0.9.0 seems to cause a security error on macOS now:

Initializing daemon...
go-ipfs version: 0.9.0
Repo version: 11
System version: amd64/darwin
Golang version: go1.16.5
Found outdated fs-repo, migrations need to be run.
Looking for suitable migration binaries.
Need 1 migrations, downloading.
Downloading migration: fs-repo-10-to-11...
Fetching with HTTP: "https://ipfs.io/ipfs/QmVxxcTSuryJYdQJGcS8SyhzN7NBNLTqVPAxpu6gp2ZcrR/fs-repo-10-to-11/versions"
Fetching with HTTP: "https://ipfs.io/ipfs/QmVxxcTSuryJYdQJGcS8SyhzN7NBNLTqVPAxpu6gp2ZcrR/fs-repo-10-to-11/v1.0.0/fs-repo-10-to-11_v1.0.0_darwin-amd64.tar.gz"
Downloaded and unpacked migration: /var/folders/44/9r6j8dks44xdv4947lc_fkmh0000gn/T/migrations669767337/fs-repo-10-to-11 (v1.0.0)
Running migration fs-repo-10-to-11 ...
  => Running: /var/folders/44/9r6j8dks44xdv4947lc_fkmh0000gn/T/migrations669767337/fs-repo-10-to-11 -path=/Users/sdonner/Library/Application Support/BraveSoftware/Brave-Browser-Nightly/brave_ipfs -verbose=true
The migrations of fs-repo failed:
  migration fs-repo-10-to-11 failed: signal: killed
If you think this is a bug, please file an issue and include this whole log output.
  https://github.com/ipfs/fs-repo-migrations
Error: migration fs-repo-10-to-11 failed: signal: killed

[Image: 2021-07-02--23-43-22]

Perhaps Apple hardened their policies since we shipped 0.7.0 → 0.8.0 to our Desktop users?
First step is to confirm this is a real issue.

Step 1: confirm this is reproducible

Need help from a macOS user (~15min):

  1. Get the official 0.7.0 for macOS from https://dist.ipfs.io/go-ipfs/v0.7.0/go-ipfs_v0.7.0_darwin-amd64.tar.gz
  2. Use it to create an empty repo: execute export IPFS_PATH=/tmp/test-7-to-9 to point at a custom directory, then run ipfs init and ipfs daemon and confirm that it works ok.
  3. Stop 0.7.0 daemon
  4. Get official 0.9.0 for macOS from https://dist.ipfs.io/go-ipfs/v0.9.0/go-ipfs_v0.9.0_darwin-amd64.tar.gz
  5. Start ipfs daemon
  6. Comment below if migration was successful, or if the above error was displayed instead.

Step 2: fix the issue

  • (ad-hoc fix for 7–9 migration) manually notarize related migration binary
  • (real fix) add notarization workflow to dist.ipfs.io
    • MVP would be a workflow_dispatch job that does notarization of a binary in a specified *_darwin-*.tar.gz archive
    • harder: include notarization stapling as part of the build (tbd if worth it, one can assume that most IPFS users on macOS are online at the time of migration)
@lidel lidel self-assigned this Jul 2, 2021
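
An added example, not go-ipfs code: the `signal: killed` in the log above is how Go reports a child process that was terminated by SIGKILL, and a caller can detect that case and print a hint instead of a bare error. `killedBySignal` and `explainMigrationFailure` are hypothetical helpers, the `sh` child is a constructed stand-in for a migration binary killed at launch, and the code is Unix-only.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"runtime"
	"syscall"
)

// killedBySignal reports whether err describes a child process that was
// terminated by a signal (rather than exiting on its own), and which signal.
// Relies on syscall.WaitStatus, so it works on Unix-like systems only.
func killedBySignal(err error) (syscall.Signal, bool) {
	var exitErr *exec.ExitError
	if !errors.As(err, &exitErr) {
		return 0, false // never started, or some other kind of failure
	}
	ws, ok := exitErr.Sys().(syscall.WaitStatus)
	if !ok || !ws.Signaled() {
		return 0, false // ordinary non-zero exit code
	}
	return ws.Signal(), true
}

// explainMigrationFailure (hypothetical helper) turns the error from running
// a migration binary into a message that points at code signing when the
// symptom matches the one reported in this issue: SIGKILL on darwin.
func explainMigrationFailure(goos, bin string, err error) string {
	sig, ok := killedBySignal(err)
	switch {
	case !ok:
		return fmt.Sprintf("migration %s failed: %v", bin, err)
	case goos == "darwin" && sig == syscall.SIGKILL:
		return fmt.Sprintf("migration %s was killed by the OS (SIGKILL); "+
			"possible code-signing or notarization rejection, "+
			"check with: codesign --verify --verbose %s", bin, bin)
	default:
		return fmt.Sprintf("migration %s terminated by signal %v", bin, sig)
	}
}

func main() {
	// Constructed stand-in: a child that receives SIGKILL right after launch.
	err := exec.Command("sh", "-c", "kill -9 $$").Run()
	fmt.Println(explainMigrationFailure(runtime.GOOS, "fs-repo-10-to-11", err))
}
```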
@mburns
Contributor

mburns commented Jul 6, 2021

0.7.0 -> 0.9.0 migration Worked For Me. No security pop-up about unknown developer...

Initializing daemon...
go-ipfs version: 0.9.0
Repo version: 11
System version: amd64/darwin
Golang version: go1.16.5
Found outdated fs-repo, migrations need to be run.
Run migrations now? [y/N] y
Looking for suitable migration binaries.
Need 1 migrations, downloading.
Downloading migration: fs-repo-10-to-11...
Fetching with HTTP: "https://ipfs.io/ipfs/QmVxxcTSuryJYdQJGcS8SyhzN7NBNLTqVPAxpu6gp2ZcrR/fs-repo-10-to-11/versions"
Fetching with HTTP: "https://ipfs.io/ipfs/QmVxxcTSuryJYdQJGcS8SyhzN7NBNLTqVPAxpu6gp2ZcrR/fs-repo-10-to-11/v1.0.0/fs-repo-10-to-11_v1.0.0_darwin-amd64.tar.gz"
Downloaded and unpacked migration: /var/folders/ql/lq9gwpgx3nggmjy13syp055m0000gn/T/migrations511631181/fs-repo-10-to-11 (v1.0.0)
Running migration fs-repo-10-to-11 ...
  => Running: /var/folders/ql/lq9gwpgx3nggmjy13syp055m0000gn/T/migrations511631181/fs-repo-10-to-11 -path=/tmp/test-7-to-9 -verbose=true
applying 10-to-11 repo migration
opening datastore at "/tmp/test-7-to-9"
upgrading pinning to use datastore
converted 2 pins from ipld storage into datastore
updated version file
Migration 10 to 11 succeeded
Success: fs-repo migrated to version 11.
Swarm listening on /ip4/127.0.0.1/tcp/4001
Swarm listening on /ip4/127.0.0.1/udp/4001/quic
Swarm listening on /ip4/192.168.1.245/tcp/4001
Swarm listening on /ip4/192.168.1.245/udp/4001/quic
Swarm listening on /ip6/::1/tcp/4001
Swarm listening on /ip6/::1/udp/4001/quic
Swarm listening on /p2p-circuit
Swarm announcing /ip4/127.0.0.1/tcp/4001
Swarm announcing /ip4/127.0.0.1/udp/4001/quic
Swarm announcing /ip4/192.168.1.245/tcp/4001
Swarm announcing /ip4/192.168.1.245/udp/4001/quic
Swarm announcing /ip4/50.39.131.247/udp/4001/quic
Swarm announcing /ip6/::1/tcp/4001
Swarm announcing /ip6/::1/udp/4001/quic
API server listening on /ip4/127.0.0.1/tcp/5001
WebUI: http://127.0.0.1:5001/webui
Added migration file "fs-repo-10-to-11_v1.0.0_darwin-amd64.tar.gz": /ipfs/QmaCqq6KLw7p9DBYtVgegMmkDEuRXkS395LVweYqdY7vcq
Could not add migration to IPFS: nothing downloaded by ipfs fetcher
Gateway (readonly) server listening on /ip4/127.0.0.1/tcp/8080
Daemon is ready

@lidel
Member Author

lidel commented Jul 7, 2021

I believe @mburns was able to replicate since his last comment was posted.

@stephendonner @mburns what version of macOS are you running when experiencing this?

@stephendonner
@lidel sorry for the delay; Monterey (public beta), version 12.0 Beta (21A5268h)

@lidel
Member Author

lidel commented Jul 12, 2021

Quick update – successful replication, but this is limited to GUI apps, it seems.

I was able to replicate this error while simulating 0.7.0 → 0.9.0
with the latest Brave Nightly and macOS Big Sur 11.2:

[Screenshot: 2021-07-12 at 23 15 02]

It is a bit ridiculous that macOS does not complain when I run migration using the same go-ipfs binary via Terminal app instead of being spawned via Brave:

[Screenshot: 2021-07-12 at 23 36 39]

@lidel
Member Author

lidel commented Jul 29, 2021

ipfs/distributions#367 (macos signing and notarization of darwin binaries at dist.ipfs.io via github actions) is ready for final review

@lidel
Member Author

lidel commented Aug 6, 2021

Signed migrations for Intel and Apple Silicon are ready: ipfs/distributions#381
Remaining work here:

@lidel
Member Author

lidel commented Aug 12, 2021

Reopening as this needs #8333 to be merged.
