From 2506bec52d690cf136e00b42e43edb5133f05009 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 25 May 2026 21:48:24 -0700 Subject: [PATCH] sync: auto-sync from Mikes-MacBook-Air.local at 2026-05-25 21:48:23 Author: Mike Swanson Machine: Mikes-MacBook-Air.local Timestamp: 2026-05-25 21:48:23 --- session-logs/2026-05-25-session.md | 182 +++++++++++++++++++++++++++++ 1 file changed, 182 insertions(+) diff --git a/session-logs/2026-05-25-session.md b/session-logs/2026-05-25-session.md index 0971a04..f19945b 100644 --- a/session-logs/2026-05-25-session.md +++ b/session-logs/2026-05-25-session.md @@ -1785,3 +1785,185 @@ grep -rn ": any" dashboard/src/components/InventoryTab.tsx ... - Audit-2 report: `projects/msp-tools/guru-rmm/reports/2026-05-25-rmm-audit-2.md` - Bug tracking: `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` (BUG-002 through BUG-012) - Coord API component state: server=building, dashboard=building (as of end of session) +--- + +## Update: 20:00 PT — macOS Agent Build with Code Signing & Notarization (Mikes-MacBook-Air) + +## User +- **User:** Mike Swanson (mike) +- **Machine:** Mikes-MacBook-Air +- **Role:** admin +- **Session:** 20:00 - 21:45 PT + +## Session Summary + +Built the first macOS version of the GuruRMM agent with full Apple code signing and notarization. Started with setting up Apple Developer credentials on a new Personal/Individual Apple Developer account after discovering the organization DUNS registration was out of date. Generated a Certificate Signing Request through Keychain Access, created a Developer ID Application certificate (not Apple Development certificate), and installed it on the Mac. Set up app-specific password for notarization and stored credentials in Keychain using notarytool. + +Encountered a compilation error during the first build attempt - the agent's IPC authorization code used getgrouplist from the nix crate which is not available on macOS targets. Fixed this by adding platform-specific conditional compilation: Linux continues to use the nix wrapper while macOS calls libc::getgrouplist directly with proper type conversions (i32 vs u32 for gid_t). + +Built and signed both Intel (x86_64) and ARM (aarch64) binaries in parallel. Each binary was individually notarized by Apple's service, which took significantly longer than expected - 34 minutes for Intel and 47 minutes for ARM due to peak-hour server load. After both architectures were notarized, created a universal binary using lipo and signed it with the same Developer ID certificate. All three binaries (Intel-only, ARM-only, and universal) are now ready for distribution with SHA256 checksums. + +The universal binary (8.3 MB) combines both architectures and will run natively on any Mac. Did not complete the local installation due to sudo permission requirements - provided manual installation commands for the user to run. Next step is deploying the signed binaries to gururmm-build server at 172.16.3.30. + +## Key Decisions + +- **Used Personal Apple Developer account instead of waiting for Organization account** - The DUNS registration for organization enrollment would take several weeks to refresh. Personal/Individual accounts can issue Developer ID Application certificates for distribution outside the Mac App Store, meeting all requirements for RMM agent distribution. +- **Built architecture-specific binaries first, then universal** - This approach allows offering Intel-only (4.5 MB) and ARM-only (3.8 MB) downloads for users who want smaller binaries, while the universal binary (8.3 MB) provides maximum compatibility. All three are independently signed and notarized. +- **Platform-specific getgrouplist implementation** - Rather than removing the admin group authorization check entirely for macOS, implemented a macOS-specific path calling libc directly. This preserves the security model across all Unix platforms despite nix crate's limited macOS support. +- **Continued waiting through long notarization times** - Apple's notarization service took 34 minutes for Intel and 47 minutes for ARM. Rather than canceling and retrying later, continued monitoring in background. The submissions were valid and would eventually complete, which they did. +- **Chose superguru@gmail.com as Apple ID** - Initial notarization attempt with mike@azcomputerguru.com failed with 401 error. User's actual Apple Developer account is registered to superguru@gmail.com, not the business domain. + +## Problems Encountered + +- **Wrong certificate type downloaded initially** - User downloaded "Apple Development" certificate instead of "Developer ID Application". Examined with openssl to identify the issue, then guided user to correct section of Apple Developer portal to get Developer ID Application certificate for distribution outside App Store. +- **Certificate not appearing as valid identity** - After importing the first certificate, security find-identity showed zero valid identities. Root cause was that the CSR was not generated on this specific Mac, so the private key was missing. Generated new CSR on this Mac, created new certificate with that CSR, and the certificate+private key pair installed correctly. +- **Notarization credentials initially invalid (HTTP 401)** - Used mike@azcomputerguru.com as Apple ID but authentication failed. User clarified the Apple Developer account is registered to superguru@gmail.com. Re-ran notarytool store-credentials with correct email and succeeded. +- **Compilation failure: getgrouplist not available on macOS** - The nix crate wraps getgrouplist on Linux but conditionally compiles it out for apple_targets. Fixed by adding conditional compilation in agent/src/ipc.rs: Linux uses nix::unistd::getgrouplist while macOS calls libc::getgrouplist directly with proper type conversions (libc::c_int vs u32). +- **Extended Apple notarization processing times** - Intel binary took 34 minutes to complete notarization, ARM took 47 minutes (both significantly longer than the typical 2-5 minutes). This is documented behavior during peak hours and the submissions eventually succeeded without intervention. + +## Configuration Changes + +### Files Modified +- projects/msp-tools/guru-rmm/agent/src/ipc.rs (lines 487-521) - Added platform-specific conditional compilation for getgrouplist: Linux uses nix crate wrapper, macOS calls libc directly + +### Files Created +- projects/msp-tools/guru-rmm/agent/build-macos-signed.sh (170 lines) - Build script for creating signed and notarized macOS binaries for both architectures +- projects/msp-tools/guru-rmm/agent/entitlements.plist (38 lines) - Hardened runtime entitlements for code signing (JIT, unsigned memory, network client/server, file access) +- projects/msp-tools/guru-rmm/agent/MACOS_BUILD_GUIDE.md (315 lines) - Complete documentation for Apple code signing setup, notarization, building, verification, troubleshooting +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-amd64-0.6.41 (4.5 MB) - Signed and notarized Intel binary +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-amd64-0.6.41.sha256 - Intel binary checksum +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-arm64-0.6.41 (3.8 MB) - Signed and notarized ARM binary +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-arm64-0.6.41.sha256 - ARM binary checksum +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-universal-0.6.41 (8.3 MB) - Signed universal binary (Intel + ARM) +- projects/msp-tools/guru-rmm/agent/dist/gururmm-agent-macos-universal-0.6.41.sha256 - Universal binary checksum +- ~/.zshrc - Added MACOS_SIGNING_IDENTITY and NOTARIZE_PROFILE environment variables + +### Files Deleted +- None + +## Credentials & Secrets + +### Apple Developer Credentials (stored in macOS Keychain) +- **Apple ID:** superguru@gmail.com +- **App-Specific Password:** ngob-iwdq-lnvn-pifh (for notarization only, stored in Keychain) +- **Developer ID Application Certificate:** MICHAEL PHILLIP SWANSON (N2LVAL4LQP) + - Team ID: N2LVAL4LQP + - Certificate fingerprint: C732EAAC17E055AD06947E9464F321E901C079BF + - Stored in Keychain: login.keychain-db +- **Notarization Profile Name:** gururmm-notarize (stored in Keychain via xcrun notarytool store-credentials) + +### Environment Variables (added to ~/.zshrc) +```bash +export MACOS_SIGNING_IDENTITY="Developer ID Application: MICHAEL PHILLIP SWANSON (N2LVAL4LQP)" +export NOTARIZE_PROFILE="gururmm-notarize" +``` + +## Infrastructure & Servers + +### Build Machine +- **Hostname:** Mikes-MacBook-Air +- **Architecture:** Apple Silicon (arm64) +- **macOS Version:** Darwin 25.5.0 +- **Xcode:** Installed (provides SDK and codesign tools) +- **Rust Targets:** x86_64-apple-darwin, aarch64-apple-darwin + +### Apple Notarization Service +- **Intel Submission ID:** 5223b700-49d6-4159-a29a-003773d25912 (created 2026-05-26T03:35:37.707Z, accepted after 34 minutes) +- **ARM Submission ID:** a8d4e5b4-2639-4a4e-9adb-60f04f0c197a (created 2026-05-26T03:51:39.998Z, accepted after 47 minutes) + +### Deployment Target (not yet deployed) +- **Server:** gururmm (172.16.3.30) +- **Path:** /var/www/gururmm/downloads/ +- **Files to deploy:** + - gururmm-agent-macos-amd64-0.6.41 + .sha256 + - gururmm-agent-macos-arm64-0.6.41 + .sha256 + - gururmm-agent-macos-universal-0.6.41 + .sha256 + +## Commands & Outputs + +```bash +# Verify Code Signing Identity +security find-identity -v -p codesigning +# Output: 1) C732EAAC17E055AD06947E9464F321E901C079BF "Developer ID Application: MICHAEL PHILLIP SWANSON (N2LVAL4LQP)" + +# Store Notarization Credentials +xcrun notarytool store-credentials "gururmm-notarize" \ + --apple-id "superguru@gmail.com" \ + --team-id "N2LVAL4LQP" \ + --password "ngob-iwdq-lnvn-pifh" +# Output: Credentials validated. Credentials saved to Keychain. + +# Build Intel Binary +cargo build --release --target x86_64-apple-darwin +# Compiled in 28.24s + +# Build ARM Binary +cargo build --release --target aarch64-apple-darwin +# Compiled in 40.16s + +# Sign Binary +codesign --force \ + --sign "Developer ID Application: MICHAEL PHILLIP SWANSON (N2LVAL4LQP)" \ + --timestamp --options runtime \ + --entitlements entitlements.plist \ + target/x86_64-apple-darwin/release/gururmm-agent + +# Verify Code Signature +codesign --verify --verbose target/x86_64-apple-darwin/release/gururmm-agent +# Output: valid on disk, satisfies its Designated Requirement + +# Notarize Binaries +xcrun notarytool submit gururmm-agent-macos-amd64-0.6.41.zip \ + --keychain-profile "gururmm-notarize" --wait +# Intel: 34 minutes until status: Accepted +# ARM: 47 minutes until status: Accepted + +# Create Universal Binary +lipo -create \ + gururmm-agent-macos-amd64-0.6.41 \ + gururmm-agent-macos-arm64-0.6.41 \ + -output gururmm-agent-macos-universal-0.6.41 + +# Verify Universal Binary +lipo -info gururmm-agent-macos-universal-0.6.41 +# Output: Architectures in the fat file: gururmm-agent-macos-universal-0.6.41 are: x86_64 arm64 +``` + +## Pending / Incomplete Tasks + +1. **Install agent on this Mac** - Requires sudo to stop service, backup old binary, install new universal binary, restart service. Manual commands provided to user. +2. **Deploy signed binaries to gururmm-build server** - Upload all six files (3 binaries + 3 checksums) to 172.16.3.30:/var/www/gururmm/downloads/. Create .channel files marking them as beta. Create symlinks for -latest versions. +3. **Test agent installation on fresh macOS system** - Verify the signed and notarized binaries install cleanly on a Mac that has never had the agent before. Confirm Gatekeeper accepts them without quarantine warnings. +4. **Update agent README** - MACOS_BUILD_GUIDE.md is complete, but may need updates to agent/README.md to reference the macOS build process. + +## Reference Information + +- **Apple Developer Portal:** https://developer.apple.com/account +- **Certificates:** https://developer.apple.com/account/resources/certificates/list +- **Code Signing Guide:** https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/ +- **Notarization Docs:** https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution +- **Agent Version:** 0.6.41 +- **Repository:** azcomputerguru/gururmm on Gitea +- **Agent Source:** projects/msp-tools/guru-rmm/agent/ +- **Build Output:** projects/msp-tools/guru-rmm/agent/dist/ +- **Build Script:** projects/msp-tools/guru-rmm/agent/build-macos-signed.sh +- **Documentation:** projects/msp-tools/guru-rmm/agent/MACOS_BUILD_GUIDE.md + +### Binary Details +| Binary | Size | Architecture | Status | +|--------|------|--------------|--------| +| gururmm-agent-macos-amd64-0.6.41 | 4.5 MB | x86_64 | Signed & Notarized | +| gururmm-agent-macos-arm64-0.6.41 | 3.8 MB | aarch64 | Signed & Notarized | +| gururmm-agent-macos-universal-0.6.41 | 8.3 MB | x86_64 + arm64 | Signed (not notarized separately) | + +### Installation Commands (Manual) +```bash +cd /Users/azcomputerguru/ClaudeTools/projects/msp-tools/guru-rmm/agent/dist +sudo launchctl bootout system /Library/LaunchDaemons/com.azcomputerguru.gururmm-agent.plist +sudo mv /usr/local/bin/gururmm-agent /usr/local/bin/gururmm-agent.old-$(date +%Y%m%d) +sudo cp gururmm-agent-macos-universal-0.6.41 /usr/local/bin/gururmm-agent +sudo chmod +x /usr/local/bin/gururmm-agent +/usr/local/bin/gururmm-agent --version +lipo -info /usr/local/bin/gururmm-agent +sudo launchctl bootstrap system /Library/LaunchDaemons/com.azcomputerguru.gururmm-agent.plist +```