Issue metadata
Sign in to add a comment
|
Canary on Mac is not launched |
||||||||||||||||||||
Issue descriptionChrome Version: (copy from chrome://version) OS: Mac 10.13.3 What steps will reproduce the problem? (1) Update to latest Canary from 69.0.3351.0 (2) Try to launch Canary. What is the expected result? Canary Chrome should be launched. What happens instead? Chrome is not launched. When attempted to launch from Command like, it gives 'Killed:9' error. Note: Same behavior is observed even by downloading and installing market build.
,
Jun 8 2018
Correcting the typo in Comment #1: Good Build: 69.0.3452.0 (Verified in equivalent unsigned build) Bad Build: 69.0.3453.0 This issue should not be blocking today Mac Dev RC #69.0.3451.0
,
Jun 8 2018
Repros locally on 10.14 beta 18A293u:
Process: Google Chrome Canary [73069]
Path: /Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary
Identifier: com.google.Chrome.canary
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Google Chrome Canary [73069]
User ID: 501
Date/Time: 2018-06-08 09:48:54.653 -0400
OS Version: Mac OS X 10.14 (18A293u)
Report Version: 12
Anonymous UUID: 0D1D2AA3-C889-FED4-E60A-C1216B8BDFAE
Sleep/Wake UUID: CC927DBB-B3DE-44D2-9127-FB27769EF3E0
Time Awake Since Boot: 63000 seconds
Time Since Wake: 690 seconds
System Integrity Protection: enabled
Crashed Thread: 0
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
kernel messages:
VM Regions Near 0 (cr2):
-->
__TEXT 0000000109ae1000-0000000109ae2000 [ 4K] r-x/rwx SM=COW
Thread 0 Crashed:
0 ??? 0x000000010e67b320 _dyld_start + 0
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffee611ebb8
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x000000010e67b320 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Binary Images:
0x109ae1000 - 0x109ae1ffb +??? (0) <F0CE1367-0F54-31B6-9F94-655E12F0D6E5> (null)
0x10e664000 - 0x10e6e239f +??? (620.3) <3E97BEC3-BC90-32AC-A762-3419CBE70241> (null)
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 50469
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=688K resident=0K(0%) swapped_out_or_unallocated=688K(100%)
Writable regions: Total=8400K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8400K(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
STACK GUARD 56.0M 2
Stack 8192K 2
__DATA 232K 4
__LINKEDIT 176K 3
__TEXT 512K 3
shared memory 8K 3
=========== ======= =======
TOTAL 64.9M 11
Model: MacPro6,1, BootROM MP61.0124.B00, 12 processors, 12-Core Intel Xeon E5, 2.7 GHz, 64 GB, SMC 2.20f18
Graphics: AMD FirePro D500, AMD FirePro D500, PCIe
Graphics: AMD FirePro D500, AMD FirePro D500, PCIe
Memory Module: DIMM1, 16 GB, DDR3 ECC, 1866 MHz, 0x80AD, 0x484D54343247523741465234432D52442020
Memory Module: DIMM2, 16 GB, DDR3 ECC, 1866 MHz, 0x80AD, 0x484D54343247523741465234432D52442020
Memory Module: DIMM3, 16 GB, DDR3 ECC, 1866 MHz, 0x80AD, 0x484D54343247523741465234432D52442020
Memory Module: DIMM4, 16 GB, DDR3 ECC, 1866 MHz, 0x80AD, 0x484D54343247523741465234432D52442020
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x135), Broadcom BCM43xx 1.0 (7.77.51.2.1a5)
Bluetooth: Version 6.0.8d20, 3 services, 18 devices, 1 incoming serial ports
Network Service: Ethernet 1, Ethernet, en0
PCI Card: AMD FirePro D500, Display Controller, Slot-1
PCI Card: AMD FirePro D500, Display Controller, Slot-2
Serial ATA Device: APPLE SSD SM1024F, 1 TB
USB Device: USB 2.0 Bus
USB Device: Hub
USB Device: BRCM20702 Hub
USB Device: Bluetooth USB Host Controller
USB Device: USB 3.0 Bus
USB Device: USB Optical Mouse
USB Device: Yubico Gnubby (gnubby1)
USB Device: USB Keyboard
Thunderbolt Bus: Mac Pro, Apple Inc., 19.2
Thunderbolt Bus: Mac Pro, Apple Inc., 19.2
Thunderbolt Bus: Mac Pro, Apple Inc., 19.2
,
Jun 8 2018
I'm also observing this issue.
,
Jun 8 2018
,
Jun 8 2018
Issue 850939 has been merged into this issue.
,
Jun 8 2018
Issue 850937 has been merged into this issue.
,
Jun 8 2018
Issue 850938 has been merged into this issue.
,
Jun 8 2018
Strongly suspecting the fix from issue 848052 here since it changed how codesigning works for Mac official builds within the past 24 hours.
,
Jun 8 2018
$ codesign -dv --verbose=4 /Applications/Google\ Chrome\ Canary.app Executable=/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary Identifier=com.google.Chrome.canary Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=344 flags=0x800(restrict) hashes=3+5 location=embedded VersionPlatform=1 VersionMin=657664 VersionSDK=658432 Hash type=sha256 size=32 CandidateCDHash sha1=95ee4c3abc865fee80d47aefe6a7f65b4265a82c CandidateCDHash sha256=c47feea954082c6526407819d8d966fa0cc9d0b6 Hash choices=sha1,sha256 Page size=4096 CDHash=c47feea954082c6526407819d8d966fa0cc9d0b6 Signature size=8950 Authority=Developer ID Application: Google, Inc. (EQHXZ8M8AV) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jun 8, 2018 at 6:01:59 AM Info.plist entries=36 TeamIdentifier=EQHXZ8M8AV Sealed Resources version=2 rules=7 files=183 Internal requirements count=1 size=240
,
Jun 8 2018
so thinking in advance: how are users going to update canary? manual download? cause it wont even start enough to check updates
,
Jun 8 2018
Another related bug 850461 related to Mac signing failure. martinkr@, pls provide fix and merge the fix to branch 3453 so we can trigger new Mac canary from same branch. Thank you.
,
Jun 8 2018
#11: updates are handled by a separate component (keystone) which doesn't require chrome to be running, specifically to avoid this kind of trap.
,
Jun 8 2018
Re comment 11: The autoupdater is a separate process, so it should update fine when a version with a fix is released.
,
Jun 8 2018
I suspect the root cause is that the provisioning profile added by internal commit 216f0fb72b8d4ffcd370c982af885de83029362f is not valid, and as of public b69d8c48da838196d9655402dd739e62227762a7 we went from having no provisioning profile to having an invalid one.
,
Jun 8 2018
error 11:07:39.246605 -0400 taskgated-helper 44444 Disallowing com.google.Chrome.canary because no eligible provisioning profiles found
error 11:07:39.247399 -0400 amfid 408 CPValidateProvisioningDictionariesExtViaBridge returned invalid result: {
success = 0;
}
default 11:07:39.247446 -0400 amfid 408 Failure validating against provisioning profiles: No eligible provisioning profiles found
default 11:07:39.247512 -0400 amfid 408 Requirements for restricted entitlements failed to validate, error -67671, requirements: '<private>', error: (null)
default 11:07:39.247542 -0400 amfid 408 Restricted entitlements not validated, bailing out. Error: (null)
default 11:07:39.247881 -0400 amfid 408 /Volumes/Google Chrome Canary/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary signature not valid: -67671
default 11:07:39.253756 -0400 taskgated 431 MacOS error: -67062
default 11:07:39.247928 -0400 kernel 0 AMFI: code signature validation failed.
default 11:07:39.247939 -0400 kernel 0 AMFI: bailing out because of restricted entitlements.
However spctl says it's accepted:
rsesek@hotwire:/Users/rsesek % spctl --assess /Volumes/Google\ Chrome\ Canary/Google\ Chrome\ Canary.app -vvv
/Volumes/Google Chrome Canary/Google Chrome Canary.app: accepted
source=Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
,
Jun 8 2018
Requirements for restricted entitlements failed to validate, error -67671, requirements: '<private>', error: (null) This makes me think something in entitlements.plist doesn't match what's in the provisioning profile, but I can't see what that would be?
,
Jun 8 2018
I see them matching as well :-\ # check entitlements of binary codesign -d --entitlements :- /Applications/Google\ Chrome\ Canary.app # check contents of provisioning profile security cms -D -i /Applications/Google\ Chrome\ Canary.app/Contents/embedded.mobileprovision
,
Jun 8 2018
From lgrey: `sudo log config --mode "private_data:on` gets us: Requirements for restricted entitlements failed to validate, error -67671, requirements: 'anchor apple or anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */', error: (null)
,
Jun 8 2018
Issue 850928 has been merged into this issue.
,
Jun 8 2018
not sure if i'm right. codesign -d --entitlements :- /Applications/Google\ Chrome\ Canary.app shows Executable=/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>EQHXZ8M8AV.com.google.Chrome.canary</string> <key>keychain-access-groups</key> <array> <string>EQHXZ8M8AV.com.google.Chrome.webauthn</string> </array> </dict> </plist> in keychain-access-groups should that be <string>EQHXZ8M8AV.com.google.Chrome.canary.webauthn</string> instead of <string>EQHXZ8M8AV.com.google.Chrome.webauthn</string> ?
,
Jun 8 2018
The embedded provisioning profile permits any keychain-access-group values rooted under EQHXZ8M8AV.*.
,
Jun 8 2018
Anecdotally, embedded.mobileprovision is used for Mac App Store apps. embedded.provisionprofile is used for Developer ID signed apps
,
Jun 8 2018
,
Jun 8 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/installer/mac/internal/+/ed03bae8320c665d1619c9b591c52b44ef030a18 commit ed03bae8320c665d1619c9b591c52b44ef030a18 Author: Martin Kreichgauer <martinkr@google.com> Date: Fri Jun 08 16:52:06 2018
,
Jun 8 2018
We changed the auto-update server configuration to stop serving build 3353 and continue serving 3351 to users. That said, users who have updated to 3353 already will continue to be broken until the new build ships.
,
Jun 8 2018
May I ask what the ETA is on that? > until the new build ships.
,
Jun 8 2018
Probably at least six hours
,
Jun 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e25c04d02eb0d12a48e506dc82df9c421f8203a7 commit e25c04d02eb0d12a48e506dc82df9c421f8203a7 Author: Martin Kreichgauer <martinkr@google.com> Date: Fri Jun 08 18:42:01 2018 Revert "chrome/installer/mac: set -x in sign_app and fix unquoted variable expansion" and "//chrome/installer/mac: add entitlements during code signing" This reverts commits a221822f30fb4ae70dcfac45b581bf95f312b8c0 and b69d8c48da838196d9655402dd739e62227762a7. Bug: 850890 , 848052 Change-Id: I1b34c71d6522a051abc44a00b43b2466edffe51b Reviewed-on: https://chromium-review.googlesource.com/1093119 Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Nico Weber <thakis@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Cr-Commit-Position: refs/heads/master@{#565701} [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/DEPS [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/build/util/branding.gni [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/chrome/BUILD.gn [delete] https://crrev.com/66f6e18b48f5d5ab46f7482b792a1c76e88fcac2/chrome/app/entitlements.plist [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/chrome/app/theme/chromium/BRANDING [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/chrome/installer/mac/BUILD.gn [modify] https://crrev.com/e25c04d02eb0d12a48e506dc82df9c421f8203a7/chrome/installer/mac/sign_app.sh.in
,
Jun 8 2018
Looks like the downgrade fixed the issue. Happy customer !
,
Jun 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7a8dcd962ec293904554083ba1cbde57ccd7f51c commit 7a8dcd962ec293904554083ba1cbde57ccd7f51c Author: Martin Kreichgauer <martinkr@google.com> Date: Fri Jun 08 19:52:17 2018 Revert "chrome/installer/mac: set -x in sign_app and fix unquoted variable expansion" and "//chrome/installer/mac: add entitlements during code signing" This reverts commits a221822f30fb4ae70dcfac45b581bf95f312b8c0 and b69d8c48da838196d9655402dd739e62227762a7. (cherry picked from commit e25c04d02eb0d12a48e506dc82df9c421f8203a7) Bug: 850890 , 848052 Change-Id: I1b34c71d6522a051abc44a00b43b2466edffe51b Reviewed-on: https://chromium-review.googlesource.com/1093119 Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Nico Weber <thakis@chromium.org> Commit-Queue: Martin Kreichgauer <martinkr@google.com> Cr-Original-Commit-Position: refs/heads/master@{#565701} Reviewed-on: https://chromium-review.googlesource.com/1093547 Cr-Commit-Position: refs/branch-heads/3453@{#4} Cr-Branched-From: 3ca9e6497399c4addabcc06ad20c61fe91a41760-refs/heads/master@{#565531} [modify] https://crrev.com/7a8dcd962ec293904554083ba1cbde57ccd7f51c/build/util/branding.gni [modify] https://crrev.com/7a8dcd962ec293904554083ba1cbde57ccd7f51c/chrome/BUILD.gn [delete] https://crrev.com/86c64a781ada13c42ee92dc159f43f387aaf07c8/chrome/app/entitlements.plist [modify] https://crrev.com/7a8dcd962ec293904554083ba1cbde57ccd7f51c/chrome/app/theme/chromium/BRANDING [modify] https://crrev.com/7a8dcd962ec293904554083ba1cbde57ccd7f51c/chrome/installer/mac/BUILD.gn [modify] https://crrev.com/7a8dcd962ec293904554083ba1cbde57ccd7f51c/chrome/installer/mac/sign_app.sh.in
,
Jun 8 2018
New canary (69.0.3453.3) with revert listed at #31 is in progress. Thank you abdulsyed@ for triggering it.
,
Jun 9 2018
I was able to repro the issue in a local build using a development profile. The issue disappears after changing the signing script to embed the development profile as "embedded.provisionprofile". So I'm basically certain at this point that the filename was indeed the root cause. I didn't catch this previously in local testing because macOS presumably used the development profile I had installed on the machiner as a fallback after finding no profile embedded.
,
Jun 9 2018
Signing successfully completed for Mac canary #69.0.3453.3.
,
Jun 9 2018
69.0.3453.3 is now serving to canary.
,
Jun 11 2018
,
Jun 11 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/installer/mac/internal/+/f1c23897f5236f7e38c3b6792224abe53e906126 commit f1c23897f5236f7e38c3b6792224abe53e906126 Author: Martin Kreichgauer <martinkr@google.com> Date: Mon Jun 11 18:16:43 2018
,
Jun 11 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/src-internal.git/+/ed4c93def9c01f7b12521d3a750390c891ad13a7 commit ed4c93def9c01f7b12521d3a750390c891ad13a7 Author: Martin Kreichgauer <martinkr@google.com> Date: Mon Jun 11 19:29:59 2018
,
Jun 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9ef86399de32a36115886cbd5a406a85f44cf658 commit 9ef86399de32a36115886cbd5a406a85f44cf658 Author: src-internal-chromium-autoroll <src-internal-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Mon Jun 11 23:57:24 2018 Roll src-internal 119a08e0d996..ed4c93def9c0 (1 commits) https://chrome-internal.googlesource.com/chrome/src-internal.git/+log/119a08e0d996..ed4c93def9c0 Created with: gclient setdep -r src-internal@ed4c93def9c0 The AutoRoll server is located here: https://src-internal-chromium-roll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. BUG= chromium:850890 ,chromium:848052 TBR=mmoss@chromium.org Change-Id: I7f1b91c34b04ba09afc85dfb6f3ee082b9c29e4b Reviewed-on: https://chromium-review.googlesource.com/1096215 Reviewed-by: src-internal-chromium-autoroll <src-internal-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Commit-Queue: src-internal-chromium-autoroll <src-internal-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#566209} [modify] https://crrev.com/9ef86399de32a36115886cbd5a406a85f44cf658/DEPS
,
Jun 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4d80b33e7c64069cb69041c4957ea77ecf6e14e8 commit 4d80b33e7c64069cb69041c4957ea77ecf6e14e8 Author: Martin Kreichgauer <martinkr@google.com> Date: Tue Jun 12 01:54:00 2018 Reland "chrome/installer/mac: set -x in sign_app and fix unquoted variable expansion" and "//chrome/installer/mac: add entitlements during code signing" with a fix. This reverts commit e25c04d02eb0d12a48e506dc82df9c421f8203a7 and relands commits a221822f30fb4ae70dcfac45b581bf95f312b8c0 and b69d8c48da838196d9655402dd739e62227762a7 Adds the following changes: (1) In chrome/installer/mac/sign_app.sh.in l62, embed the provisioning profile as "embedded.provisionprofile", rather than "embedded.mobileprovision" (suspected root cause for crbug.com/850890 ). (2) Update DEPS to roll the corresponding reland from chrome/installer/mac/internal. Bug: 850890 , 848052 Change-Id: I3f2134a5d587ec6c3c6e223ec7ef5283a9bece30 Reviewed-on: https://chromium-review.googlesource.com/1095597 Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Nico Weber <thakis@chromium.org> Cr-Commit-Position: refs/heads/master@{#566257} [modify] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/build/util/branding.gni [modify] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/chrome/BUILD.gn [add] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/chrome/app/entitlements.plist [modify] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/chrome/app/theme/chromium/BRANDING [modify] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/chrome/installer/mac/BUILD.gn [modify] https://crrev.com/4d80b33e7c64069cb69041c4957ea77ecf6e14e8/chrome/installer/mac/sign_app.sh.in |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by pnangunoori@chromium.org
, Jun 8 2018