Git-lfs: Bundling Git LFS into macOS applications does not pass app notarization
Hi,
we bundle Git LFS into our macOS application, so that users can use it directly without having to install via homebrew or otherwise. However, this led to a problem with the app notarization service that Apple will enforce in an upcoming release of macOS.
The application bundle is rejected by the notarization service because Git LFS is linked against an old SDK. All binaries that are bundled in a macOS application must at least be linked against the 10.9 SDK.
Checking the Git LFS binary via otool -l git-lfs returns:
Load command 9
cmd LC_VERSION_MIN_MACOSX
cmdsize 16
version 10.7
sdk 10.7
So it appears to be linked against the 10.7 SDK.
I have no experience related to Go or its toolchain, so my attempts to solve the problem by building Git LFS myself with various environment variables or compiler/linker flags failed (CGO_CFLAGS, extldflags etc). Go itself appears to be linked against this old SDK.
I'd appreciate any insights or help to solve this problem and I suggest providing prebuilt binaries that are linked against a newer SDK.
heikowitte
>All comments
Hey, thanks for an interesting problem to solve. It does appear that Go explicitly specifies a version of 10.7 when linking internally.
If you want to build Git LFS yourself, you can run make CGO_CFLAGS="-mmacosx-version-min=10.10" CGO_LDFLAGS="-mmacosx-version-min=10.10" BUILTIN_LD_FLAGS="-linkmode external", which will use external linking and link against version 10.10, with the SDK set to whatever version you're running. On my laptop, which is currently on High Sierra, I got warnings when specifying 10.9, but not with 10.10.
I don't think we have any plans currently to set this ourselves, since we don't sign binaries on macOS, and passing those flags would probably prevent building for Mac on non-Mac platforms (which we don't currently do, but might in the future).
Feel free to reach out if you have any additional questions.
bk2204
on 31 Oct 2018
Related issues
Vdragon
路
3Comments
panpan0000
路
3Comments
jsilverman-blispay
路
4Comments
kaixin-bai
路
3Comments
matheussampaio
路
4Comments
Most helpful comment
Hey, thanks for an interesting problem to solve. It does appear that Go explicitly specifies a version of 10.7 when linking internally.
If you want to build Git LFS yourself, you can run
make CGO_CFLAGS="-mmacosx-version-min=10.10" CGO_LDFLAGS="-mmacosx-version-min=10.10" BUILTIN_LD_FLAGS="-linkmode external", which will use external linking and link against version 10.10, with the SDK set to whatever version you're running. On my laptop, which is currently on High Sierra, I got warnings when specifying 10.9, but not with 10.10.I don't think we have any plans currently to set this ourselves, since we don't sign binaries on macOS, and passing those flags would probably prevent building for Mac on non-Mac platforms (which we don't currently do, but might in the future).
Feel free to reach out if you have any additional questions.