Safari extension distributed in a notarized app with Developer ID rejected by the browser

Hi folks,

We're building a Safari web extension and are having an issue seeing it among the extensions in Safari after installing the container app to /Applications and launching it.

The app and extension are notarized and signed with Developer ID.

After an extensive investigation, we found the following log records in the Console app (the extension ID is redacted):

Computing the code signing dictionary failed for extension with identifier com.youcompany.safariext

Blocking extension with identifier: com.youcompany.safariext


To debug the issue, we've created a HelloWorld-like extension generated by Xcode 12.2 beta 4 (https://sharedartifacts.s3.eu-central-1.amazonaws.com/safariext.app.zip contains a signed app bundle).

It also has the same code signing issue.

According to https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues, we've run a few checks to verify:

code signature

Code Block
➜ Desktop codesign -vvv --deep --strict ./safariext.app
...
--prepared:/Users/nikolay/Desktop/safariext.app/Contents/PlugIns/safariext Extension.appex
...
--validated:/Users/nikolay/Desktop/safariext.app/Contents/PlugIns/safariext Extension.appex
...
./safariext.app: valid on disk
./safariext.app: satisfies its Designated Requirement


signing certificate

Code Block
➜ Desktop spctl -vvv --assess --type exec ./safariext.app
./safariext.app: accepted
source=Notarized Developer ID
origin=Developer ID


secure timestamp

Code Block
...
Timestamp=25 Nov 2020 at 22:23:54
...


We seem to have all checks good; the extension can be installed only if Safari is allowed to run unsigned extensions.

Could anyone help debug/resolve this issue?

Thanks
Answered by Niq in 650402022
I am also interested in this.
Would like to distribute an extension to testers.
macOS has no TestFlight equivalent.
Niq's post was accidentally marked as a solution.

@Niq

I think you are experiencing a different issue than we are. You may want to produce development builds, which work perfectly for us.

Our case is distributing our extension, which is signed with Developer ID and notarized by Apple, but Safari still doesn't recognize it as properly signed even though it is.
I'm having this exact issue. I've signed and notarized my extension successfully, but then when I check my Safari extensions, I cannot see my extension until I select to allow unsigned extensions. I'm not sure what's going on; do you think it's the version of Mac/Safari/Xcode?
Same here... Works fine in development mode but after signing and notarizing it just won't show up in Safari no matter what I try.

I have the very same log messages in Console (kudos on finding them btw!).
Guys, any progress?

I have the same problem. Someone says that the Safari extension can only be distributed through the Mac App Store. Can anyone confirm this claim?
For anyone who is here: I'm sure it has to be an extension published by the Mac App Store to be considered a "signed" extension by the Safari browser.
I am having the exact same issue where my Safari extension will not show up if I have archived my app with the Safari extension and tried to distribute it using my Developer ID and have it notarized. Is it true as @HongyunZhang says that it will only work if distributed through the App Store?
Hi there, we are experiencing the exact same issue.

@nikolaykh, have you found a solution or workaround to this?

Thank you.


Hi all,

Same issue here.
I have signed the Safari extension with a dev certificate and notarized it properly.
The extension does not run until I allow "allow unsigned extensions".

This is crucial, and really blocking us.
Any workaround, guys?

We have the exact same issue with our Safari Web Extension (NSExtensionPointIdentifier = com.apple.Safari.web-extension), but not with our Safari App Extension (NSExtensionPointIdentifier = com.apple.Safari.extension). They are both signed and notarized properly and part of the same install package, yet Safari won't load the Web Extension unless we Allow Unsigned Extensions. As an experiment I've simply changed the Web Extension's Info.plist NSExtensionPointIdentifier value to com.apple.Safari.extension after which Safari loads the extension fine.

As others have reported, I find the following errors in the log:

Code Block
... Computing the code signing dictionary failed for extension with identifier ...
... Blocking extension with identifier: ...


Has anyone discovered a workaround for this?

Thanks
I filed a ticket with DTS, and they basically told me that "The behavior and resulting limitations you describe are by design. Safari Web Extensions must be distributed via the AppStore."

I remarked that this behavior is different for Safari App Extensions (old style) that do load and work when the container-app is notarized. I was told this about Safari WebExtensions: "It is not a bug as they were never intended to work outside of the AppStore"

All I could do was to file an Enhancement request.

Personally I still see this inconsistency as a bug.

Distribution to end-users for Safari Web Extensions is limited to the Mac App Store. You can test Safari Web Extensions distributed with a notarized app by using the Allow Unsigned Extensions option from the Develop Menu.
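
An added example (not from any poster or from Apple) that reads each embedded .appex's Info.plist and reports its NSExtensionPointIdentifier, the value this thread ties to whether Safari loads a notarized Developer ID build. The sample bundle, the `legacy Extension.appex` and `broken.appex` names, and the verdict labels are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

WEB_EXT = "com.apple.Safari.web-extension"  # Safari Web Extension
APP_EXT = "com.apple.Safari.extension"      # Safari App Extension (old style)

def extension_points(app_path):
    """Map each .appex in Contents/PlugIns to its NSExtensionPointIdentifier."""
    found = {}
    for appex in sorted(Path(app_path, "Contents", "PlugIns").glob("*.appex")):
        info = appex / "Contents" / "Info.plist"
        try:
            with info.open("rb") as fh:
                ext = plistlib.load(fh).get("NSExtension")  # XML or binary plist
        except (OSError, plistlib.InvalidFileException):
            ext = None  # missing or unreadable Info.plist
        found[appex.name] = ext.get("NSExtensionPointIdentifier") if isinstance(ext, dict) else None
    return found

def triage(app_path):
    """Classify each appex by the behaviour posters in this thread reported."""
    labels = {
        WEB_EXT: "blocked-unless-app-store-or-allow-unsigned",  # hypothetical label
        APP_EXT: "reported-to-load-when-notarized",             # hypothetical label
    }
    return {name: labels.get(point, "not-a-safari-extension")
            for name, point in extension_points(app_path).items()}

def build_sample_bundle(root):
    """Constructed sample: a fake .app holding one web and one app extension."""
    app = Path(root, "safariext.app")
    samples = {"safariext Extension.appex": WEB_EXT,
               "legacy Extension.appex": APP_EXT}  # second name is made up
    for name, point in samples.items():
        contents = app / "Contents" / "PlugIns" / name / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"NSExtension": {"NSExtensionPointIdentifier": point}}, fh)
    (app / "Contents" / "PlugIns" / "broken.appex").mkdir()  # no Info.plist
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, verdict in triage(build_sample_bundle(tmp)).items():
            print(f"{name}: {verdict}")
```

Running `triage` against a real bundle before choosing a distribution channel shows which embedded extensions fall under the App Store-only behaviour described above, independently of what `codesign` and `spctl` report.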


Hey, any news regarding this one? I would like to distribute my web extension directly to employees in my organization using MDM without having each user manually enable 'allow unsigned extension' for it to work. Any way to make it work?

+1, though TestFlight supports macOS now, it would be better if we could just sign and install a Safari webext locally. A Safari WebExt is not a typical macOS app; it is closely coupled with the browser. It seems none of the popular test automation frameworks has the privilege to configure the Mac privacy settings and "allow unsigned extension" in Safari developer settings.

Compared with Chromium and Firefox, where test automation is straightforward, this limitation brings a lot of difficulty to e2e testing.
