[Interest] notarizing builds for Mac - enabling hardened runtime
elvstone at gmail.com
Wed Jul 10 13:55:04 CEST 2019
Den ons 10 juli 2019 kl 13:20 skrev Andy <asmaloney at gmail.com>:
> It sounds like not signing at all is still an option?
Yes, I guess not signing our builds (except releases), and asking
testers to use Ctrl-click + "Open" instead of double-clicking, is what
we'll do as a workaround, if it turns out there's no way for a user to
launch a signed build without it being notarized.
It's just a bit of awkward, I sort of liked how we had set up our CI
so that every build is essentially built like it was a release (well,
with the exception of this notarization, which we only do on tagged
releases due to the time it takes).
> "Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina."
> Apple has made this way too complicated to be useful IMHO.
Yes, and it doesn't help that the notarization process is rather slow.
Oh well, one only has to accept it.
> Andy Maloney // https://asmaloney.com
> twitter ~ @asmaloney
> On Wed, Jul 10, 2019 at 5:28 AM Elvis Stansvik <elvstone at gmail.com> wrote:
>> Den tis 9 juli 2019 kl 19:57 skrev Adam Light <aclight at gmail.com>:
>> > On Fri, Jun 21, 2019 at 12:13 AM Kai Köhne <Kai.Koehne at qt.io> wrote:
>> >> I understand that the "hardened runtime" enabling happens at codesign time,
>> >> so this should arguably be a feature of macdeployqt. It's not there yet though,
>> >> at least according to https://bugreports.qt.io/browse/QTBUG-71291 . If you're
>> >> right that this will become mandatory for macOS 10.15, it arguably get a higher
>> >> priority; feel free to comment, including a link to the source of this statement.
>> >> For the time being, it seems you've to execute the codesign call yourself.
>> > Notarization is a requirement for macOS 10.15 (Catalina, currently in beta). See https://developer.apple.com/news/?id=06032019i for an official source of this requirement. In one of the WWDC 2019 talks about security and code signing/notarization, they mentioned that this was true for applications built (or maybe it's signed) after some date in early June. For example, Qt 4.9.2, released June 26, 2019, will not run on Catalina beta 3 without knowing how to work around the notarization requirement.
>> With "work around" do you mean from the user POV (e.g. somehow
>> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
>> developer POV (so, having to notarize)?
>> I'd like to know if there is some reasonably simple way for users to
>> get around the requirement. We will not be able to notarize every
>> build we do, because of the time it takes. But at the same time we,
>> and our testers, must be able to test random builds from Git (we build
>> a .dmg for every commit) to try out in-progress features/bug fixes...
>> So I really hope there will be some way for the user to get around the
>> notarization requirement.
>> > Note also that notarization is separate from hardened runtime. An application built with the 10.14 SDK or later must enable hardened runtime in order for it to be possible to notarize the application, but it is possible to notarize applications built with previous SDK versions for which hardened runtime did not exist.
>> > See my comment at https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 for some links that are particularly helpful in describing all of the complexities involved in notarization and hardened runtime.
>> > Adam
>> > _______________________________________________
>> > Interest mailing list
>> > Interest at qt-project.org
>> > https://lists.qt-project.org/listinfo/interest
>> Interest mailing list
>> Interest at qt-project.org
More information about the Interest