[Interest] notarizing builds for Mac - enabling hardened runtime

Elvis Stansvik elvstone at gmail.com
Wed Jul 10 21:44:44 CEST 2019

On Wed, 10 July 2019 at 21:20, Adam Light <aclight at gmail.com> wrote:
> On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvstone at gmail.com> wrote:
>> With "work around" do you mean from the user POV (e.g. somehow
>> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
>> developer POV (so, having to notarize)?
> Instead of repeating myself here, please see my comment at https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 which explains what I mean by "work around". I just added screen shots of the dialogs I mentioned in that comment so it's clear what the user sees.
>> I'd like to know if there is some reasonably simple way for users to
>> get around the requirement. We will not be able to notarize every
>> build we do, because of the time it takes. But at the same time we,
>> and our testers, must be able to test random builds from Git (we build
>> a .dmg for every commit) to try out in-progress features/bug fixes...
>> So I really hope there will be some way for the user to get around the
>> notarization requirement.
> Notarization doesn't take more than a few minutes (in my limited experience) but it's a hassle to script the process. Your build machines and possibly your testers will not need to have a notarized application because, as I understand it, notarization is not required if the application does not have a quarantine flag. If it's been downloaded via a standard web browser, it should have the flag. But if it was built on the machine, or if it was transferred from another machine using something like curl, rsync, etc. then it is unlikely to have the quarantine flag.

Yes, looking at our last tagged release build, the notarization step
took 3 minutes 58 seconds. That's a doubling of our normal build time
though, which is why we're hesitant to do it on every commit. That,
and also I guess Apple don't really want people doing this anyway.

Our testers normally pull the build artifacts using their web browser,
so the downloaded .dmg will be quarantined. We could tell them to curl
it of course, but we'd like to keep it as simple as possible for them
to test a feature/bugfix in progress, and asking them to use a
dedicated download tool goes against that.

Scripting the notarization wasn't the painful thing. I made a quick
Python script that does it, and it has worked fine since then. What
bothers me is if it will make it harder for our testers. I wish Apple
could state clearly whether the user will be allowed to override this
check (à la Ctrl-click -> Open instead of double-clicking, which you
can use to bypass certificate verification).


> Of course, it is possible that in the future the quarantine flag will not control whether the notarization check happens, so what I said in the paragraph above may change.
> Adam
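
The quarantine-flag behaviour discussed in this message can be checked on a downloaded build before it goes to testers. The following is an added example, not code from the thread or from Qt: it reads the `com.apple.quarantine` extended attribute with the macOS `xattr` tool and decodes it. The `flags;timestamp;agent;uuid` layout of the value is an assumption based on commonly observed values, and the sample value is constructed.

```python
"""Inspect the com.apple.quarantine extended attribute on a downloaded build."""
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Parse 'flags;timestamp;agent;uuid' (assumed layout: hex flags, hex epoch seconds)."""
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    fields += [""] * (4 - len(fields))  # agent and event id may be absent
    flags, stamp, agent, event_id = fields[:4]
    return {
        "flags": int(flags, 16),  # raw bit field, left uninterpreted here
        "downloaded": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc) if stamp else None,
        "agent": agent or None,
        "event_id": event_id or None,
    }


def read_quarantine(path):
    """Return the raw attribute value, or None if the file is not quarantined (macOS only)."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def describe(value):
    """Summarize what a tester should expect, per the behaviour described in the thread."""
    if value is None:
        return "not quarantined: notarization check not expected on open"
    info = parse_quarantine(value)
    when = info["downloaded"].isoformat() if info["downloaded"] else "unknown time"
    agent = info["agent"] or "unknown agent"
    return f"quarantined by {agent} at {when}: notarization check expected on open"


# Constructed sample value, shaped like what a browser download might carry.
SAMPLE = "0081;5d263e1c;Safari;11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, "->", describe(read_quarantine(target)))
    if len(sys.argv) == 1:
        print("sample ->", describe(SAMPLE))
```

Run it on a Mac with one or more .dmg paths as arguments; with no arguments it decodes the constructed sample.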