[Interest] notarizing builds for Mac - enabling hardened runtime

Elvis Stansvik elvstone at gmail.com
Wed Jul 10 21:58:38 CEST 2019


Den ons 10 juli 2019 kl 21:44 skrev Elvis Stansvik <elvstone at gmail.com>:
>
> Den ons 10 juli 2019 kl 21:20 skrev Adam Light <aclight at gmail.com>:
> >
> >
> >
> > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvstone at gmail.com> wrote:
> >>
> >>
> >> With "work around" do you mean from the user POV (e.g. somehow
> >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> >> developer POV (so, having to notarize)?
> >>
> >
> > Instead of repeating myself here, please see my comment at https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 which explains what I mean by "work around". I just added screen shots of the dialogs I mentioned in that comment so it's clear what the user sees.
> >
> >>
> >> I'd like to know if there is some reasonably simple way for users to
> >> get around the requirement. We will not be able to notarize every
> >> build we do, because of the time it takes. But at the same time we,
> >> and our testers, must be able to test random builds from Git (we build
> >> a .dmg for every commit) to try out in-progress features/bug fixes...
> >> So I really hope there will be some way for the user to get around the
> >> notarization requirement.
> >
> >
> > Notarization doesn't take more than a few minutes (in my limited experience) but it's a hassle to script the process. Your build machines and possibly your testers will not need to have a notarized application because, as I understand it, notarization is not required if the application does not have a quarantine flag. If it's been downloaded via a standard web browser, it should have the flag. But if it was built on the machine, or if it was transferred from another machine using something like curl, rsync, etc. then it is unlikely to have the quarantine flag.
>
> Yes, looking at our last tagged release build, the notarization step
> took 3 minutes 58 seconds. That's a doubling of our normal build time
> though, which is why we're hesitant to do it on every commit. That,
> and also I guess Apple don't really want people doing this anyway.
>
> Our testers normally pull the build artifacts using their web browser,
> so the downloaded .dmg will be quarantined. We could tell them to curl
> it of course, but we'd like to keep it as simple as possible for them
> to test a feature/bugfix in progress, and asking them to use a
> dedicated download tool goes against that.
>
> Scripting the notarization wasn't the painful thing. I made a quick
> Python script that does it, and it has worked fine since then. What

This is the snippet, in case someone else finds it useful (note that
the --primary-bundle-id flag to altool is hard-coded in the script, so
you'll want to edit that):

#!/usr/bin/env python3
#
# Notarize a file
#
# Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
#
# The --primary-bundle-id value below is hard-coded; edit it for your
# own application before use.

from argparse import ArgumentParser
from subprocess import check_output
from plistlib import loads
from time import sleep


def main():
    parser = ArgumentParser()
    parser.add_argument('username', help='Apple ID user')
    parser.add_argument('password', help='Apple ID password')
    parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
    args = parser.parse_args()

    print('requesting notarization of {}...'.format(args.path))

    # Upload the file and pull the request id out of altool's XML plist output.
    request_uuid = loads(check_output([
        'xcrun',
        'altool',
        '--notarize-app',
        '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
        '--username', args.username,
        '--password', args.password,
        '--file', args.path,
        '--output-format', 'xml'
    ]))['notarization-upload']['RequestUUID']

    # Poll for the verdict: up to 200 * 3 s = 10 minutes.
    for i in range(200):
        response = loads(check_output([
            'xcrun',
            'altool',
            '--notarization-info', request_uuid,
            '--username', args.username,
            '--password', args.password,
            '--output-format', 'xml'
        ]))
        status = response['notarization-info']['Status']
        if status == 'success':
            print('notarization succeeded, see {}'.format(
                response['notarization-info']['LogFileURL']))
            print('stapling notarization to {}'.format(args.path))
            print(check_output(['xcrun', 'stapler', 'staple',
                                args.path]).decode('utf-8'))
            return
        if status == 'invalid':
            raise RuntimeError(
                'notarization failed, response was\n{}'.format(response))
        # Anything else (normally 'in progress'): wait and ask again.
        sleep(3)

    raise RuntimeError(
        'notarization timed out, last response was\n{}'.format(response))


if __name__ == '__main__':
    main()

> bothers me is if it will make it harder for our testers. I wish Apple
> could state clearly whether the user will be allowed to override this
> check (à la Ctrl-click -> Open instead of doubleclicking, which you
> can use to bypass certificate verification).
>
> Elvis
>
> >
> > Of course, it is possible that in the future the quarantine flag will not control whether the notarization check happens, so what I said in the paragraph above may change.
> >
> > Adam
> >
> > _______________________________________________
> > Interest mailing list
> > Interest at qt-project.org
> > https://lists.qt-project.org/listinfo/interest
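The submit / poll / staple flow that Elvis's snippet scripts, restructured as an added example (this is not code from the post or from any Qt project). Two practical changes for a build machine: the Apple ID password is passed to altool via its @env:NAME or @keychain:NAME reference forms rather than as a plain argument, so it does not show up in the process list or in build logs that echo the command line; and the process runner is injectable, so the polling state machine ('in progress' / 'success' / 'invalid' / timeout) can be exercised offline against constructed altool output. Assumed: the altool response keys the original script relies on ('notarization-upload'/'RequestUUID', 'notarization-info'/'Status'/'LogFileURL'), 'xcrun stapler validate' as the post-staple check, and the bundle id, Apple ID and URLs in demo(), which are made up.

```python
#!/usr/bin/env python3
# Added example: submit / poll / staple with altool, with the password kept
# out of argv and the command runner injectable for offline exercise.
# Assumed response keys: 'notarization-upload'/'RequestUUID',
# 'notarization-info'/'Status'/'LogFileURL'.
import os
import plistlib
import subprocess
import time

POLL_INTERVAL = 3    # seconds between --notarization-info calls
MAX_POLLS = 200      # about 10 minutes at 3 s


def password_ref(env_var=None, keychain_item=None):
    """Build a --password argument that refers to the secret instead of
    containing it (altool resolves @env:NAME / @keychain:NAME itself)."""
    if keychain_item:
        return '@keychain:' + keychain_item
    if env_var:
        if env_var not in os.environ:
            raise KeyError('environment variable %s is not set' % env_var)
        return '@env:' + env_var
    raise ValueError('need an environment variable or keychain item name')


def altool(args, run=subprocess.check_output):
    """Run 'xcrun altool <args> --output-format xml' and parse the plist."""
    return plistlib.loads(run(['xcrun', 'altool', *args,
                               '--output-format', 'xml']))


def submit(path, bundle_id, username, password, run=subprocess.check_output):
    """Upload the file for notarization; return the RequestUUID."""
    resp = altool(['--notarize-app', '--primary-bundle-id', bundle_id,
                   '--username', username, '--password', password,
                   '--file', path], run)
    return resp['notarization-upload']['RequestUUID']


def poll(request_uuid, username, password, run=subprocess.check_output,
         sleep=time.sleep):
    """Poll until the request leaves 'in progress'; return the info dict."""
    info = {}
    for _ in range(MAX_POLLS):
        info = altool(['--notarization-info', request_uuid,
                       '--username', username, '--password', password],
                      run)['notarization-info']
        status = info.get('Status')
        if status == 'success':
            return info
        if status == 'invalid':
            raise RuntimeError('notarization rejected, see %s'
                               % info.get('LogFileURL', '(no log URL)'))
        sleep(POLL_INTERVAL)   # 'in progress' (or unknown): keep waiting
    raise TimeoutError('no verdict after %d polls, last status %r'
                       % (MAX_POLLS, info.get('Status')))


def staple(path, run=subprocess.check_output):
    """Attach the ticket, then verify it really is attached before publishing."""
    run(['xcrun', 'stapler', 'staple', path])
    run(['xcrun', 'stapler', 'validate', path])
    return True


def notarize(path, bundle_id, username, password,
             run=subprocess.check_output, sleep=time.sleep):
    uuid = submit(path, bundle_id, username, password, run)
    info = poll(uuid, username, password, run, sleep)
    staple(path, run)
    return info


def scripted_runner(responses):
    """Stand-in for subprocess.check_output used for offline demonstration:
    hands back the given dicts plist-encoded, one per altool call; stapler
    calls get empty output."""
    queue = list(responses)

    def run(cmd):
        if cmd[1] == 'stapler':
            return b''
        return plistlib.dumps(queue.pop(0))
    return run


def demo():
    """Constructed altool transcript: upload, one 'in progress', then success."""
    run = scripted_runner([
        {'notarization-upload': {'RequestUUID': '00000000-0000-0000-0000-000000000000'}},
        {'notarization-info': {'Status': 'in progress'}},
        {'notarization-info': {'Status': 'success',
                               'LogFileURL': 'https://example.invalid/log.json'}},
    ])
    os.environ.setdefault('AC_PASSWORD', 'not-a-real-secret')   # constructed
    return notarize('Example.dmg', 'com.example.app.dmg', 'dev@example.com',
                    password_ref(env_var='AC_PASSWORD'), run, sleep=lambda s: None)


if __name__ == '__main__':
    print(demo())
```

On a real build machine, drop the scripted runner and call notarize() with the defaults, with AC_PASSWORD set to an app-specific password in the CI job's secret store (or use password_ref(keychain_item=...) on a machine with a login keychain). The validate step matters for the testers' scenario in the thread: a .dmg that was notarized but not successfully stapled still depends on an online ticket lookup when Gatekeeper assesses it.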
