[Interest] notarizing builds for Mac - enabling hardened runtime

Vadim Peretokin vperetokin at gmail.com
Thu Jul 11 06:49:26 CEST 2019


Thanks for this - mind pasting it as a gist for easy access?

On Wed, Jul 10, 2019 at 9:59 PM Elvis Stansvik <elvstone at gmail.com> wrote:

> Den ons 10 juli 2019 kl 21:44 skrev Elvis Stansvik <elvstone at gmail.com>:
> >
> > Den ons 10 juli 2019 kl 21:20 skrev Adam Light <aclight at gmail.com>:
> > >
> > >
> > >
> > > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvstone at gmail.com>
> wrote:
> > >>
> > >>
> > >> With "work around" do you mean from the user POV (e.g. somehow
> > >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> > >> developer POV (so, having to notarize)?
> > >>
> > >
> > > Instead of repeating myself here, please see my comment at
> https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
> which explains what I mean by "work around". I just added screenshots of
> the dialogs I mentioned in that comment so it's clear what the user sees.
> > >
> > >>
> > >> I'd like to know if there is some reasonably simple way for users to
> > >> get around the requirement. We will not be able to notarize every
> > >> build we do, because of the time it takes. But at the same time we,
> > >> and our testers, must be able to test random builds from Git (we build
> > >> a .dmg for every commit) to try out in-progress features/bug fixes...
> > >> So I really hope there will be some way for the user to get around the
> > >> notarization requirement.
> > >
> > >
> > > Notarization doesn't take more than a few minutes (in my limited
> experience) but it's a hassle to script the process. Your build machines
> and possibly your testers will not need to have a notarized application
> because, as I understand it, notarization is not required if the
> application does not have a quarantine flag. If it's been downloaded via a
> standard web browser, it should have the flag. But if it was built on the
> machine, or if it was transferred from another machine using something like
> curl, rsync, etc. then it is unlikely to have the quarantine flag.
> >
> > Yes, looking at our last tagged release build, the notarization step
> > took 3 minutes 58 seconds. That's a doubling of our normal build time
> > though, which is why we're hesitant to do it on every commit. That,
> > and also I guess Apple don't really want people doing this anyway.
> >
> > Our testers normally pull the build artifacts using their web browser,
> > so the downloaded .dmg will be quarantined. We could tell them to curl
> > it of course, but we'd like to keep it as simple as possible for them
> > to test a feature/bugfix in progress, and asking them to use a
> > dedicated download tool goes against that.
> >
> > Scripting the notarization wasn't the painful thing. I made a quick
> > Python script that does it, and it has worked fine since then. What
>
> This is the snippet, in case someone else finds it useful (note that
> the --primary-bundle-id flag to altool is hard-coded in the script, so
> you'll want to edit that):
>
> #!/usr/bin/env python3
> #
> # Notarize a file
> #
> # Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
> #
>
> from argparse import ArgumentParser
> from subprocess import check_output
> from plistlib import loads
> from time import sleep
>
>
> def main():
>     parser = ArgumentParser()
>     parser.add_argument('username', help='Apple ID user')
>     parser.add_argument('password', help='Apple ID password')
>     parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
>     args = parser.parse_args()
>
>     print('requesting notarization of {}...'.format(args.path))
>
>     request_uuid = loads(check_output([
>         'xcrun',
>         'altool',
>         '--notarize-app',
>         '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
>         '--username', args.username,
>         '--password', args.password,
>         '--file', args.path,
>         '--output-format', 'xml'
>     ]))['notarization-upload']['RequestUUID']
>
>     # Poll the notarization service (roughly 10 minutes at 3 s intervals)
>     # until the request is reported as either successful or invalid.
>     for i in range(200):
>         response = loads(check_output([
>             'xcrun',
>             'altool',
>             '--notarization-info', request_uuid,
>             '--username', args.username,
>             '--password', args.password,
>             '--output-format', 'xml'
>         ]))
>         if response['notarization-info']['Status'] == 'success':
>             print('notarization succeeded, see {}'.format(response['notarization-info']['LogFileURL']))
>             # Staple the ticket so Gatekeeper can verify offline
>             print('stapling notarization to {}'.format(args.path))
>             print(check_output(['xcrun', 'stapler', 'staple', args.path]).decode('utf-8'))
>             return
>         if response['notarization-info']['Status'] == 'invalid':
>             raise RuntimeError('notarization failed, response was\n{}'.format(response))
>         sleep(3)
>
>     raise RuntimeError('notarization timed out, last response was\n{}'.format(response))
>
>
> if __name__ == '__main__':
>     main()
>
> > bothers me is if it will make it harder for our testers. I wish Apple
> > could state clearly whether the user will be allowed to override this
> > check (à la Ctrl-click -> Open instead of double-clicking, which you
> > can use to bypass certificate verification).
> >
> > Elvis
> >
> > >
> > > Of course, it is possible that in the future the quarantine flag will
> not control whether the notarization check happens, so what I said in the
> paragraph above may change.
> > >
> > > Adam
> > >
> > > _______________________________________________
> > > Interest mailing list
> > > Interest at qt-project.org
> > > https://lists.qt-project.org/listinfo/interest
>
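Adam's point above is that Gatekeeper only runs the notarization check when the file carries the com.apple.quarantine extended attribute, which browsers set on download and tools like curl or rsync do not. The following is an added example, not code from the thread or from the Qt project, for a tester who wants to see whether a downloaded .dmg is actually quarantined and, for a notarized build, whether the stapled ticket validates. It assumes a macOS host with the xattr, stapler and spctl command-line tools, and that the attribute keeps the usual "flags;timestamp;agent;uuid" layout written by LaunchServices; the parser is pure Python and runs anywhere.

```python
#!/usr/bin/env python3
# Added example (not from the mailing-list thread): inspect the
# com.apple.quarantine attribute that gates Gatekeeper's notarization check,
# and validate a stapled notarization ticket.
#
# Assumptions: macOS with `xattr`, `xcrun stapler` and `spctl` available;
# attribute layout "hexflags;hextimestamp;agent;uuid" (fields after the
# timestamp may be absent when something other than a browser set it).
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = 'com.apple.quarantine'


def parse_quarantine(value):
    """Split a raw attribute value into flags, download time, agent and UUID."""
    fields = value.strip().split(';')
    if len(fields) < 2:
        raise ValueError('unrecognised quarantine attribute: %r' % value)
    flags = int(fields[0], 16)                       # hex bit field
    stamp = int(fields[1], 16)                       # hex UNIX time of download
    return {
        'flags': flags,
        'downloaded_at': datetime.fromtimestamp(stamp, tz=timezone.utc),
        'agent': fields[2] if len(fields) > 2 else '',
        'uuid': fields[3] if len(fields) > 3 else '',
    }


def read_quarantine(path):
    """Return the parsed attribute, or None when the file is not quarantined.

    `xattr -p` exits non-zero when the attribute is missing, which is the
    case for files built locally or copied with curl/rsync/scp.
    """
    proc = subprocess.run(['xattr', '-p', QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


def validate_notarization(path):
    """Check the stapled ticket and ask Gatekeeper's policy engine directly.

    Returns a dict of {tool: (exit_code, combined_output)}; exit code 0 from
    both means the ticket is present and the assessment passed.
    """
    checks = {
        # Verifies that a ticket is stapled to the file and that it is valid.
        'stapler': ['xcrun', 'stapler', 'validate', path],
        # Same policy evaluation Gatekeeper applies when opening a disk image.
        'spctl': ['spctl', '--assess', '--type', 'open',
                  '--context', 'context:primary-signature', '-v', path],
    }
    results = {}
    for name, cmd in checks.items():
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results[name] = (proc.returncode, proc.stdout + proc.stderr)
    return results


def report(path):
    """Human-readable summary for one artifact; returns True when all is well."""
    quarantine = read_quarantine(path)
    if quarantine is None:
        print('%s: no quarantine attribute (Gatekeeper will not check it)' % path)
    else:
        print('%s: quarantined, downloaded %s by %s (flags 0x%04x)' % (
            path, quarantine['downloaded_at'].isoformat(),
            quarantine['agent'] or '<unknown>', quarantine['flags']))
    ok = True
    for name, (code, output) in validate_notarization(path).items():
        print('  %-8s exit=%d %s' % (name, code, output.strip().replace('\n', ' | ')))
        ok = ok and code == 0
    return ok


if __name__ == '__main__':
    sys.exit(0 if all(report(p) for p in sys.argv[1:]) else 1)
```

Run it as `python3 check-notarization.py MyApp.dmg` after downloading the artifact the same way your testers do; a missing attribute explains why a build "just works" on the build machine while the browser-downloaded copy is refused, and a non-zero spctl exit on a quarantined, notarized build means the ticket or signature is what to look at, not the download path.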