[Interest] notarizing builds for Mac - enabling hardened runtime
hamish at risingsoftware.com
Sat Jun 22 01:14:50 CEST 2019
On 21/6/19 9:13 pm, Elvis Stansvik wrote:
> Den fre 21 juni 2019 09:13Kai Köhne <Kai.Koehne at qt.io
> <mailto:Kai.Koehne at qt.io>> skrev:
> For the time being, it seems you've to execute the codesign call
> This is what I've done at work to prepare our builds for this. We use
> CMake though and we're already running codesign manually.
Great, we are already running codesign ourselves (as we add some other
frameworks post-macdeployqt), so adding the extra parameter is no big deal.
> The notarization is annoying and takes around 5 minutes for Apple to
> run their virus scanners or whatever they're doing, so at the moment
> we're doing it only on Git-tagged CI builds (releases), not on every
> commit. What this gives us currently is that the macOS "do you want to
> run this" prompt will say "Was scanned by Apple on blah blah and found
> to look good" or something.
> Will be more annoying if/when macOS starts to demand notarized builds,
> because then we'd need to do notarization of every commit, or force
> testers that wants to test a random build to turn off that checking
> (which I assume is still going to be possible through System Preferences).
says that it will be required on 10.15. Hopefully this will be easy to
disable for our testers as we don't want to notarize the daily builds.
Otherwise are uploading half a Gb of packages and then waiting for them
to be checked each time.
Do you know if it's sufficient to notarize the final .dmg or .pkg, or do
you have to separately notarize and staple the .app before it is
packaged? I haven't been able to find a good answer yet. But the Apple
check is complaining about files inside my .app inside my .pkg, so I
guess it will be sufficient to do the final .pkg.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Interest