[Interest] notarizing builds for Mac - enabling hardened runtime

Elvis Stansvik elvstone at gmail.com
Sat Jun 22 16:44:49 CEST 2019


On Sat, 22 June 2019 at 01:14, Hamish Moffatt <hamish at risingsoftware.com> wrote:
>
> On 21/6/19 9:13 pm, Elvis Stansvik wrote:
>
> On Fri, 21 June 2019 at 09:13, Kai Köhne <Kai.Koehne at qt.io> wrote:
>>
>>
>> For the time being, it seems you have to execute the codesign call yourself.
>
>
> This is what I've done at work to prepare our builds for this. We use CMake though and we're already running codesign manually.
>
> Great, we are already running codesign ourselves (as we add some other frameworks post-macdeployqt), so adding the extra parameter is no big deal.
>
>
>
> The notarization is annoying and takes around 5 minutes for Apple to run their virus scanners or whatever they're doing, so at the moment we're doing it only on Git-tagged CI builds (releases), not on every commit. What this gives us currently is that the macOS "do you want to run this" prompt will say "Was scanned by Apple on blah blah and found to look good" or something.
>
> Will be more annoying if/when macOS starts to demand notarized builds, because then we'd need to do notarization of every commit, or force testers who want to test a random build to turn off that checking (which I assume is still going to be possible through System Preferences).
>
>
> https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution says that it will be required on 10.15. Hopefully this will be easy to disable for our testers as we don't want to notarize the daily builds. Otherwise we are uploading half a Gb of packages and then waiting for them to be checked each time.
>
> Do you know if it's sufficient to notarize the final .dmg or .pkg, or do you have to separately notarize and staple the .app before it is packaged? I haven't been able to find a good answer yet. But the Apple check is complaining about files inside my .app inside my .pkg, so I guess it will be sufficient to do the final .pkg.

We send just the .dmg for notarization and staple it to that. It's enough.

Elvis

>
>
> Hamish
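
Added example, not part of the original thread or anyone's actual build script: the flow discussed above (codesign with the hardened runtime, notarize only Git-tagged builds, submit just the final .dmg and staple the ticket to it). The paths, signing identity and keychain profile are constructed placeholders, and the use of `notarytool` is an assumption, since the thread does not name the submission tool.

```shell
#!/bin/sh
# Added example; paths, identity and profile below are constructed placeholders.
APP="${APP:-build/MyApp.app}"
DMG="${DMG:-build/MyApp.dmg}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"
PROFILE="${PROFILE:-notary-profile}"  # saved via: xcrun notarytool store-credentials

# With DRY_RUN=1, print each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sign nested frameworks/dylibs before the bundle (-depth gives inside-out
# order), each with the hardened runtime enabled via --options runtime.
sign_app() {
    find "$APP/Contents/Frameworks" "$APP/Contents/PlugIns" -depth \
        \( -name '*.framework' -o -name '*.dylib' \) 2>/dev/null |
    while IFS= read -r item; do
        run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$item"
    done
    run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$APP"
    run codesign --verify --deep --strict "$APP"
}

# Submit only the final .dmg and staple the ticket to that same file.
notarize_dmg() {
    run codesign --force --timestamp --sign "$IDENTITY" "$DMG"
    run xcrun notarytool submit "$DMG" --keychain-profile "$PROFILE" --wait
    run xcrun stapler staple "$DMG"
    run xcrun stapler validate "$DMG"
}

# True only when HEAD is exactly at a Git tag (a release build).
is_release_build() {
    git describe --exact-match --tags HEAD >/dev/null 2>&1
}

main() {
    sign_app
    run hdiutil create -volname MyApp -srcfolder "$APP" -ov -format UDZO "$DMG"
    if is_release_build; then
        notarize_dmg
    else
        echo "untagged build: skipping notarization"
    fi
}

if [ "${1:-}" = "release" ]; then main; fi
```

Running the script with the argument `release` and `DRY_RUN=1` prints the command sequence without touching the keychain or Apple's service.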


