Work on CI code signing macOS .app #344
Conversation
xylix
changed the title
I don't know how codesign works for macOS, but since the suggested option is "just do what Xcode does automatically" I doubt we can do anything else. The process for us and Electron apps should be pretty similar, so we could always look at how they do things.
If getting an Apple Developer Program ID will get rid of the stupid warnings and get us a chance at getting ActivityWatch up on the App Store, I think we should just get one.
I can assign whatever secret environment variables that are needed to Travis, you just let me know which ones are needed :) |
|
Keys have been set! You might want to rebase on master once I've merged #347 which fixes CI. |
|
Also, I found this by another open source project which uses PyInstaller and has jumped through the hoops of codesigning with PyInstaller: spesmilo/electrum#4994 |
|
Yeah I'll rebase after #347 . Thanks for the link, looking into it. |
|
I found this comment particularly interesting and relevant to our case: pyinstaller/pyinstaller#3991 (comment) I should add that PyInstaller development is super slow due to funding issues, and I don't expect the PR I linked to get merged anytime soon. |
|
Hm yes that comment does open up the problems and pyinstallers inner workings quite a bit more. The funding problems are quite sad :/ I'll do some testing with little snitch to confirm our signed .app has the same problems. Will also look into using xcode / some other apple tool for finding flaws with our signature method. The pyinstaller 4.0 dev version we are using did have some improvements, but probably nothing related to the appsigning since that PR hasn't gotten merged. |
|
If the PR not getting merged is an issue, we could always just fork PyInstaller and merge the needed changes ourselves. |
|
True. Now doing some research, I think what ccualianu is talking about in pyinstaller/pyinstaller#3991 (comment) : "When PyInstaller executes it writes to a tmp dir in $TMP/_MEIxxx. It extracts a bunch of the binaries packaged into your app there and then executes your app AGAIN from there." is only related to this setting https://pyinstaller.readthedocs.io/en/stable/usage.html#rarely-used-special-options or the other single-fileish option in pyinstaller, https://pyinstaller.readthedocs.io/en/stable/usage.html#using-upx . Since we aren't using either, I don't think our pyinstaller executables are creating temporary environments that would require additional code signing work. On my computer I could confirm that aw-qt is indeed starting from within the .app directory, and not from some temp dir.
So yeah, It seems like our signing should be fine for now altough the notarization is still a question mark. I'll rebase master now and work on getting CI signing working for this PR. |
xylix
force-pushed
the
dev/sign-macos-travis
branch
from
c9c9f8f
to
d0a7233
Compare
xylix
force-pushed
the
dev/sign-macos-travis
branch
5 times, most recently
from
dd419b5
to
4ade2c0
Compare
Fix travis warnings, cleanup is now disabled by default. Rename some keys which travis was aliasing anyway Fixes for macOS signing Add osx signing keys in before_install step try fixing macos-signing script and makefile command. Add warning for running it locally Move import-macos-cert script to scripts/ci Increase macOS signing tool verbosity
xylix
force-pushed
the
dev/sign-macos-travis
branch
from
4ade2c0
to
f6fa30c
Compare
xylix
force-pushed
the
dev/sign-macos-travis
branch
2 times, most recently
from
c4b328e
to
717144d
Compare
|
If we want to properly notarize the app I found these which may be useful:
|
| @@ -113,7 +114,7 @@ deploy: | |||
| - provider: releases | |||
| file_glob: true | |||
| file: dist/activitywatch-*.* | |||
| api_key: | |||
| token: | |||
There was a problem hiding this comment.
IIRC this was just because the .travis linter was complaining about the older api_key key. Completely fine to leave this out from this PR
ErikBjare
changed the title
|
I'm thinking through what would be needed to get this merged.
|
|
Merged in master, hoping for the best. |
|
Out of credits on Travis... Apparently, macOS builds use up 5x the amount of credits compared to Linux builds:
|
|
@xylix Do you still have the I need to set them for GitHub Actions so we can move away from Travis. You can email them to me, encrypted with my PGP key. |
|
@xylix I registered for an Apple Developer account myself (and paid the $99 yearly fee), so no need to find the keys anymore. Once the application has processed, and I can codesign with my own keys, I'll try and get this PR merged. |
|
Okay great! Sorry for the latency in responding. I had the key files, but looking up how to make them into environment variables again takes some time. The article linked here https://github.com/ActivityWatch/activitywatch/pull/344/files#diff-af847b68547d3e6ddc481fb5b2c492cb112ea7245a5538d363db63ba3b6936a9R2 seems helpful. |
|
Just realized this only codesigns the |
|
Merging this into the dev/macos-sign-and-notarize branch |
Changes were made mostly with these instructions . There's still a couple questionmarks, mostly about notarization and how the --deep flag is considered a bad practice and is there anything we could do with a pyinstaller .app about it to get rid of the need.
Also I am unsure how far using a self-signed unofficial cert will allow us to get, and at what point we will need the Apple Developer Program Id. At least before publishing in App store, for sure.
For these changes to properly work, we will need to add a certificate to the travis environment variables as a Base 64 string. The key for the cert (CERTIFICATE_OSX_P12) is defined in the new scripts/sign-macos.sh script, and the format has to be .p12. Also we will need to define a CERTIFICATE_PASSWORD env var to open the certificate securely.
I have a self-signed .p12 with a password set on my device, but I don't have travis access. @ErikBjare Any suggestions on how should I securely deliver the key or could you generate one on the mac you have access to and upload it to travis? (it's a relatively simple process, probably takes about 15-30 minutes.)