Apple notarization must be passed and app bundle must be signed #218

Open
angryziber opened this issue Dec 26, 2019 · 13 comments

@angryziber
Collaborator

angryziber commented Dec 26, 2019

Apple will restrict running non-AppStore software on Macs from February 2019 unless it has passed 'notarization'.

Ideally, travis-ci should be used for automatic sending of binaries to Apple on new releases, as it can only be done from OS X.

Apple has provided this info:

"You can notarize and sign from the terminal on a Mac (using codesign and xcrun altool) or by ssh’ing into a Mac."

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?preferredLanguage=occ
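The terminal workflow that the quoted Apple text refers to, as an added example (not part of the original issue or the project's build scripts). It uses `xcrun notarytool`, the current replacement for the `altool` submission named in the quote; the bundle path, signing identity and keychain profile name are placeholders.

```shell
#!/bin/sh
# Added example: sign -> notarize -> staple -> assess for a macOS .app bundle.
# All values below are placeholders (assumptions), not taken from the project.
APP="${APP:-build/Example.app}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"
PROFILE="${PROFILE:-notary-profile}"  # stored once via: xcrun notarytool store-credentials

# Print the command when DRY_RUN=1 (the default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Runs the steps in order and returns the number of the first step that fails.
release_steps() {
  zip="${APP%.app}.zip"
  # 1. Sign with the hardened runtime and a secure timestamp (both required for notarization).
  run codesign --force --options runtime --timestamp --sign "$IDENTITY" "$APP" || return 1
  # 2. Verify the signature locally before uploading anything.
  run codesign --verify --deep --strict --verbose=2 "$APP" || return 2
  # 3. Package the bundle; ditto preserves the bundle layout inside the zip.
  run ditto -c -k --keepParent "$APP" "$zip" || return 3
  # 4. Submit to the notary service and wait for the result.
  run xcrun notarytool submit "$zip" --keychain-profile "$PROFILE" --wait || return 4
  # 5. Attach the ticket to the bundle; this fails if Apple issued no ticket.
  run xcrun stapler staple "$APP" || return 5
  # 6. Ask Gatekeeper how it would assess the finished bundle.
  run spctl --assess --type execute -vv "$APP" || return 6
}

release_steps
```

Run it as is to review the plan, then with `DRY_RUN=0` on a Mac that has the Developer ID certificate in its keychain.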

@kstarsinic

I'd be interested in handling the Mac-specific issues. I'm looking at getting a clean build that passes all unit tests on Mac right now, and I'll submit a pull request when that's ready.

@angryziber
Collaborator Author

angryziber commented Feb 28, 2020 via email

@angryziber
Collaborator Author

Here is an example of how to do it using GitHub Actions:
https://github.com/mifi/lossless-cut/blob/master/.github/workflows/build.yml

@thepony

thepony commented Mar 12, 2020

If you are still looking for someone to assist with the Mac side, or a second Mac user to assist, let me know. I run both MacBooks and a Mac Pro at the house, have Mac users on my network, and do IT full time as a Net/SysAdmin.

@angryziber
Collaborator Author

@thepony yes, sure. Can you tell me what the current situation is without notarization on Catalina? Does it refuse to run Angry IP Scanner?

angryziber changed the title from "Apple notarization must be passed before February 2019" to "Apple notarization must be passed before February 2020" on Mar 12, 2020

@thepony

thepony commented Mar 12, 2020

Actually, running the program is simple, even without notarization, as it is with many apps. As I am sure you know, OS X is based on FreeBSD (albeit the Cadillac version). A user that has admin/sudo rights on the system can bypass it. After unzipping on Catalina (and versions before), hold Control while right-clicking or using two-finger click and select Open. You will get a different message from just right-click and open, where you are prompted that the item is not registered with Apple and asked if you are still willing to open the application. Select Open and it will remember your choice when you run it again. I did just test this on a MacBook Pro and had no issues.

@amcgregor

amcgregor commented Mar 16, 2020

Right-click, Open (without modifiers needed beyond ⌃+Click itself to open the right-click menu if no second mouse button is present) is an explicit, intentional action indicating to the OS that execution of the unsigned/un-notarized binary is desired. Upon clicking the "Open" action in the confirmation prompt, the OS will self-notarize the binary for subsequent use. Double-clicking an .app bundle, ⌘+down opening, or invocation via open in the terminal, these are easy ways for anyone to launch an app, not just the user. Finder right-click menu is… "more trustworthy".

This is a similar issue I've had with certain QuickLook plugins. Brew install them, the OS starts complaining about the module being downloaded from the internet and untrusted. Even though it's not directly an executable application, dig the .qlgenerator out of ~/Library/QuickLook, right-click, Open, confirm. Nothing will open, but now it's signed, and the Spotlight indexing service attempting to use it will stop complaining.

Edit: of course, actual signing will help avoid the "scary confirmation dialog". ("All software" is no longer an option under Security preferences, only App Store and Signed by Developer.)

angryziber changed the title from "Apple notarization must be passed before February 2020" to "Apple notarization must be passed and app bundle must be signed" on Mar 17, 2020

@angryziber
Collaborator Author

@thepony @amcgregor thanks for the info, so it's not that critical so far if the app can still be run.

I tried passing notarization from the CI build, but it failed for now. It seems the app should be signed first, but I am not sure yet if I can do that without paying Apple $100.

@BSVogler

Hey, maybe I can help. I am a registered Apple developer.

BTW the URL in the link to this issue is broken.

@616E64726173

You will have to pay the ghost of Steve Jobs $100 or he will not let you cross his bridge.

@kstarsinic

That's great! Which problems are you having with tests? GitHub Actions CI is verifying Mac builds as well as other platforms...

All GUI-based tests were failing. This was worked around via 0db30a9 (thanks, @angryziber!); it seems that there will be no actual fix on the Mac without a Gradle change that seems to be a low priority.

@John-Mc

John-Mc commented May 4, 2020

Actually, running the program is simple, even without notarization, as it is with many apps. As I am sure you know, OS X is based on FreeBSD (albeit the Cadillac version). A user that has admin/sudo rights on the system can bypass it. After unzipping on Catalina (and versions before), hold Control while right-clicking or using two-finger click and select Open. You will get a different message from just right-click and open, where you are prompted that the item is not registered with Apple and asked if you are still willing to open the application. Select Open and it will remember your choice when you run it again. I did just test this on a MacBook Pro and had no issues.

Thanks. That was helpful. Perhaps add this "ctrl+right click" / "ctrl+two-finger-click" to the FAQs page until the issue is resolved?

angryziber added a commit that referenced this issue Sep 9, 2020
@ideologysec

There is now a fully implemented codesign process for Linux using the apple-codesign crate; this might be something that could be done in TravisCI.

https://lib.rs/crates/apple-codesign
