Add MacOS notarization support #3725
Conversation
mbacchi
requested review from
simonhong,
mkarolin,
bsclifton,
jhreis and
mihaiplesa
| ] | ||
| } | ||
|
|
||
| -_packaging_dir = "$root_out_dir/$chrome_product_full_name Packaging" |
There was a problem hiding this comment.
what is the purpose of this change?
There was a problem hiding this comment.
In order to change the path of the packaging directory to have underscores rather than spaces in the directory name.
There was a problem hiding this comment.
I understand what it's doing, but why do we need to do that?
| @property | ||
| def packaging_dir(self): | ||
| """Returns the path to the packaging and installer tools.""" | ||
| - return '{.product} Packaging'.format(self) |
There was a problem hiding this comment.
same as above, why are we changing this path?
| '--volname', config.app_product, | ||
| '--icon', os.path.join(packaging_dir, icon_file), | ||
| '--copy', '{}:/'.format(app_path), | ||
| - '--copy', |
There was a problem hiding this comment.
why do we need to remove this?
There was a problem hiding this comment.
The keystone_install.sh part of the command isn't copied or called, leaving it in caused a build break during my testing.
There was a problem hiding this comment.
where did it break? Can we remove it later or use a dummy script just to satisfy the copy? We need to find other ways to avoid patches like this
There was a problem hiding this comment.
OK so we can do a touch (to create blank files for keystone_install and chrome_dmg_background.png) and then remove it before packaging
| notarize.staple(package_path) | ||
| + else: | ||
| + # Copy the notarized app to the orig_paths.output dir where the user expects it. | ||
| + commands.copy_files(dest_dir, orig_paths.output) |
There was a problem hiding this comment.
we can copy files in a separate target after the signing
There was a problem hiding this comment.
In the brave/build/mac/BUILD.gn file, I output signed .dmg/.pkg files into the signed subdir, then I notarize them from that subdir, and add a directory that outputs the notarized .dmg/.pkg files. This also allows us to avoid a duplicate outputs error in GN because if notarization is not being done, we want the same file names to be created in the src/out/Release output directory whether only signing is requested or also if notarization is requested. To work around that I use the copy_dmg_pkg target to determine which files to copy to the output directory, depending on whether notarize is defined.
There was a problem hiding this comment.
Can't you just use a different directory to avoid the duplicate outputs? Or better yet, why don't we just plug our own notarize.py into the python path and use the existing calls with do_notarization enabled?
If we did need to keep the patch for some reason we never add comments in patches and there's no reason for the else because in this case we know that do_notarization is false. When we do have to patch files the patches should be as small as possible.
There was a problem hiding this comment.
and actually it's not clear to me how this solves the problem anyway because now this target needs to specify the outputs that the copy would have
There was a problem hiding this comment.
@bridiver can we keep this as-is for now? I believe because we use --disable-packaging (to set custom icons, path to install location (/Applications/ etc)). We could follow up on this later (I can create an issue and @mbacchi can make sure it's tracked in the regular Devops meeting). Since this works as-is, this would eat some time
There was a problem hiding this comment.
it actually doesn't work as-is. It breaks gn's ability to known when things need to be updated because this script no longer specifies the correct outputs
There was a problem hiding this comment.
the other target that has the same output won't necessarily run when it should now
| Returns: | ||
| Path to the packaging directory. | ||
| """ | ||
| - return os.path.join(self.input, '{} Packaging'.format(config.product)) |
There was a problem hiding this comment.
same as above, why are we adding underscores everywhere?
There was a problem hiding this comment.
I couldn't make GN call the build/mac/notarize_dmg_pkg.py script (as an action) with an argument that contained spaces (i.e. Brave Browser Nightly Packaging). It needs the packaging directory as the argument --pkgdir which failed with spaces.
There was a problem hiding this comment.
there shouldn't be any problem with spaces, you just need to quote it properly. Can you link me to the gn target where you are using it?
There was a problem hiding this comment.
It is used specifically as an argument to the notarize_dmg_pkg.py script here: https://github.com/brave/brave-core/pull/3725/files#diff-39842cb5e3be671a7dd386e445aca164R328
| @@ -0,0 +1,153 @@ | |||
| #!/usr/bin/env python | |||
There was a problem hiding this comment.
was this copied from chrome? It looks like it was and I'm curious why, but also we can't copy a chromium file and use our own copyright. That's a violation of their copyright
There was a problem hiding this comment.
No, it merges the brave/script/signing_helper.py create_config section with the notarization calls from chrome/installer/mac/signing/pipeline.py, but otherwise it is not copied from Chromium.
There was a problem hiding this comment.
if it includes any copied chromium code we should include their copyright notice as well
There was a problem hiding this comment.
@bridiver only a few lines are similar to the Chromium one, the rest is all ours- it's def not copied. Looks good to me 👍
We could reference the area which has similarities and say something like "Logic based on Chromium one at src/components/blah/installer/" to attribute it
There was a problem hiding this comment.
this file is also in the wrong place. Scripts should go in the scripts directory
| ] | ||
| } | ||
|
|
||
| copy("copy_notarize_script") { |
There was a problem hiding this comment.
why are we copying the script?
There was a problem hiding this comment.
In order to run it from the packaging directory where the chrome/installer/mac/signing Python modules have been copied. If we ran it out of the brave/build/mac directory those Python modules aren't accessible to be imported.
There was a problem hiding this comment.
copying the file doesn't change where it runs from and it shouldn't be in build/mac in the first place. The scripts go in brave/scripts and they work just fine there
There was a problem hiding this comment.
I guess chrome also does this for some reason so don't worry about it for now
| provisioning_profile = "//brave/build/mac/dummy.provisionprofile" | ||
| } | ||
|
|
||
| script = "$packaging_dir/notarize_dmg_pkg.py" |
There was a problem hiding this comment.
(per Zoom review) Can we do the rebase_path on this too?
There was a problem hiding this comment.
well crap. @bridiver given this, I'd like to propose we keep the underscores in right now- but create a follow up issue and prioritize it on the Devops board
There was a problem hiding this comment.
I tried a few invocations of this:
rebase_path("$packaging_dir/notarize_dmg_pkg.py") a well as rebase_path("notarize_dmg_pkg.py", "$packaging_dir") but in both cases I get the error:
python ../../brave/build/mac/notarize_dmg_pkg.py ...
Traceback (most recent call last):
File "../../brave/build/mac/notarize_dmg_pkg.py", line 27, in <module>
from signing import config, commands, model, notarize, pipeline, signing # noqa: E402
ImportError: No module named signing
This shows that its running the python script from the root_build_dir rather than the $packaging_dir. I think the first argument to the python interpreter in an action() target is the script but having spaces in the python script path may not be supported. I haven't seen any examples of this in the Brave or Chromium codebase after a little searching.
There was a problem hiding this comment.
I think this is a good v1 attempt; there are two things called out which we could do in follow ups:
- Reduce patch size in
patches/chrome-installer-mac-signing-pipeline.py.patch; we can do atouchand let the script copy an empty background/keystone script and then remove at a later point - Get rid of the underscores for the action (if possible). This might mean reworking things to try use more of what Chrome has in place already (which could be tough; since we do
--disable-packaging)
mihaiplesa
force-pushed
the
issue_5177
branch
from
f2b2a7c
to
b228ea5
Compare
* extend and use GetBraveSigningConfig from signing_helper.py * remove commented out section from create_config * remove check for do_notarization
mihaiplesa
force-pushed
the
issue_5177
branch
from
b3c46db
to
f7a6516
Compare
Fixes issue brave/brave-browser#5177
Related brave/brave-browser#5485
Submitter Checklist:
npm run lint)git rebase master(if needed).git rebase -ito squash commits (if needed).Test Plan:
Reviewer Checklist:
After-merge Checklist:
changes has landed on.