Add notarization support #42
Conversation
|
This is really interesting. Since, if I merge this, people will expect me to support it and fix it when it breaks, I'll need to take a long hard look at it and make sure I really understand it. I have not yet had any need to investigate notarization (and frankly, so far have and almost no internal need for signing) so this is not something I've paid a lot of attention to. |
|
Given that every package built after June 1st requires signing/notarization, I think it would be worth the effort to merge this. |
|
"Given that every package built after June 1st requires signing/notarization" I have not found that to be the case... |
|
Notarization is required for Apps, installers, and KEXTs, documented here for Catalina:
https://developer.apple.com/news/?id=06032019i <https://developer.apple.com/news/?id=06032019i>
Notarization Requirement for Mac Software
June 3, 2019
Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.
Notarization for 10.14.5 is for new DevIDs and any updated KEXT:
https://developer.apple.com/news/?id=04102019a <https://developer.apple.com/news/?id=04102019a>
New Notarization Requirements
April 10, 2019
We're working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.
… On Jun 6, 2019, at 1:57 PM, Erik Gomez ***@***.***> wrote:
Given that every package built after June 1st requires signing, I think it would be worth the effort to merge this.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#42?email_source=notifications&email_token=AAKZYYD35N7KVO34MEIC5RDPZFM2LA5CNFSM4HVBRHIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXD2N2Y#issuecomment-499623659>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAKZYYDZOFFM3TH242VPCZDPZFM2LANCNFSM4HVBRHIA>.
|
|
And yet Munki's Managed Software Center, which is neither signed nor notarized, runs just fine in Catalina. |
I think what that means is unsigned/non-notarized is still OK, but if you're distributing signed pkgs they also need to be notarized to work with Catalina. Will probably affect a small but not insignificant portion of MunkiPkg users. |
|
"I think what that means" is most of the problem here. |
|
I created a signed (but not notarized) pkg containing a signed (but not notarized) MSC.app and installed on a machine running the Catalina beta. I was not prompted or blocked or warned or challenged in any way when installing the pkg, either via |
|
We should ask somebody at Apple what the word "must" means in the above context. Maybe enforcement hasn't been turned on yet (similar to the path UAMDM and kext whitelisting followed in early versions of High Sierra). |
|
I believe starting in beta 2 we may see the enforcement.
Thanks,
Erik Gomez
________________________________
From: Greg Neagle <notifications@github.com>
Sent: Thursday, June 6, 2019 4:57:17 PM
To: munki/munki-pkg
Cc: Erik Gomez; Comment
Subject: Re: [munki/munki-pkg] Add notarization support (#42)
@gregneagle commented on this pull request.
________________________________
In README.md<#42 (comment)>:
+
+The only required keys/values in the notarization dictionary are `username` and `password`:
+
+- `username` is the login email adress of your developer Apple ID.
+- `password` is the 2FA app specific password. For information about the password and saving
+it to the login keychain see the web page [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow).
+
+
+Notarization process is described on Apple web page [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow).
+
+`munki-pkg` basically runs two commands:
+
+```shell
+xcrun altool --notarize-app --primary-bundle-id "com.github.munki.pkg.munki-kickstart" --username "john.appleseed@apple.com" --password "@keychain:AC_PASSWORD" --file munki_kickstart.pkg
+xcrun stapler staple munki_kickstart.pkg
+```
Error message is incorrect, the flag needed is --asc-provider. The value you need to provide is not immediately obvious and I'll post about that in a bit.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#42?email_source=notifications&email_token=ABLL6GESO6BRNIBBXB3QYQ3PZGB33A5CNFSM4HVBRHIKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOB23GX7Y#discussion_r291387835>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ABLL6GA7JN7NM2NMNNKR7QLPZGB33ANCNFSM4HVBRHIA>.
|
munkipkg
Outdated
| # notarize the pkg | ||
| if "notarization" in build_info and not options.skip_notarization: | ||
| try: | ||
| notarize(build_info, options) |
There was a problem hiding this comment.
In my (brief) testing I'm seeing it take far longer than 120 seconds for stapling to become available, and of course if there are errors in the notarization process it will never become available. Perhaps we should be running xcrun altool --notarization-info {output["notarization-upload"]["RequestUUID"]} periodically waiting for a status .
On status: success proceed to staple, on status: in progress, sleep and try again, on status: invalid (or other error status, print the error (better still, retrieve the log from the LogFileURL) and exit...
I'm not suggesting we get all this in before I'll merge this -- but I think it's needed for a good implementation.
There was a problem hiding this comment.
I can improve this before the merge. I admit current approach is a bit naive. Even mentioned this problem is PR comment.
There was a problem hiding this comment.
Check using altool --notarization-info now implemented in 9a6e0d0. Default timeout increased to 300 seconds.
Not sure about the retrieving the log from LogFileURL though. Currently we display the Status, Status Code, Status Message and LogFileURL after a failed notarization attempt. Log can be a very long json. We could download it and put someplace in the munki-pkg project directory (Perhaps create log directory?).
MichalMMac
force-pushed
the
notarization
branch
2 times, most recently
from
cbf1c3f
to
ee6520c
Compare
|
Added new key |
|
Added big commit 9a6e0d0. After successful upload of the signed package to the Apple notary service Other changes:
There are a lot of fixup commits. When all threads with references to them are resolved I'll squash them using rebase. |
README.md
Outdated
| | username | String | Yes | Login email adress of your developer Apple ID | | ||
| | password | String | Yes | 2FA app specific password. For information about the password and saving it to the login keychain see the web page [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow) | | ||
| | asc_provider | String | No | Only needed when a user account is associated with multiple providers | | ||
| | primary_bundle_id | String | No | Defaults to `identifier`. `primary_bundle_id` is usefull when `identifier` contains characters such as '_' Apple notary service does not like | |
There was a problem hiding this comment.
I think providing this option is fine, but since we know that Apple's notary service does not like underscores in the primary bundle id, if this option is not provided and you/we "auto-generate" the primary bundle id from the pkg id, why don't we automatically substitute hyphens for underscores?
Also: s/usefull/useful/
There was a problem hiding this comment.
Is basic string.replace() like this 81fec0e ok?
There was a problem hiding this comment.
See my comment on that commit.
|
|
||
| if notarization_done(state, sleep_time, options): | ||
| break | ||
|
|
There was a problem hiding this comment.
Looks like it will exit "normally" after the staple_timeout -- in other words, when wait_for_notarization returns notarization might have been successful, or we might have just timed out. So in lines 880 and 881 we might proceed to staple even if the notarization is not complete.
I think it would be better to recognize the timeout and 1) Not try to staple, and 2) Print out information that would allow the admin to manually staple later if/when they get notification of a successful notarization.
There was a problem hiding this comment.
I agree. Definitely bug I created.
See the fixup 5af2ae3.
btw I do nothing with exit codes. munkipkg exits with 0 when notaratization fails or times out. I was thinking primary job of munkipkg is to build packages. If package is built correctly process should exit with code 0 even when notarization failed. Do you agree?
There was a problem hiding this comment.
Not sure I do. Primary job might be to build pkgs, but if you give it extra jobs it should tell if if/when it fails.
There was a problem hiding this comment.
See 1b13928.
In case of problem or failed notarization we return with -1 from build() and it gets passed to sys.exit().
When we give up on waiting for notarization we still exit with 0.
|
Error handling might still need some improvement, at least when the account is not enabled for notarization the following exception is raised: In this case
|
|
@sts I suspect you run Described problem is not caused by (lack of) error handling. Problem is only with Python 3 compatibility I did not test. I've added new commit 72d30e2 to deal with this. Please test and report issues if you find any |
- Check result of the notary process with `altool --notarization-info` - Increase STAPLE_TIMEOUT to 300 seconds - Start using incremental time delay between notary process check - Update README.md to reflect the changes - Change wording of some docstrings
|
Rebased against latest code. Updated version changing commit. |
|
You've done a lot of work on this and you've kept it rebased so it can be merged and it's clear that at least some people want this functionality. I'm going to merge it. My one hesitation is that because I personally won't be using the functionality and I didn't write the functionality, if there are issues reported against the notarization functionality, I cannot promise to fix those issues in a timely manner, and I hope you will be able to "stick around" and maintain it. |
|
Sure. I use notarization quite often so I guess I will keep using this as long as I do Mac Admin stuff :-) |
|
Nice to see this merged into main. |
|
…and now altool is deprecated in macOS Monterey… |
|
I must admit I chuckled when I saw that earlier. I immediately thought about this PR. |
|
Ah nuts, I was excited to use this. I hope there's an alternative way to do this on Monterey. |
|
I wake up in the morning and go check the Twitter. I Learn @gregneagle Don't worry. I'll look into it I haven't downloaded the beta yet. Can anyone confirm I'll take a look at |
|
I've created a new issue #53 where I shall discuss the |
This PR adds the ability to notarize signed installer packages. Implementation is inspired by Apple document Customizing the Notarization Workflow.
Code style is currently the same as in #39 after applying formatters. If you don't like the #39 changes I can format the code in this PR to match the original code style.
Possible improvements:
xcrun altoolandxcrun stapler. Current approach just runs the stapler on the package again and again (for limited amount of tries) until it succedes.