Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix macOS notarization (signing), migrate to notarytool #12735

Merged
merged 5 commits into from Mar 29, 2024
Merged

Fix macOS notarization (signing), migrate to notarytool #12735

merged 5 commits into from Mar 29, 2024

Conversation

adamPetho
Copy link
Collaborator

Fixes: #12722

Looks like altool is obsolete and that caused the issue.

Very useful Apple documentation I used on how to migrate from altool to notarytool
https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool

According to the apple documentation:

Apple has deprecated altool for the purposes of notarization and announced that it will stop working for notarization on 2023-11-01.

New process:
notarytool submit --wait --apple-id \"{appleId}\" -p \"WasabiNotarize\" \"{filePath}\"

  • submit: upload the file for notarization
  • wait: wait for the notazition to finish. With this we don't need to check the status of the notarization periodically.
  • p(rofile): Password(credentials) are saved in the local keychain profile, profile name is "WasabiNotarize"
  • The rest is self-explanatory.

With these changes I was able to do successful notarizations 5 times in a row.

Please review it commit by commit, it's easier.

adamPetho
adamPetho commented Mar 27, 2024
View reviewed changes
WalletWasabi.Packager/MacSignTools.cs
Comment on lines -346 to -370
if (result.Contains("The software asset has already been uploaded. The upload ID is"))
{
// Example: The software asset has already been uploaded. The upload ID is 7689dc08-d6c8-4783-8d28-33e575f5c967
uploadId = result.Split('"').First(line => line.Contains("The software asset has already been uploaded.")).Split("The upload ID is")[^1].Trim();
}
else if (result.Contains("No errors uploading"))
{
// Example: <key>RequestUUID</key>\n\t\t<string>2a2a164f-2ae7-4293-8357-5d5a5cdd580a</string>

var lines = result.Split('\n');

for (int i = 0; i < lines.Length; i++)
{
string line = lines[i].Trim();
if (!line.TrimStart().StartsWith("<key>", StringComparison.InvariantCultureIgnoreCase))
{
continue;
}

if (line.Contains("<key>RequestUUID</key>", StringComparison.InvariantCulture))
{
uploadId = lines[i + 1].Trim().Replace("<string>", "").Replace("</string>", "");
}
}
}
Copy link
Collaborator Author

@adamPetho adamPetho Mar 27, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need the uploadId anymore, so these hacks are obsolete.

WalletWasabi.Packager/MacSignTools.cs
Comment on lines -378 to -405
Stopwatch sw = new();
sw.Start();
while (true) // Wait for the notarization.
{
Console.WriteLine($"Checking notarization status. Elapsed time: {sw.Elapsed}");
using var process = Process.Start(new ProcessStartInfo
{
FileName = "xcrun",
Arguments = $"altool --notarization-info \"{uploadId}\" -u \"{appleId}\" -p \"{password}\"",
RedirectStandardError = true,
RedirectStandardOutput = true,
});
var nonNullProcess = WaitProcessToFinish(process, "xcrum");
string result = $"{nonNullProcess.StandardError.ReadToEnd()} {nonNullProcess.StandardOutput.ReadToEnd()}";
if (result.Contains("Status Message: Package Approved"))
{
break;
}
if (result.Contains("Status: in progress"))
{
Thread.Sleep(4000);
continue;
}
if (result.Contains("Could not find the RequestUUID"))
{
Thread.Sleep(4000);
continue;
}
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to periodically send a request to Apple about the notarization's status.

Thanks to the --wait option.

WalletWasabi.Packager/MacSignTools.cs
@@ -327,85 +328,22 @@ private static Process WaitProcessToFinish(Process? process, string processName)
return process;
}

private static void Notarize(string appleId, string password, string filePath, string bundleIdentifier)
private static void Notarize(string appleId, string filePath)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the unused params

@adamPetho adamPetho requested a review from molnard March 27, 2024 12:42
Szpoti
Szpoti approved these changes Mar 27, 2024
View reviewed changes
Copy link
Collaborator

@Szpoti Szpoti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cACK

molnard
molnard approved these changes Mar 28, 2024
View reviewed changes
Copy link
Collaborator

@molnard molnard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot test this but LGTM. ACK merging.

@adamPetho adamPetho merged commit 94b738c into zkSNACKs:master Mar 29, 2024
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@molnard molnard molnard approved these changes

@Szpoti Szpoti Szpoti approved these changes

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Packager: MacOS signing fails
3 participants
@adamPetho @molnard @Szpoti