Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: macOS notarizing #1365

Merged
merged 5 commits into from
Mar 10, 2020
Merged

chore: macOS notarizing #1365

merged 5 commits into from
Mar 10, 2020

Conversation

lidel
Copy link
Member

@lidel lidel commented Feb 27, 2020

Motivation

This PR aims to fix macOS Catalina issues described in #1211

Details

This adds scripts that run electron-notarize as additional manual or build steps on darwin runtime, loosely following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

pkgs/macos/notarize-build.js (not used for now)

This runs as part of darwin build as it was suggested on https://www.electron.build/code-signing.

Skipped if process.env.APPLEID or process.env.APPLEIDPASS are not set at the build time. As there was no safe way to do it on TravisCI, we don't use it at CI atm.

pkgs/macos/notarize-cli.js (should do for now)

A standalone CLI tool that performs notarization of existing macOS artifact.
It enables us to notarize macOS artifact as a semi-automatic step during release dance:

  1. Download .dmg from https://github.com/ipfs-shipyard/ipfs-desktop/releases/vA.B.C
  2. Run node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg

pkgs/macos/notarize.js Outdated Show resolved Hide resolved
@olizilla
Copy link
Member

Relevant context for the macOS binary signing that we set up previously #66 (comment)

@lidel lidel changed the title wip: macOS notarizing chore: macOS notarizing Mar 9, 2020
@lidel lidel requested a review from autonome March 9, 2020 19:01
@lidel lidel marked this pull request as ready for review March 9, 2020 19:02
@lidel
Copy link
Member Author

lidel commented Mar 9, 2020

@autonome
I've discussed this with @olizilla and threat model is tricky.
Doing CI-based notarization will require us to move away from TravisCI.

We have no bandwidth nor full time maintainer atm. Let's go with semi-automatic notarization during release dance.

Created a script for post-build online notarization (without stapling) – should be enough for now:

$ node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg

(People download .dmg, so are online anyway)

README.md Outdated
@@ -119,6 +119,9 @@ Other languages are periodically pulled from [Transifex](https://www.transifex.c
- Publish local changes and the tag to GitHub repo: `git push && git push origin vA.B.C`
- Wait for the CI to upload the binaries to the draft release (a new one will be created if you haven't drafted one).
- The `latest.yml, latest-mac.yml, latest-linux.yml` files on the release are used by the app to determine when an app update is available. Once a release is published, users should recieve the app update. See: https://www.electron.build/auto-update.
- Notarize `.dmg` at Apple (context: [#1365](https://github.com/ipfs-shipyard/ipfs-desktop/issues/1211))
1. Download `.dmg` from `https://github.com/ipfs-shipyard/ipfs-desktop/releases/vA.B.C`
2. Run `node pkgs/macos/notarize-cli.js ./IPFS-Desktop-A.B.C.dmg`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you do w/ the notarized dmg? Commit back to repo?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should adding and editing the .env file be here too?

Copy link
Member Author

@lidel lidel Mar 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what to do with notarized .dmg?

IIUC we would do nothing with notarized .dmg, just discard it for now. Goal is to inform Apple that this is a legit binary blob, so it can give thumbs up when someone's macOS asks about it in the future.

Why? We can't replace .dmg attached to GitHub Release with notarized version because checksum in latest-mac.yml would no longer match and that would break autoupdates.

But online notarization should still work: when macOS sees a new version of ipfs-desktop it will check for stapled notarization, won't find it, so it will fallback to asking Apple servers if running it is ok. Autoupdate requires internet connection anyway, so this non-stapled notarization should also work.

env

notarize-cli will inform user if env variables are missing, but I've added note about them in 99d0dfb

README.md Outdated Show resolved Hide resolved
This adds scripts that run electron-notarize
as additional manual or build steps on darvin runtime, loosly following
https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

Context:
#1211

License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>
electron-userland/electron-builder#3940 (comment)

License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>
License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>
electron-notarize-dmg is electron-notarize but supports DMG without
stapling (which is what we want for now)

License: MIT
Signed-off-by: Marcin Rataj <lidel@lidel.org>
@lidel lidel merged commit 81e74d5 into master Mar 10, 2020
@lidel lidel deleted the fix/macos-notarizing branch March 10, 2020 23:54
@olizilla
Copy link
Member

worth noting that we are depending on electron-notarize-dmg which is a user provided fork of electron-notify... it's pinned at 1.0.0, which is good as we don't trust any old updates of this fork... the github diff for the fork seem legit, but thats no guarantee of whats inside the published module electron/notarize@master...hugozap:master

@lidel
Copy link
Member Author

lidel commented Mar 12, 2020

@olizilla yes, I pinned it for that very reason. For what its worth I checked code from NPM in node_modules and the diff is matching github one.

(Manual cli notarization is a temporary solution until we get a full time maintainer who will have bandwidth for doing in on the CI safely)

@olizilla
Copy link
Member

olizilla commented Mar 12, 2020

The underside of this iceberg required us to also

  • upgrade locally installed xcode to the latest version (11.3)
  • generate a new new app-specific password in the apple developer portal
  • renew our apple developer license, for $99 per year.
  • sign agreements for unpaid and, suprisingly, paid apps even though we only want to notarize a free app that we do not distribute through the app store.

with all that in place, running

node pkgs/macos/notarize-cli.js ~/Downloads/IPFS-Desktop-0.10.4.dmg

returned without error. The overlord blessed us with an email.

Screenshot 2020-03-12 at 10 51 14

@olizilla
Copy link
Member

Can confirm... on macos 10.15.3, trying to run ipfs-desktop 0.10.3 results in

Screenshot 2020-03-12 at 14 18 07

while trying trying to run 0.10.4 now gives us a

Screenshot 2020-03-12 at 14 18 30

\o/

@olizilla
Copy link
Member

For what its worth I checked code from NPM in node_modules and the diff is matching github one.

very cool @lidel. did i mention that you are the best?

@lidel
Copy link
Member Author

lidel commented Mar 12, 2020

@olizilla no, you are! thank you for pushing this through the finish line ❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants