chore: macOS notarizing #1365
Relevant context for the macOS binary signing that we set up previously #66 (comment)
@autonome We have no bandwidth nor full time maintainer atm. Let's go with semi-automatic notarization during release dance. Created a script for post-build online notarization (without stapling) – should be enough for now: $ node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg (People download
README.md
@@ -119,6 +119,9 @@ Other languages are periodically pulled from [Transifex](https://www.transifex.c | |||
- Publish local changes and the tag to GitHub repo: `git push && git push origin vA.B.C` | |||
- Wait for the CI to upload the binaries to the draft release (a new one will be created if you haven't drafted one). | |||
- The `latest.yml, latest-mac.yml, latest-linux.yml` files on the release are used by the app to determine when an app update is available. Once a release is published, users should recieve the app update. See: https://www.electron.build/auto-update. | |||
- Notarize `.dmg` at Apple (context: [#1365](https://github.com/ipfs-shipyard/ipfs-desktop/issues/1211)) | |||
1. Download `.dmg` from `https://github.com/ipfs-shipyard/ipfs-desktop/releases/vA.B.C` | |||
2. Run `node pkgs/macos/notarize-cli.js ./IPFS-Desktop-A.B.C.dmg` |
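Review bot: In the added "Notarize `.dmg` at Apple" bullet the link label reads #1365 while its target is issues/1211, so label and target should be made to agree. Steps 1 and 2 also stop at running `notarize-cli.js`: say what the releaser needs in place before running it and what to do with the `.dmg` afterwards, so the step can be followed without reading the PR thread.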
What do you do w/ the notarized dmg? Commit back to repo?
Should adding and editing the .env file be here too?
what to do with notarized .dmg?
IIUC we would do nothing with notarized `.dmg`, just discard it for now. Goal is to inform Apple that this is a legit binary blob, so it can give thumbs up when someone's macOS asks about it in the future.
Why? We can't replace `.dmg` attached to GitHub Release with notarized version because checksum in `latest-mac.yml` would no longer match and that would break autoupdates.
But online notarization should still work: when macOS sees a new version of ipfs-desktop it will check for stapled notarization, won't find it, so it will fall back to asking Apple servers if running it is ok. Autoupdate requires internet connection anyway, so this non-stapled notarization should also work.
env
`notarize-cli` will inform user if env variables are missing, but I've added note about them in 99d0dfb
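The checksum constraint discussed in the reply above can be checked mechanically before and after any release step that touches the `.dmg`. The following is an added example, not code from this PR or the ipfs-desktop repo; it assumes the electron-builder manifest layout (a `files:` list with `url`, base64 `sha512` and `size`), and the function names and sample bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto')

// Assumption: the update manifest stores sha512 as base64 of the raw digest.
function sha512Base64 (buf) {
  return crypto.createHash('sha512').update(buf).digest('base64')
}

// Minimal reader for the `files:` list of latest-mac.yml; handles only the
// flat "- url: / sha512: / size:" layout, not arbitrary YAML.
function parseManifestFiles (yml) {
  const files = []
  for (const line of yml.split(/\r?\n/)) {
    const m = line.match(/^(\s*-\s+|\s+)(url|sha512|size):\s*(.+?)\s*$/)
    if (!m) continue // top-level keys and unrelated lines
    if (m[1].includes('-')) files.push({}) // a dash starts a new list entry
    if (files.length) files[files.length - 1][m[2]] = m[3]
  }
  return files
}

// Returns { ok: true } only if the bytes match the manifest entry for `name`.
function verifyArtifact (yml, name, buf) {
  const entry = parseManifestFiles(yml).find(f => f.url === name)
  if (!entry) return { ok: false, reason: 'not listed in manifest' }
  if (entry.size !== undefined && Number(entry.size) !== buf.length) {
    return { ok: false, reason: 'size mismatch' }
  }
  const expected = Buffer.from(entry.sha512 || '', 'base64')
  const actual = crypto.createHash('sha512').update(buf).digest()
  const same = expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual)
  return same ? { ok: true } : { ok: false, reason: 'sha512 mismatch' }
}

// Constructed sample: stand-in bytes for the released .dmg and a manifest
// built from them; a real run would read both files from disk.
const released = Buffer.from('constructed stand-in for IPFS-Desktop-A.B.C.dmg')
const manifest = [
  'version: A.B.C',
  'files:',
  '  - url: IPFS-Desktop-A.B.C.dmg',
  `    sha512: ${sha512Base64(released)}`,
  `    size: ${released.length}`,
  'path: IPFS-Desktop-A.B.C.dmg',
  `sha512: ${sha512Base64(released)}`
].join('\n')
// Same length, one bit changed: models a re-uploaded, modified image.
const modified = Buffer.from(released)
modified[0] ^= 1
console.log(verifyArtifact(manifest, 'IPFS-Desktop-A.B.C.dmg', released))
console.log(verifyArtifact(manifest, 'IPFS-Desktop-A.B.C.dmg', modified))
```
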
This adds scripts that run electron-notarize as additional manual or build steps on darwin runtime, loosely following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ Context: #1211 License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
electron-userland/electron-builder#3940 (comment) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
electron-notarize-dmg is electron-notarize but supports DMG without stapling (which is what we want for now) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
worth noting that we are depending on
@olizilla yes, I pinned it for that very reason. For what it's worth I checked code from NPM in (Manual cli notarization is a temporary solution until we get a full time maintainer who will have bandwidth for doing it on the CI safely)
The underside of this iceberg required us to also
with all that in place, running
returned without error. The overlord blessed us with an email.
very cool @lidel. did i mention that you are the best?
@olizilla no, you are! thank you for pushing this through the finish line ❤️
Motivation
This PR aims to fix macOS Catalina issues described in #1211
Details
This adds scripts that run electron-notarize as additional manual or build steps on darwin runtime, loosely following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
- `pkgs/macos/notarize-build.js` (not used for now)
  This runs as part of `darwin` build as it was suggested on https://www.electron.build/code-signing. Skipped if `process.env.APPLEID` or `process.env.APPLEIDPASS` are not set at the build time. As there was no safe way to do it on TravisCI, we don't use it at CI atm.
- `pkgs/macos/notarize-cli.js` (should do for now)
  A standalone CLI tool that performs notarization of existing macOS artifact. It enables us to notarize macOS artifact as a semi-automatic step during release dance:
  `node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg`