Apple notarization must be passed and app bundle must be signed

[angryziber]

Apple will restrict running non-AppStore software on Macs from February 2019 unless it has passed 'notarization'.

Ideally, travis-ci should be used for automatic sending of binaries to Apple on new releases, as it can only be done from OS X.

Apple has provided this info:

"You can notarize and sign from the terminal on a Mac (using codesign and xcrun altool) or by ssh’ing into a Mac."

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?preferredLanguage=occ

[kstarsinic]

I'd be interested in handling the Mac-specific issues. I'm looking at getting a clean build that passes all unit tests on Mac right now, and I'll submit a pull request when that's ready.

[angryziber]

That's great!

Which problems are having with tests? GitHub actions CI is verifying Mac builds as well as other platforms...

On Thu, 20 Feb 2020, 20:21 Kurt Starsinic, notifications@github.com wrote:

I'd be interested in handling the Mac-specific issues. I'm looking at getting a clean build that passes all unit tests on Mac right now, and I'll submit a pull request when that's ready.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/angryip/ipscan/issues/218?email_source=notifications&email_token=AAGXKYGHS4ZTIKZJZB6DLE3RD23XZA5CNFSM4J7JTYP2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEMPJ75Y#issuecomment-589209591, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGXKYF5IXZ7VZ762RYPGVDRD23XZANCNFSM4J7JTYPQ .

[angryziber]

Here is an example how to do it using github actions: https://github.com/mifi/lossless-cut/blob/master/.github/workflows/build.yml

[thepony]

If you are still looking for someone to assist with the Mac side, or a second Mac user to assist let me know. I run both MacBooks and a MacPro at the house and have Mac users on my network and do IT full time as a Net/SysAdmin.

[angryziber]

@thepony yes, sure. Can you tell what is the current situation without notarization on Catalina? Does it refuse to run Angry IP Scanner?

[thepony]

Actually running the program is easy simple, even without notarization, as is with many apps. As I am sure you know that OS X is based on FreeBSD (albeit the Cadillac version), A user that has admin/sudo rights on the system can bypass. After unzipping on Catilina (and versions before), Hold control while right-clicking or using two-finger click and select Open. You will get a different message from just right cloick and open, where you are prompted that the item is not registered with Apple, and asks if you are still willing to open the application. Select Open and it will remember your choice when you run it again. I did just test this on a MacBook Pro and had no issues.

[amcgregor]

Right-click, Open (without modifiers needed beyond ⌃+Click itself to open the right-click menu if no second mouse button is present) is an explicit, intentional action indicating to the OS that execution of the unsigned/un-notarized binary is desired. Upon clicking the "Open" action in the confirmation prompt, the OS will self-notarize the binary for subsequent use. Double-clicking an .app bundle, ⌘+down opening, or invocation via open in the terminal, these are easy ways for anyone to launch an app, not just the user. Finder right-click menu is… "more trustworthy".

This is a similar issue I've had with certain QuickLook plugins. Brew install them, the OS starts complaining about the module being downloaded from the internet and untrusted. Even though it's not directly an executable application, dig the .qlgenerator out of ~/Library/QuickLook, right-click, Open, confirm. Nothing will open, but now it's signed, and the Spotlight indexing service attempting to use it will stop complaining.

Edit: of course, actual signing will help avoid the "scary confirmation dialog". ("All software" is no longer an option under Security preferences, only App Store and Signed by Developer.)

[angryziber]

@thepony @amcgregor thanks for info, so it's not that critical so far if the app can still be run.

I tried passing notarization from the CI build, but it failed for now. It seems the app should be signed first, but I am not sure yet if I can do that without paying Apple $100

[BSVogler]

Hey, maybe I can help. I am a registered apple developer.

BTW the URL in the link to this issue is broken.

[616E64726173]

you will have to pay the ghost of steve jobs $100 or he will not let you cross his bridge.

[kstarsinic]

That's great! Which problems are having with tests? GitHub actions CI is verifying Mac builds as well as other platforms...

All GUI-based tests were failing. This was worked around via 0db30a9e (thanks, @angryziber!); it seems that there will be no actual fix on the Mac without a Gradle change that seems to be a low priority.

[John-Mc]

Actually running the program is easy simple, even without notarization, as is with many apps. As I am sure you know that OS X is based on FreeBSD (albeit the Cadillac version), A user that has admin/sudo rights on the system can bypass. After unzipping on Catilina (and versions before), Hold control while right-clicking or using two-finger click and select Open. You will get a different message from just right click and open, where you are prompted that the item is not registered with Apple, and asks if you are still willing to open the application. Select Open and it will remember your choice when you run it again. I did just test this on a MacBook Pro and had no issues.

Thanks. That was helpful. Perhaps add this "ctrl+right click" / "ctrl+two-finger-click" to the FAQs page until the issue is resolved?

[ideologysec]

There is now a fully-implemented codesign process for Linux using the apple-codesign crate; this might be something that could be done in TravisCI

https://lib.rs/crates/apple-codesign