Release builds should be notarized for macOS Catalina

[shs96c]

Description of the problem / feature request:

In macOS Catalina, Apple introduced a requirement that applications that are downloaded and run on the machine are notarized. Without this, applications refuse to run unless a user follows a non-obvious sequence of steps involving the "Security" preference pane.

Bazel releases should be notarized in order to ensure that it works as expected on macOS.

What operating system are you running Bazel on?

macOS Catalina and above

Have you found anything relevant by searching the web?

Mozilla also ran into (and resolved!) this problem with both Firefox and geckodriver:

• https://firefox-source-docs.mozilla.org/testing/geckodriver/Notarization.html
• https://bugzilla.mozilla.org/show_bug.cgi?id=1588081

Steps for notarizing applications on the command line can be found here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

There may already be machinery within Google that can be harnessed for notarizing releases, which may simplify this issue considerably.

[davido]

Duplicate: #9304.

[aiuto]

The title here says it better than #9304 I gave this to both the Apple and EngProd teams since it may require collaboration to get the nuances.

[tetromino]

Yep, on 10.15.2 this affects the latest MacOS Bazel installer if it's downloaded using the browser (as opposed to curl or wget). We should fix this, and until we fix this, we should document a workaround.

[tetromino]

(Never mind - this affects both bazel-2.1.0-installer-darwin-x86_64.sh and bazel-2.1.0-darwin-x86_64)

[meteorcloudy]

I'm moving our release pipeline to Kokoro so that we can do the signing and notarization for macOS.

[fweikert]

@meteorcloudy what's the current state of the Kokoro builds?

[meteorcloudy]

They are set up, but we haven't switched to them because we still haven't figured out the notarization process..

[jin]

Is this still a P1 bug?

[meteorcloudy]

It doesn't look like so. Deprioritizing this to P2.

[github-actions[bot]]

Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 2+ years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team (@bazelbuild/triage) if you think this issue is still relevant or you are interested in getting the issue resolved.