beeware / briefcase

Tools to support converting a Python project into a standalone native application.
https://briefcase.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
2.47k stars 350 forks

Add signing and notarisation to PKG installers #1856

Closed freakboy3742 closed 3 weeks ago

freakboy3742 commented 3 weeks ago

Unsigned macOS Installers are a bit difficult to use, as the OS "unknown developer" handling prevents installation.

This PR adds signing and notarisation options to .pkg builds.

This signing requires a different signing identity - you need a "Development ID Installer" identity, rather than a "Development ID Application". To facilitate this, a --installer-identity option has been added (plus a --no-sign-installer option to avoid signing entirely).

Identity selection is a little complicated, because macOS doesn't appear to give a way to just list the installer certificates, so this implementation lists all non-app certificates from the same Team ID as the application certificate.

PR Checklist:
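
The selection rule from the PR description above, sketched as an added example that is not part of the PR or Briefcase's own code. It assumes "non-app" means identities present in a full listing but absent from the code signing listing; the listings are constructed in the shape printed by `security find-identity -v`, and all function names are hypothetical.

```python
import re

# Constructed listings in the shape printed by `security find-identity -v`.
# Fingerprints, names and team IDs are made up for this example.
_ROWS = [
    f'  1) {"1" * 40} "Developer ID Application: Example Corp (ABCDE12345)"',
    f'  2) {"2" * 40} "Developer ID Installer: Example Corp (ABCDE12345)"',
    f'  3) {"3" * 40} "Developer ID Installer: Other Org (ZYXWV98765)"',
    f'  4) {"4" * 40} "Developer ID Application: Other Org (ZYXWV98765)"',
]
SAMPLE_ALL = "\n".join(_ROWS + ["     4 valid identities found"])
SAMPLE_CODESIGNING = "\n".join([_ROWS[0], _ROWS[3], "     2 valid identities found"])

IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"\s*$')
TEAM_RE = re.compile(r"\(([A-Z0-9]{10})\)$")


def parse_identities(listing):
    """Return {SHA-1 fingerprint: identity name}; summary lines are skipped."""
    found = {}
    for line in listing.splitlines():
        match = IDENTITY_RE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def team_id(name):
    """Team ID is the 10-character suffix in parentheses, or None if absent."""
    match = TEAM_RE.search(name)
    return match.group(1) if match else None


def installer_candidates(all_listing, codesigning_listing, app_fingerprint):
    """Non-app identities that share the application identity's Team ID."""
    all_ids = parse_identities(all_listing)
    app_ids = parse_identities(codesigning_listing)
    if app_fingerprint not in app_ids:
        raise ValueError("application identity is not a code signing identity")
    app_team = team_id(app_ids[app_fingerprint])
    if app_team is None:
        return {}  # no team to match against, so offer nothing
    return {
        fp: name
        for fp, name in all_ids.items()
        if fp not in app_ids and team_id(name) == app_team
    }
```

Filtering on the Team ID keeps an installer certificate from another team in the same keychain from being offered for a package whose app was signed by a different team.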

mhsmith commented 3 weeks ago

I'll have to wait for my Apple developer account to reactivate before I can test this – I paid today, but it apparently takes 24-48 hours to take effect.

mhsmith commented 3 weeks ago

Signing works fine, but notarization has now been "in progress" for over an hour. This probably isn't Briefcase's fault, but I'll leave it overnight and see what happens.

[consoletest] Notarizing PKG with team ID T72CJ4HQ74...

Conducting pre-submission checks for Console test-0.0.1.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: 292fb6c1-2616-4b8c-b357-175f699a8ba0
Successfully uploaded file
  id: 292fb6c1-2616-4b8c-b357-175f699a8ba0
  path: /Users/msmith/git/beeware/apps/consoletest/dist/Console test-0.0.1.pkg
Waiting for processing to complete.

Current status: In Progress...
Current status: In Progress....
Current status: In Progress.....
Current status: In Progress......
Current status: In Progress.......
Current status: In Progress........
Current status: In Progress.........
Current status: In Progress..........
...

freakboy3742 commented 3 weeks ago

Yeah - notarisation is known to be a bit flaky. Not sure what we can do to make it less flaky though; we're entirely dependent on Apple's servers returning a response.

mhsmith commented 3 weeks ago

My first notarization attempt was still "in progress" after 10 hours. I interrupted it and tried again, and it succeeded after an additional 4 hours and 25 minutes.

I've only ever notarized something once before (this DMG). I don't remember how long it took, but it wasn't this long.

If this happens to other people then it might be worth printing a prominent warning. But it doesn't look as if many people are using the macOS packaging feature yet, so let's wait until we get some more feedback.