indygreg / PyOxidizer

A modern Python application packaging and distribution tool
Mozilla Public License 2.0

apple-codesign: add support for component notarization #576

Closed magarcia closed 2 years ago

magarcia commented 2 years ago

I'm not completely sure this is covering all the use cases, but it works for us where we have an Installer.pkg that contains:

Installer.pkg
├── Bom
├── PackageInfo
├── Payload
└── Scripts
    ├── postinstall
    └── preinstall

indygreg commented 2 years ago

I'm wondering if the reason I didn't implement this is because I couldn't figure out a way to verify it worked!

So far every component .pkg I've thrown at it has failed notarization with:

upload log>   "issues": [
upload log>     {
upload log>       "severity": "error",
upload log>       "code": null,
upload log>       "path": "installer.pkg",
upload log>       "message": "The binary is not signed.",
upload log>       "docUrl": null,
upload log>       "architecture": null
upload log>     }
upload log>   ]

It sounds like Apple is looking for a signed entity within the component package. The .pkg files I'm uploading do have signed entities. So I'm curious what's wrong here.

Do you have an example component package I could test with or instructions on producing one that you are able to get notarized with this patch? I could probably figure this out, but I want to be sure we're seeing eye-to-eye and that we both agree that component notarization can work at all.

indygreg commented 2 years ago

With the adoption of the new Notary API in #593, the old notarization code that was reading the flat packages has gone away, as we now treat the uploaded assets as mostly a black box. So this change should no longer be needed.

If there are remaining issues with component notarization, please file a new issue or PR.