indygreg / PyOxidizer

A modern Python application packaging and distribution tool
Mozilla Public License 2.0

apple-codesign: zip notarization support #635

Closed deansheather closed 1 year ago

deansheather commented 2 years ago

Adds the ability to notarize .zip files containing other notarizable assets (such as a Mach-O binary).

Stapling (via the staple subcommand or notary-submit --staple option) is not supported for .zip files and will return an error.

Zip files are supported by the popular gon tool which we were previously using. We would like to switch to rcodesign to sign our darwin release binaries but we can't as we don't release our CLI as a bundle, xar or dmg file.

$ rcodesign sign --p12-file ./AppleDevCert_Production.p12 --p12-password-file ./cert-pw.txt --code-signature-flags runtime ./build/coder_darwin_arm64
...

$ zip x.zip build/coder_darwin_arm64
  adding: build/coder_darwin_arm64 (deflated 23%)

$ rcodesign notary-submit --api-key-path ./key.json --wait x.zip 
creating Notary API submission for x.zip (sha256: 309d5c53a47a45a07c1869171df7b1b136d1077f5f0e268373d2fefd18074b0d)
created submission ID: 51310405-3244-46cc-a2f3-efd83401bcbf
resolving AWS S3 configuration from Apple-provided credentials
uploading asset to s3://notary-submissions-prod/prod/AROARQRX7CZS3PRF6ZA5L:51310405-3244-46cc-a2f3-efd83401bcbf
(you may see additional log output from S3 client)
send_operation;
send_operation; operation="PutObject"
send_operation; service="s3"
send_operation; status="ok"
S3 upload completed successfully
waiting up to 600s for package upload 51310405-3244-46cc-a2f3-efd83401bcbf to finish processing
poll state after 0s: InProgress
poll state after 4s: InProgress
poll state after 7s: InProgress
poll state after 11s: InProgress
poll state after 15s: InProgress
poll state after 19s: InProgress
poll state after 22s: Accepted
Notary API Server has finished processing the uploaded asset
fetching notarization log for 51310405-3244-46cc-a2f3-efd83401bcbf
notary log> {
notary log>   "archiveFilename": "x.zip",
notary log>   "issues": null,
notary log>   "jobId": "51310405-3244-46cc-a2f3-efd83401bcbf",
notary log>   "logFormatVersion": 1,
notary log>   "sha256": "309d5c53a47a45a07c1869171df7b1b136d1077f5f0e268373d2fefd18074b0d",
notary log>   "status": "Accepted",
notary log>   "statusCode": 0,
notary log>   "statusSummary": "Ready for distribution",
notary log>   "ticketContents": [
notary log>     {
notary log>       "arch": "arm64",
notary log>       "cdhash": "181a64cf314e5f0fefd468aee3a0047992244d60",
notary log>       "digestAlgorithm": "SHA-256",
notary log>       "path": "x.zip/build/coder_darwin_arm64"
notary log>     }
notary log>   ],
notary log>   "uploadDate": "2022-09-06T07:48:23.895Z"
notary log> }
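Because stapling is unavailable for .zip, the notary log above is the only record a release pipeline keeps, so it is worth cross-checking against the archive it describes. The following is an added example (not code from this PR, from rcodesign or from the coder project) that validates a Notary API log in that shape: status and issues, the archive sha256, and that every Mach-O member in the zip has a ticketContents entry; the zip and log are constructed inline, and cdhash values are not recomputed.

```python
import hashlib
import io
import json
import zipfile

# Mach-O magic numbers: thin 32/64-bit in both byte orders plus fat/universal (0xCAFEBABE also opens Java class files).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}


def macho_members(zip_bytes: bytes) -> set[str]:
    """Names of zip members whose first four bytes are a Mach-O magic."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as fh:
                    if fh.read(4) in MACHO_MAGICS:
                        found.add(info.filename)
    return found


def check_notary_log(log_text: str, archive_name: str, zip_bytes: bytes) -> list[str]:
    """Return the problems found; an empty list means the log fully covers the archive."""
    log = json.loads(log_text)
    problems = []
    if log.get("status") != "Accepted" or log.get("statusCode") != 0:
        problems.append(f"status is {log.get('status')!r} (code {log.get('statusCode')})")
    if log.get("issues"):
        problems.append(f"notary reported {len(log['issues'])} issue(s)")
    if log.get("sha256") != hashlib.sha256(zip_bytes).hexdigest():
        problems.append("sha256 in the log does not match the zip on disk")
    # The notary log reports member paths as "<archive name>/<member path>".
    ticketed = {entry["path"] for entry in log.get("ticketContents") or []}
    expected = {f"{archive_name}/{name}" for name in macho_members(zip_bytes)}
    problems += [f"Mach-O member without a ticket: {p}" for p in sorted(expected - ticketed)]
    problems += [f"ticket for a path not in the zip: {p}" for p in sorted(ticketed - expected)]
    return problems


def build_sample() -> tuple[bytes, str]:
    """Constructed input: a zip holding a fake arm64 Mach-O header and a README, plus a matching log."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build/coder_darwin_arm64", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
        zf.writestr("README.txt", b"not code\n")
    log = {"archiveFilename": "x.zip", "issues": None, "status": "Accepted", "statusCode": 0,
           "sha256": hashlib.sha256(buf.getvalue()).hexdigest(), "ticketContents": [
               {"arch": "arm64", "cdhash": "<constructed>", "digestAlgorithm": "SHA-256",
                "path": "x.zip/build/coder_darwin_arm64"}]}
    return buf.getvalue(), json.dumps(log)
```

Run `check_notary_log(log_text, "x.zip", zip_bytes)` on the real rcodesign log and archive; a non-empty list is a reason to fail the release job.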

deansheather commented 1 year ago

@indygreg is there anything I can do to help this get merged? There seemed to be workflow failures but I don't believe those were caused by my changes.

indygreg commented 1 year ago

I've been busy and haven't had time to look into this PR. But I like what you are doing here and want to get this merged!

I've moved apple-codesign to https://github.com/indygreg/apple-platform-rs. Please rebase this PR and submit it against the new project if you'd still like it to be considered. (The new repository has the full history of https://github.com/indygreg/PyOxidizer so a rebase should work assuming there aren't other code changes since this PR was submitted.)