indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Notarization fails with s3 upload error: unhandled error #144

Open ErkkaLehmus opened 6 months ago

ErkkaLehmus commented 6 months ago

I am not sure if this is the same as or related to #84.

Using apple-codesign 0.27.0 on Linux, the command line

rcodesign notary-submit --api-key-file ~/keys/mykey.json --staple MyGame.app.zip

fails with

created submission ID:  --- manually cut out, ask if you need this ---
resolving AWS S3 configuration from Apple-provided credentials
uploading asset to s3://notary-submissions-prod/prod/ --- manually cut out, ask if you need this ---
(you may see additional log output from S3 client)
Error: s3 upload error: unhandled error

I ran it a few times, same result every time. And then with -vvv, logging the output to a text file. It seems to successfully send ClientHello to Apple, receiving ServerHello, after which there is

[2024-05-09T10:27:37Z DEBUG rustls::client::tls13] Not resuming
[2024-05-09T10:27:37Z TRACE rustls::client::client_conn] EarlyData rejected
[2024-05-09T10:27:37Z TRACE rustls::conn] Dropping CCS
[2024-05-09T10:27:37Z DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck, Unknown(UnknownExtension { typ: EllipticCurves, payload: 00040017001d }), Protocols([ProtocolName(6832)])]
[2024-05-09T10:27:37Z DEBUG rustls::client::hs] ALPN protocol is Some(b"h2")
[2024-05-09T10:27:37Z TRACE rustls::client::tls13] Server cert is [--- manually cut out, ask if you need this ---]
[2024-05-09T10:27:37Z TRACE rustls::verify] Unvalidated OCSP response: [--- manually cut out, ask if you need this ---]
[2024-05-09T10:27:38Z TRACE reqwest::blocking::wait] wait at most 30s
[2024-05-09T10:27:38Z WARN  apple_codesign::notarization] created submission ID: --- manually cut out, ask if you need this ---
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] closing runtime thread (ThreadId(2))
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] signaled close for runtime thread (ThreadId(2))
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] (ThreadId(2)) Receiver is shutdown
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] (ThreadId(2)) end runtime::block_on
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] (ThreadId(2)) finished
[2024-05-09T10:27:38Z TRACE reqwest::blocking::client] closed runtime thread (ThreadId(2))
[2024-05-09T10:27:38Z WARN  apple_codesign::notarization] resolving AWS S3 configuration from Apple-provided credentials
[2024-05-09T10:27:38Z DEBUG hyper_rustls::config] with_native_roots processed 140 valid and 0 invalid certs
[2024-05-09T10:27:38Z WARN  apple_codesign::notarization] uploading asset to s3://notary-submissions-prod/prod/--- manually cut out, ask if you need this ---
[2024-05-09T10:27:38Z WARN  apple_codesign::notarization] (you may see additional log output from S3 client)
[2024-05-09T10:27:38Z DEBUG rustls::client::hs] No cached session for DnsName("notary-submissions-prod.s3.us-west-2.amazonaws.com")
[2024-05-09T10:27:38Z DEBUG rustls::client::hs] Not resuming any session
[2024-05-09T10:27:38Z TRACE rustls::client::hs] Sending ClientHello Message {

After which there are two times ClientHello and ServerHello with amazonaws.com, this time with

[2024-05-09T10:27:38Z DEBUG rustls::client::hs] ALPN protocol is Some(b"http/1.1")

until finally terminating with Error: s3 upload error: unhandled error


I'm connected to the internet by mobile broadband, and from what little I do understand, on the ISP side there is a proxy between me and the rest of the world. And I'm not sure if there is anything I can do about it.

I kind of wanted to test the process with the official Apple tools to verify if there is a problem with my ISP, but unfortunately Apple is not happy with me running on 10.13.6 High Sierra, which is the highest my old MacBook can do.

detorto commented 4 months ago

Same problem. Looks like it depends on the package it sends. One of my pkgs notarizes OK every time, the other one fails every time with the same "Error: s3 upload error: unhandled error".

Logs are the same as yours.

UPD: Cloned and built the main branch, it shows version 0.27.0, but managed to upload a binary.

indygreg commented 3 weeks ago

Thanks for the reports.

The unhandled error in Error: s3 upload error: unhandled error is coming from the aws-sdk-s3 crate. It corresponds to an Error::Unhandled enum variant when the S3 API response doesn't expose an error code in the API response metadata. But, that may be due to how we're normalizing the error type in our code:

.map_err(|e| AppleCodesignError::AwsS3Error(Box::new(aws_sdk_s3::Error::from(e))))

The aws_sdk_s3::Error::from() conversion code looks like this:

impl From<crate::operation::put_object::PutObjectError> for Error {
    fn from(err: crate::operation::put_object::PutObjectError) -> Self {
        match err {
            crate::operation::put_object::PutObjectError::Unhandled(inner) => Error::Unhandled(inner),
        }
    }
}

I think I'll tweak the error handling to hopefully preserve more details so we know what the actual error is. That will help with debugging and eventual fixing.
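
The loss of detail discussed in the comment above, as an added example that is not code from apple-codesign or aws-sdk-s3: printing only the top-level error yields the generic label, while walking `source()` recovers the underlying cause. `DispatchFailure`, `Unhandled` and the helper functions are hypothetical stand-ins built on the standard library, and the connection-reset cause is constructed sample data, not the cause found in this issue.

```rust
use std::error::Error;
use std::fmt;

// Hypothetical stand-in for a transport-level failure wrapping an I/O error.
#[derive(Debug)]
struct DispatchFailure(std::io::Error);
impl fmt::Display for DispatchFailure {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "dispatch failure")
    }
}
impl Error for DispatchFailure {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&self.0) }
}

// Hypothetical stand-in for the flattened variant: Display is only a label.
#[derive(Debug)]
struct Unhandled(DispatchFailure);
impl fmt::Display for Unhandled {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "unhandled error")
    }
}
impl Error for Unhandled {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&self.0) }
}

// What the user sees when only the top-level Display is printed.
fn shallow_message(err: &dyn Error) -> String {
    format!("s3 upload error: {}", err)
}

// Append every cause reachable through source() to the top-level message.
fn detailed_message(err: &(dyn Error + 'static)) -> String {
    let mut out = shallow_message(err);
    let mut cause = err.source();
    while let Some(e) = cause {
        out.push_str(&format!(": {}", e));
        cause = e.source();
    }
    out
}

// Constructed sample failure (assumption: a reset connection).
fn sample_failure() -> Unhandled {
    let io = std::io::Error::new(std::io::ErrorKind::ConnectionReset, "connection reset by peer");
    Unhandled(DispatchFailure(io))
}

fn main() {
    let err = sample_failure();
    println!("{}\n{}", shallow_message(&err), detailed_message(&err));
}
```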