mbari-org / vars-annotation

Video Annotation Application for MBARI's Media Management (M3) software stack
https://docs.mbari.org/vars-annotation/
Apache License 2.0

Sign and notarize macOS builds. #144

Closed hohonuuli closed 1 year ago

hohonuuli commented 1 year ago

With Ventura, Apple has made it extremely difficult to run unsigned apps. Time to get VARS signed.

hohonuuli commented 1 year ago

Signing recipe


```bash
# You need a Developer ID Application cert from developer.apple.com. A fake id is used below.
export MAC_CODE_SIGNER="Developer ID Application: blah blah blah (ABC123456)"

cd vars-annotation

# The build will correctly sign everything if your MAC_CODE_SIGNER is correct
./gradlew clean jpackage --info

cd org.mbari.vars.ui/build/jpackage

# App must be packaged/zipped to be notarized
ditto -c -k --keepParent "VARS Annotation.app" "VARS Annotation.zip"

# --team-id:  found in your Developer ID cert name
# --apple-id: the email you log in to developer.apple.com with
# --password: an app-specific password for your account from appleid.apple.com
# (comments cannot follow a trailing backslash, so they are listed here)
xcrun notarytool submit "VARS Annotation.zip" \
    --wait \
    --team-id ABC123456 \
    --apple-id <your apple login> \
    --password "<your app specific password>"

# We staple to the original app, NOT the zip
xcrun stapler staple "VARS Annotation.app"

# Remove the old zip file
rm "VARS Annotation.zip"

# Rezip the app and use that zip to distribute it.
ditto -c -k --keepParent "VARS Annotation.app" "VARS Annotation.zip"
```

Handling notarization failures

If the notarization fails you can review the logs. Here's an example:

```
> xcrun notarytool submit "VARS Annotation.zip" --wait --team-id ABC123456 --apple-id <your apple login> --password "<your app specific password>"

Conducting pre-submission checks for VARS Annotation.zip and initiating connection to the Apple notary service...
Submission ID received
  id: 0523c04e-355d-4a59-8a3f-ff595b7b87c9
Upload progress: 100.00% (88.4 MB of 88.4 MB)
Successfully uploaded file
  id: 0523c04e-355d-4a59-8a3f-ff595b7b87c9
  path: /Users/brian/workspace/M3/vars-annotation/org.mbari.vars.ui/build/jpackage/VARS Annotation.zip
Waiting for processing to complete.
Current status: Invalid..................
Processing complete
  id: 0523c04e-355d-4a59-8a3f-ff595b7b87c9
  status: Invalid

xcrun notarytool log 0523c04e-355d-4a59-8a3f-ff595b7b87c9 --team-id ABC123456 --apple-id <your apple login> --password "<your app specific password>"
{
  "logFormatVersion": 1,
  "jobId": "0523c04e-355d-4a59-8a3f-ff595b7b87c9",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "VARS Annotation.zip",
  "uploadDate": "2023-01-19T19:56:01.550Z",
  "sha256": "9df9955482b474b63fc8b588fdcf65ed746f56e06e019eb50ed4684faca33632",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjvm.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjvm.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjsig.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjsig.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/MacOS/libjli.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    }
  ]
}
```

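
The notary log above lists one entry per problem, so the same dylib shows up several times. The script below is an added example (not part of vars-annotation) that reads that JSON, groups the issues by binary, classifies each message, and emits one `codesign` line per binary that needs re-signing before the zip is rebuilt and resubmitted. The embedded log is constructed to mirror the failure shown in the comment; the category keywords and the `$MAC_CODE_SIGNER` variable name are assumptions taken from the messages and the recipe in this thread.

```python
"""Triage the JSON printed by `xcrun notarytool log <submission-id>`.

Added example, not the project's own code. Groups notary issues by binary
and turns them into re-sign commands. Sample log below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample log: same shape as the real one, three dylib problems.
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "issues": [
        {"severity": "error",
         "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjvm.dylib",
         "message": "The binary is not signed with a valid Developer ID certificate.",
         "architecture": "arm64"},
        {"severity": "error",
         "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/Home/lib/server/libjvm.dylib",
         "message": "The signature does not include a secure timestamp.",
         "architecture": "arm64"},
        {"severity": "error",
         "path": "VARS Annotation.zip/VARS Annotation.app/Contents/runtime/Contents/MacOS/libjli.dylib",
         "message": "The signature of the binary is invalid.",
         "architecture": "arm64"},
    ],
})

# Substrings of the notary service's messages -> short category (assumed mapping).
CATEGORIES = {
    "not signed with a valid Developer ID": "unsigned",
    "does not include a secure timestamp": "no-timestamp",
    "signature of the binary is invalid": "bad-signature",
}


def classify(message):
    """Return the category for one notary message, or 'other'."""
    for needle, category in CATEGORIES.items():
        if needle in message:
            return category
    return "other"


def app_relative(path, app_name):
    """Drop the leading 'Something.zip/' so the path matches the app on disk."""
    marker = app_name + "/"
    idx = path.find(marker)
    return path[idx:] if idx >= 0 else path


def triage(log_text, app_name="VARS Annotation.app"):
    """Map each failing binary to the sorted list of problem categories."""
    log = json.loads(log_text)
    by_path = defaultdict(set)
    for issue in log.get("issues") or []:
        if issue.get("severity") != "error":
            continue  # only errors block notarization; warnings are reported elsewhere
        by_path[app_relative(issue["path"], app_name)].add(classify(issue["message"]))
    return {path: sorted(cats) for path, cats in by_path.items()}


def resign_commands(triaged, signer_env="MAC_CODE_SIGNER"):
    """One codesign line per failing binary. --timestamp adds the secure
    timestamp and --options runtime enables the hardened runtime, both of
    which the notary service checks for; --force replaces the bad signature."""
    cmds = []
    for path in sorted(triaged):
        cmds.append(
            f'codesign --force --timestamp --options runtime '
            f'--sign "${signer_env}" "{path}"'
        )
    return cmds


if __name__ == "__main__":
    # Real use: python3 triage.py < log.json (after `xcrun notarytool log <id> > log.json`)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(text)
    for path, cats in sorted(result.items()):
        print(f"{path}: {', '.join(cats)}")
    print("\n".join(resign_commands(result)))
```

After re-signing the listed binaries, rebuild the zip with `ditto` and resubmit; binaries inside `Contents/runtime` belong to the bundled JRE, so a cleaner long-term fix is to make sure the build signs them in the first place (the recipe notes that jpackage does this when `MAC_CODE_SIGNER` is correct).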
hohonuuli commented 1 year ago

Apparency was very useful for inspecting the signing apps.