Closed MichalMMac closed 7 months ago
gregneagle
commented
3 years ago Sadly you'll likely have to support both altool and notarytool -- at least for a while. Can't assume everyone has Xcode 13, and shouldn't wait for altool to actually disappear. :-(
MichalMMac
commented
3 years ago Of course. I was about to dive into it but you are too fast 😁
@gregneagle I went over the man pages. Most of the options overlap but there are differences. I laid out possible ways forward. Supporting both altool and notarytool within the munki-pkg is definitely possible but it is going to add more complexity. Just chaing the code to use only notarytool at the some point in the future might be less user friendly (They might need to update keys in build-info in existing projects.) but more munki-pkg project friendly. I don't have strong preference on this. Complex sounds more fun 😅
First of all I should probably update the documentation (especially the links to Apple notarization docs).
YesThatAllen
commented
10 months ago I missed the memo, until I saw a reminder in macadmins slack, that come Nov 1 2023, users won't have a choice to use the old way.
https://developer.apple.com/news/?id=y5mjxqmn
As announced last year at WWDC, if you notarize your Mac software with the Apple notary service using the
altoolcommand-line utility or Xcode 13 or earlier, you’ll need to transition to thenotarytoolcommand-line utility or upgrade to Xcode 14 or later. Starting November 1, 2023, the Apple notary service will no longer accept uploads fromaltoolor Xcode 13 or earlier.
So, a solution which replaces altool, vs giving an option, could be locked behind a readme/release.
YesThatAllen
commented
7 months ago The code in the notarytool https://github.com/munki/munki-pkg/compare/notarytool is working well for me.
A trailing space was removed when printing error messages here "apple_id + team_id + password or keychain_profile" but there's no PR to comment on (and its pretty trivial vs "does the code notarizing or not")
I wonder.. would the author, @strlng or maybe the most recent committer @g-bougard care to open a PR to main for review?
and @gregneagle tagging the current main as altool or 1.0, etc could allow people who aren't ready for the change to target that, vs having to open issues asking for compatibility.
g-bougard
commented
7 months ago I guess this is my fault for the missing space, sorry for that ;-)
@gregneagle I can make the PR if you want unless you want to merge it yourself (and don't forget to fix the missing space issue if you do).
Anyway I agree with @YesThatAllen , that branch should now be in main as altool is no more supported by Apple notarization.
P.S.: Oups sorry, I missed @string still made the PR ;-)
gregneagle
commented
7 months ago Addressed by today's merge commit.
There is a new command line tool for custom notarization workflow called
notarytool.notarytoolis a part of Xcode and Xcode Command Line Tools since version 13. Previous notarization utilityaltoolis now deprecated but is is still present in Xcode 13 and probably will be present in future versions (at least for a time).Differences between tools
Let's compare
altooltonotarytool.Uploading the package
xcrun altool --notarize-app -f file_path --primary-bundle-id bundle_idnotarytool submit file-path [--wait --no-s3-acceleration]There is no need to specify
bundle_idwhen usingnotarytool.notarytoolhas a new--waitswitch which makes the tool wait until notarization process finishes server side. More on this later.notarytooluses Amazon S3 for package upload by default. This can be turned off with--no-s3-accelerationswitch.Authentication
Apple ID
altool:-u username [-p password] [--asc-provider name | --team-id id | --asc-public-id id]notarytool:--apple-id apple-id [--password app-specific-password] --team-id team-id -p profile-name [--keychain keychain-path]Main difference here is the way to identify the provider when AppleID belongs to multiple providers.
altoolin Xcode 12.5 and 13 has three ways to do it--asc-provider(we currently use this),--asc-public-idand--team-id.notarytoolhas only the--team-idoption.notarytoolcan use a "profile" to authenticate using the credentials stored in keychain via thestore-credentialscommand. Credentials in keychain can be in a form of apple-id + password or api-key + api-key-id + api-issuer-uuid.API access
altool:--apiKey api_key --apiIssuer issuer_idnotarytool:--key key-path --key-id key-id --issuer issuerOnly diffrence here is
altoolsearches for private key is several known directories but fornotarytoolpath must be provides explicitly with--keyoption (or be stored in keychain and obtained with--profileoption).Wait for notarization
To find out the notarization result current munki-pkg implementation uses
altoolto poll the notarization service usingaltool --notarization-infocommand.notarytoolhas a newwaitfunctionality.--waitoption together withnotarytool submitsubcommand.notarytoolwaits indefinitely until the server side notarization process finishes.notarytool waitwhich does the same after the package has been submitted.Additionally
--timeoutoption can be added to prevent thenotarytoolto wait for longer than desired periods of time.Replacement strategies
There are multiple strategies how to replace
altoolwithnotarytoolin munki-pkg:altoolin munki-pkg main branch for now. I will replace thealtoolfornotarytoolin my forked munki-pkg repo, open a PR which would be merged into munki-pkg when time is right (one or two years from now perhaps). I am in favor of this approach.altoolandnotarytool. Tool selection could be manual via option or automatic depending on Xcode version installed. This is going to introduce additional complexity.altoolwithnotarytoolASAP (after final version of Xcode 13 is released this fall). This would add the requirement to run Xcode 13 or newer to use notarization functionality within munki-pkg.