Open lionel- opened 1 week ago
Currently you manually approve
Turns out that you cannot staple a notarization ticket to a binary, which makes it pretty much impossible to improve our current approach of downloading a binary version of ark directly. Jupyter users will always get that message about ark not being verified. https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087720
I studied rig a bit, and I think we can do what rig does, but the Makefile for it is a little cryptic: https://github.com/r-lib/rig/blob/main/Makefile
IIUC, the general idea is:

- codesign ark, with hardened runtime and entitlements
- pkgbuild ark into a component, where the component has an internal file structure of /usr/local/bin/ark
- productbuild to make a .pkg containing that 1 ark component, and additional --resources like our NOTICE and LICENSE files
- xcrun notarytool to notarize the .pkg and staple the notarization ticket to the .pkg (which is allowed)
- .pkg with its stapled ticket

The user side then looks like:

- .pkg and open it. Should not get any warnings because we signed and notarized it.
- /usr/local/bin/ark
- Then at the command line they can immediately run ark --install without ark needing special treatment to be on the PATH, because of its placement in /usr/local/bin. And because it came from the .pkg it should be blessed as well, and not get quarantined by Gatekeeper.

We could also probably auto run ark --install for them? So if they go through the installer then all they'd need to do is open Jupyter. But that may be too much.
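
The sign, package, notarize and staple sequence listed in the comment above, as an added example (not part of the original thread, and not ark's or rig's actual build script). The signing identities, package identifier, keychain profile and file paths are placeholders; with `DRY_RUN=1` (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Placeholders (assumptions, not values from the thread): override via the environment.
APP_ID="${APP_ID:-Developer ID Application: EXAMPLE (TEAMID)}"
INST_ID="${INST_ID:-Developer ID Installer: EXAMPLE (TEAMID)}"
PROFILE="${PROFILE:-example-notary-profile}"  # made with: xcrun notarytool store-credentials
PKG_ID="${PKG_ID:-com.example.ark}"

# Print each command; execute it only when DRY_RUN=0 (on a Mac with the certificates installed).
run() {
    printf '+'; printf ' %s' "$@"; printf '\n'
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# build_ark_pkg BINARY VERSION ENTITLEMENTS_PLIST RESOURCES_DIR OUT_PKG
build_ark_pkg() {
    bin=$1 ver=$2 ent=$3 res=$4 out=$5
    work=$(mktemp -d) || return 1

    # 1. Sign the binary with the hardened runtime and a secure timestamp.
    run codesign --force --options runtime --timestamp \
        --entitlements "$ent" --sign "$APP_ID" "$bin" || return 1

    # 2. Stage the payload so the component installs to /usr/local/bin/ark.
    run mkdir -p "$work/root/usr/local/bin" &&
    run cp "$bin" "$work/root/usr/local/bin/ark" &&
    run pkgbuild --root "$work/root" --install-location / \
        --identifier "$PKG_ID" --version "$ver" "$work/ark-component.pkg" || return 1

    # 3. Wrap the single component in a signed product archive. --resources makes
    #    NOTICE/LICENSE available; distribution.xml must reference them to display them.
    run productbuild --synthesize --package "$work/ark-component.pkg" \
        "$work/distribution.xml" &&
    run productbuild --distribution "$work/distribution.xml" --package-path "$work" \
        --resources "$res" --sign "$INST_ID" "$out" || return 1

    # 4. Notarize the .pkg, then staple the ticket to it (a .pkg can carry a ticket).
    run xcrun notarytool submit "$out" --keychain-profile "$PROFILE" --wait &&
    run xcrun stapler staple "$out" &&

    # 5. Ask Gatekeeper how it would assess the finished installer.
    run spctl --assess --type install -vv "$out"
}
```
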
> Jupyter users will always get that message about ark not being verified.
As I read it we can notarize but not staple -- which means that the ticket is still there, Gatekeeper just needs to validate it online instead of checking a local copy. You wouldn't get the message unless you're offline. Does that sound right?
I tried exactly that - i.e. this actions release actually succeeded because I removed the staple step https://github.com/posit-dev/ark/actions/runs/9684264850
But when I downloaded ark I still got the error about it not being able to identify the owner 😢 it is possible I still have something wrong though
(I have since deleted that ark release with its artifact but we can retry anytime)
In particular if I double click on the ark executable I get this
If I try and run it from the command line I get this
The Ark binaries in https://github.com/posit-dev/amalthea/releases are currently not signed. This makes it hard to download and use ark in Jupyter apps.