search

tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0
85.4k stars 2.58k forks source link

[bug] macOS binary is being signed and notarized twice #6052

Open goenning opened 1 year ago

goenning commented 1 year ago

Describe the bug

When building a release bundle of my app, I noticed that Tauri is signing and notarizing the app twice. See these logs:

   Compiling aptakube v0.0.0 (/Users/goenning/Documents/github/aptakube/src-tauri)
    Finished release [optimized] target(s) in 15.25s
   Compiling aptakube v0.0.0 (/Users/goenning/Documents/github/aptakube/src-tauri)
    Finished release [optimized] target(s) in 13.81s
    Bundling Aptakube.app (/Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app)
     Signing /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app with identity "0BC7E248BD53924742CB630DD2327E7DD417E3AD"
     Signing /var/folders/6j/mb7yg2ps0qx1jfswmz3h4kjc0000gn/T/.tmpbhkauo/Aptakube.zip with identity "0BC7E248BD53924742CB630DD2327E7DD417E3AD"
  Notarizing /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app
        Info notarization started; waiting for Apple response...
    Bundling Aptakube_1.0.1_universal.dmg (/Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/dmg/Aptakube_1.0.1_universal.dmg)
     Running bundle_dmg.sh
     Signing /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/dmg/Aptakube_1.0.1_universal.dmg with identity "0BC7E248BD53924742CB630DD2327E7DD417E3AD"
    Bundling Aptakube.app (/Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app)
     Signing /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app with identity "0BC7E248BD53924742CB630DD2327E7DD417E3AD"
     Signing /var/folders/6j/mb7yg2ps0qx1jfswmz3h4kjc0000gn/T/.tmp3kkqQl/Aptakube.zip with identity "0BC7E248BD53924742CB630DD2327E7DD417E3AD"
  Notarizing /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app
        Info notarization started; waiting for Apple response...
    Bundling /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app.tar.gz (/Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app.tar.gz)
    Finished 2 bundles at:
        /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/dmg/Aptakube_1.0.1_universal.dmg
        /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app.tar.gz (updater)

        Info 1 updater archive at:
        Info         /Users/goenning/Documents/github/aptakube/src-tauri/target/universal-apple-darwin/release/bundle/macos/Aptakube.app.tar.gz.sig

Reproduction

No response

Expected behavior

I would expect Tauri to do it once. I can also verify it's doing it twice because I get 2 emails from Apple with the subject Your Mac software was successfully notarized

Platform and versions

Environment
  › OS: Mac OS 13.1.0 X64
  › Node.js: 18.12.1
  › npm: 8.9.0
  › pnpm: 7.6.0
  › yarn: 1.22.19
  › rustup: 1.25.1
  › rustc: 1.65.0
  › cargo: 1.65.0
  › Rust toolchain: stable-aarch64-apple-darwin 

Packages
  › @tauri-apps/cli [NPM]: 1.2.2
  › @tauri-apps/api [NPM]: 1.2.0
  › tauri [RUST]: 1.2.3,
  › tauri-build [RUST]: 1.2.1,
  › tao [RUST]: 0.15.6,
  › wry [RUST]: 0.23.4,

App
  › build-type: bundle
  › CSP: unset
  › distDir: ../dist
  › devPath: http://localhost:5173/
  › framework: SolidJS
  › bundler: Vite

App directory structure
  ├─ design
  ├─ dist
  ├─ node_modules
  ├─ etc
  ├─ examples
  ├─ .github
  ├─ src-tauri
  ├─ .git
  ├─ .vscode
  ├─ coverage
  └─ src

Stack trace

No response

Additional context

No response

JonasKruckenberg commented 1 year ago

It actually also seems that it built the app twice if you look at the beginning of the log. Can you share the CI workflow you used for this?

goenning commented 1 year ago

I'm building it locally with:

APPLE_SIGNING_IDENTITY="0BC7E248BD53924742CB630DD2327E7DD417E3AD" \
TAURI_KEY_PASSWORD="REDACTED" \
TAURI_PRIVATE_KEY=$(pwd)/etc/build/aptakube.key \
npx tauri build --target universal-apple-darwin
JonasKruckenberg commented 1 year ago

Ah alright, so building twice is expected bc it's a universal build. I don't know about how universal builds are supposed to work here (technically it's just two binaries in one package after all) but double signing doesn't seem like it's supposed to be like that

Edit: I assume the resulting app also doesn't work?

goenning commented 1 year ago

The app works fine, no issue at all.

It's just the slowness of signing it twice as it requires response from apple.