summaryrefslogtreecommitdiff
path: root/docs/build-osx.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/build-osx.rst')
-rw-r--r--docs/build-osx.rst91
1 files changed, 91 insertions, 0 deletions
diff --git a/docs/build-osx.rst b/docs/build-osx.rst
new file mode 100644
index 0000000..32ba29d
--- /dev/null
+++ b/docs/build-osx.rst
@@ -0,0 +1,91 @@
+osx build
+=============
+
+Cheat-sheet
+------------------
+
+tl;dr:
+
+.. code:: bash
+
+ export RELEASE=yes
+ export OSXAPPPASS=my-apple-app-pass
+ make clean && make vendor && make build
+ make installer
+ make sign_installer
+ make notarize_installer
+ make notarize_staple
+ make create_dmg
+
+Sign the release
+-------------------
+
+in recent osx releases, it's not ok to just sign the insallers anymore. you
+have to sign and then notarize with their service. here are some notes that use
+ad-hoc targets in the main makefile, but we should keep an eye on any future
+integration of this process in the more or less official Qt tools (QTIFW).
+
+First, we build the regular installer (use RELEASE=yes to do a codesign step
+with macqtdeploy, note that this increases build time considerably):
+
+.. code:: bash
+
+ make build
+ RELEASE=yes make installer
+ make sign_installer
+
+Now we export the app-specific password and we proceed to notarization. If you
+don't know what is this pass, you can create one in your Apple developer
+account. Contact their friendly support for more info, but don't expect they
+understand you do not really own any Apple Hardware. Sense of humor is not
+universal.
+
+Security -> App-specific passwords -> Generate
+If you need to revoke these tokens, click on 'view history'.
+
+https://appleid.apple.com/account/manage
+
+According to https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow:
+
+To avoid including your password as cleartext in a script, you can provide a
+reference to a keychain item, as shown in the previous example. This assumes
+the keychain holds a keychain item named AC_PASSWORD with an account value
+matching the username AC_USERNAME.
+
+.. code:: bash
+
+ export OSXAPPPASS=my-apple-app-pass
+ make notarize_installer
+
+Between the output of the last command, you will get a Request UUID. You should pass that request uid in the appropriate
+environment variable to check the status of the notarization process. Obviously, since the recent changes in Apple policies,
+you need to be in posession of a valid membership
+
+.. code:: bash
+
+ altool[5281:91963] No errors uploading 'build/installer/RiseupVPN-installer-0.20.4-175-gee4eb90.zip'.
+ RequestUUID = fe9a4324-bdcb-4c52-b857-f089dc904695
+
+ OSXMORDORUID=fe9a4324-bdcb-4c52-b857-f089dc904695 make notarize_check
+ xcrun altool --notarization-info fe9a4324-bdcb-4c52-b857-f089dc904695 -u "info@leap.se" -p my-apple-app-pass
+ 2020-12-11 22:21:59.940 altool[5787:96428] No errors getting notarization info.
+
+ RequestUUID: fe9a4324-bdcb-4c52-b857-f089dc904695
+ Date: 2020-12-11 21:13:10 +0000
+ Status: success
+ LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma114/v4/0f/c9/1e/0fc91e64-2c9f-74e5-3cf6-96b8f3bf7170/developer_log.json?accessKey=1607916119_6680812212684569509_nLlPw6tYxTSiWZfFTb0atP9zZ3CEGDfW0btWV51xhjWHiCFqBt%2BneXd5Vp40eQCSx8e1W5PYCIe2db7JGbhoTeJsYxl7UmYssRvYpTxYJl8z90uwB9jkbS1fsd7niaAn%2BQs7xHdv%2BB9jaKQI8LJ%2BwYY8RPq1QaeCJxBIdeG44DY%3D
+ Status Code: 0
+ Status Message: Package Approved
+
+If everything is ok, now you can finish the process, stapling the notarization info and creating the dmg.
+
+.. code:: bash
+
+ make notarize_staple
+ make create_dmg
+
+If everything went well, you should have a .dmg for your release under the `deploy` folder.
+
+.. code:: bash
+
+ created: /Users/admin/leap/bitmask-vpn/deploy/RiseupVPN-0.20.4-175-gee4eb90.dmg