summaryrefslogtreecommitdiff
path: root/docs/build.osx.rst
blob: 7e145a5a91f6182784e199780b0a6896dfa1f169 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
osx build
=============

Cheat-sheet
------------------

tl;dr:

.. code:: bash
  export RELEASE=yes
  export OSXAPPPASS=my-apple-app-pass
  make clean && make vendor && make build
  make installer
  make sign_installer
  make notarize_installer
  make notarize_staple
  make create_dmg

Sign the release
-------------------

in recent osx releases, it's not ok to just sign the insallers anymore. you
have to sign and then notarize with their service. here are some notes that use
ad-hoc targets in the main makefile, but we should keep an eye on any future
integration of this process in the more or less official Qt tools (QTIFW).

First, we build the regular installer (use RELEASE=yes to do a codesign step
with macqtdeploy, note that this increases build time considerably):

.. code:: bash
  make build
  RELEASE=yes make installer
  make sign_installer

Now we export the app-specific password and we proceed to notarization. If you
don't know what is this pass, you can create one in your Apple developer
account. Contact their friendly support for more info, but don't expect they
understand you do not really own any Apple Hardware. Sense of humor is not
universal.

Security -> App-specific passwords -> Generate
If you need to revoke these tokens, click on 'view history'.

https://appleid.apple.com/account/manage

According to https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow:

To avoid including your password as cleartext in a script, you can provide a
reference to a keychain item, as shown in the previous example. This assumes
the keychain holds a keychain item named AC_PASSWORD with an account value
matching the username AC_USERNAME.

.. code:: bash

  export OSXAPPPASS=my-apple-app-pass
  make notarize_installer

Between the output of the last command, you will get a Request UUID. You should pass that request uid in the appropriate 
environment variable to check the status of the notarization process. Obviously, since the recent changes in Apple policies,
you need to be in posession of a valid membership

.. code:: bash
  altool[5281:91963] No errors uploading 'build/installer/RiseupVPN-installer-0.20.4-175-gee4eb90.zip'.
  RequestUUID = fe9a4324-bdcb-4c52-b857-f089dc904695
  
  OSXMORDORUID=fe9a4324-bdcb-4c52-b857-f089dc904695 make notarize_check
  xcrun altool --notarization-info fe9a4324-bdcb-4c52-b857-f089dc904695 -u "info@leap.se" -p my-apple-app-pass
  2020-12-11 22:21:59.940 altool[5787:96428] No errors getting notarization info.
  
     RequestUUID: fe9a4324-bdcb-4c52-b857-f089dc904695
            Date: 2020-12-11 21:13:10 +0000
          Status: success
      LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma114/v4/0f/c9/1e/0fc91e64-2c9f-74e5-3cf6-96b8f3bf7170/developer_log.json?accessKey=1607916119_6680812212684569509_nLlPw6tYxTSiWZfFTb0atP9zZ3CEGDfW0btWV51xhjWHiCFqBt%2BneXd5Vp40eQCSx8e1W5PYCIe2db7JGbhoTeJsYxl7UmYssRvYpTxYJl8z90uwB9jkbS1fsd7niaAn%2BQs7xHdv%2BB9jaKQI8LJ%2BwYY8RPq1QaeCJxBIdeG44DY%3D
     Status Code: 0
  Status Message: Package Approved

If everything is ok, now you can finish the process, stapling the notarization info and creating the dmg.

.. code:: bash
  make notarize_staple
  make create_dmg

If everything went well, you should have a .dmg for your release under the `deploy` folder.

.. code:: bash
  created: /Users/admin/leap/bitmask-vpn/deploy/RiseupVPN-0.20.4-175-gee4eb90.dmg