1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
osx build
=============
Cheat-sheet
------------------
tl;dr:
.. code:: bash
export RELEASE=yes
export OSXAPPPASS=my-apple-app-pass
make clean && make vendor && make build
make installer
make sign_installer
make notarize_installer
make notarize_staple
make create_dmg
Sign the release
-------------------
in recent osx releases, it's not ok to just sign the insallers anymore. you
have to sign and then notarize with their service. here are some notes that use
ad-hoc targets in the main makefile, but we should keep an eye on any future
integration of this process in the more or less official Qt tools (QTIFW).
First, we build the regular installer (use RELEASE=yes to do a codesign step
with macqtdeploy, note that this increases build time considerably):
.. code:: bash
make build
RELEASE=yes make installer
make sign_installer
Now we export the app-specific password and we proceed to notarization. If you
don't know what is this pass, you can create one in your Apple developer
account. Contact their friendly support for more info, but don't expect they
understand you do not really own any Apple Hardware. Sense of humor is not
universal.
Security -> App-specific passwords -> Generate
If you need to revoke these tokens, click on 'view history'.
https://appleid.apple.com/account/manage
According to https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow:
To avoid including your password as cleartext in a script, you can provide a
reference to a keychain item, as shown in the previous example. This assumes
the keychain holds a keychain item named AC_PASSWORD with an account value
matching the username AC_USERNAME.
.. code:: bash
export OSXAPPPASS=my-apple-app-pass
make notarize_installer
Between the output of the last command, you will get a Request UUID. You should pass that request uid in the appropriate
environment variable to check the status of the notarization process. Obviously, since the recent changes in Apple policies,
you need to be in posession of a valid membership
.. code:: bash
altool[5281:91963] No errors uploading 'build/installer/RiseupVPN-installer-0.20.4-175-gee4eb90.zip'.
RequestUUID = fe9a4324-bdcb-4c52-b857-f089dc904695
OSXMORDORUID=fe9a4324-bdcb-4c52-b857-f089dc904695 make notarize_check
xcrun altool --notarization-info fe9a4324-bdcb-4c52-b857-f089dc904695 -u "info@leap.se" -p my-apple-app-pass
2020-12-11 22:21:59.940 altool[5787:96428] No errors getting notarization info.
RequestUUID: fe9a4324-bdcb-4c52-b857-f089dc904695
Date: 2020-12-11 21:13:10 +0000
Status: success
LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma114/v4/0f/c9/1e/0fc91e64-2c9f-74e5-3cf6-96b8f3bf7170/developer_log.json?accessKey=1607916119_6680812212684569509_nLlPw6tYxTSiWZfFTb0atP9zZ3CEGDfW0btWV51xhjWHiCFqBt%2BneXd5Vp40eQCSx8e1W5PYCIe2db7JGbhoTeJsYxl7UmYssRvYpTxYJl8z90uwB9jkbS1fsd7niaAn%2BQs7xHdv%2BB9jaKQI8LJ%2BwYY8RPq1QaeCJxBIdeG44DY%3D
Status Code: 0
Status Message: Package Approved
If everything is ok, now you can finish the process, stapling the notarization info and creating the dmg.
.. code:: bash
make notarize_staple
make create_dmg
If everything went well, you should have a .dmg for your release under the `deploy` folder.
.. code:: bash
created: /Users/admin/leap/bitmask-vpn/deploy/RiseupVPN-0.20.4-175-gee4eb90.dmg
|