Thanks for this - mind pasting it as a gist for easy access?

On Wed, Jul 10, 2019 at 9:59 PM Elvis Stansvik <elvst...@gmail.com> wrote:
> On Wed, Jul 10, 2019 at 21:44, Elvis Stansvik <elvst...@gmail.com> wrote:
> >
> > On Wed, Jul 10, 2019 at 21:20, Adam Light <acli...@gmail.com> wrote:
> > >
> > >
> > >
> > > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvst...@gmail.com> wrote:
> > >>
> > >>
> > >> With "work around" do you mean from the user POV (e.g. somehow
> > >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> > >> developer POV (so, having to notarize)?
> > >>
> > >
> > > Instead of repeating myself here, please see my comment at
> > > https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
> > > which explains what I mean by "work around". I just added screen shots of
> > > the dialogs I mentioned in that comment so it's clear what the user sees.
> > >
> > >>
> > >> I'd like to know if there is some reasonably simple way for users to
> > >> get around the requirement. We will not be able to notarize every
> > >> build we do, because of the time it takes. But at the same time we,
> > >> and our testers, must be able to test random builds from Git (we build
> > >> a .dmg for every commit) to try out in-progress features/bug fixes...
> > >> So I really hope there will be some way for the user to get around the
> > >> notarization requirement.
> > >
> > >
> > > Notarization doesn't take more than a few minutes (in my limited
> > > experience) but it's a hassle to script the process. Your build machines
> > > and possibly your testers will not need to have a notarized application
> > > because, as I understand it, notarization is not required if the
> > > application does not have a quarantine flag. If it's been downloaded via a
> > > standard web browser, it should have the flag. But if it was built on the
> > > machine, or if it was transferred from another machine using something like
> > > curl, rsync, etc. then it is unlikely to have the quarantine flag.
> >
> > Yes, looking at our last tagged release build, the notarization step
> > took 3 minutes 58 seconds. That's a doubling of our normal build time
> > though, which is why we're hesitant to do it on every commit. That,
> > and also I guess Apple don't really want people doing this anyway.
> >
> > Our testers normally pull the build artifacts using their web browser,
> > so the downloaded .dmg will be quarantined. We could tell them to curl
> > it of course, but we'd like to keep it as simple as possible for them
> > to test a feature/bugfix in progress, and asking them to use a
> > dedicated download tool goes against that.
> >
> > Scripting the notarization wasn't the painful thing. I made a quick
> > Python script that does it, and it has worked fine since then. What
>
> This is the snippet, in case someone else finds it useful (note that
> the --primary-bundle-id flag to altool is hard-coded in the script, so
> you'll want to edit that):
>
> #!/usr/bin/env python3
> #
> # Notarize a file
> #
> # Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
> #
>
> from argparse import ArgumentParser
> from subprocess import check_output
> from plistlib import loads
> from time import sleep
>
>
> def main():
>     parser = ArgumentParser()
>     parser.add_argument('username', help='Apple ID user')
>     parser.add_argument('password', help='Apple ID password')
>     parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
>     args = parser.parse_args()
>
>     print('requesting notarization of {}...'.format(args.path))
>
>     # Upload the file; altool replies with a plist holding the request UUID.
>     request_uuid = loads(check_output([
>         'xcrun',
>         'altool',
>         '--notarize-app',
>         '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
>         '--username', args.username,
>         '--password', args.password,
>         '--file', args.path,
>         '--output-format', 'xml'
>     ]))['notarization-upload']['RequestUUID']
>
>     # Poll for the result: up to 200 attempts, 3 seconds apart.
>     for i in range(200):
>         response = loads(check_output([
>             'xcrun',
>             'altool',
>             '--notarization-info', request_uuid,
>             '--username', args.username,
>             '--password', args.password,
>             '--output-format', 'xml'
>         ]))
>         if response['notarization-info']['Status'] == 'success':
>             print('notarization succeeded, see {}'.format(
>                 response['notarization-info']['LogFileURL']))
>             # Attach the notarization ticket to the file itself.
>             print('stapling notarization to {}'.format(args.path))
>             print(check_output(['xcrun', 'stapler', 'staple',
>                                 args.path]).decode('utf-8'))
>             return
>         if response['notarization-info']['Status'] == 'invalid':
>             raise RuntimeError('notarization failed, response was\n{}'.format(response))
>         sleep(3)
>
>     raise RuntimeError('notarization timed out, last response was\n{}'.format(response))
>
>
> if __name__ == '__main__':
>     main()
>
> > bothers me is if it will make it harder for our testers. I wish Apple
> > could state clearly whether the user will be allowed to override this
> > check (à la Ctrl-click -> Open instead of double-clicking, which you
> > can use to bypass certificate verification).
> >
> > Elvis
> >
> > >
> > > Of course, it is possible that in the future the quarantine flag will
> > > not control whether the notarization check happens, so what I said in the
> > > paragraph above may change.
> > >
> > > Adam
> > >
> > > _______________________________________________
> > > Interest mailing list
> > > Interest@qt-project.org
> > > https://lists.qt-project.org/listinfo/interest
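
Added example, not part of the original thread and not Elvis's script: the quoted script takes the Apple ID password as a command-line argument and forwards it to altool the same way, so the secret is visible in process listings on the build machine. This variant keeps the same polling logic but passes altool's `@env:` reference instead; the variable name NOTARIZE_PASSWORD, the function names and the sample reply are assumptions made for the example.

```python
import os
import plistlib
import subprocess
import time

PASSWORD_ENV = "NOTARIZE_PASSWORD"   # assumed variable name, chosen for this example


def altool_argv(action, username):
    """altool command line that names the password variable, never the secret."""
    return ["xcrun", "altool", *action,
            "--username", username,
            "--password", "@env:" + PASSWORD_ENV,
            "--output-format", "xml"]


def classify(plist_bytes):
    """Reduce a --notarization-info reply to (state, log_url)."""
    info = plistlib.loads(plist_bytes).get("notarization-info", {})
    status = info.get("Status")
    if status in ("success", "invalid"):
        return status, info.get("LogFileURL")
    return "pending", None           # any other status: keep polling


def wait_for_verdict(request_uuid, username, run=subprocess.check_output,
                     attempts=200, delay=3):
    """Poll until a final status arrives; `run` is injectable for testing."""
    argv = altool_argv(["--notarization-info", request_uuid], username)
    for _ in range(attempts):
        state, log_url = classify(run(argv))   # child inherits os.environ
        if state != "pending":
            return state, log_url
        time.sleep(delay)
    raise TimeoutError("no final notarization status for " + request_uuid)


# Constructed sample reply (not captured from a real altool run).
SAMPLE_REPLY = plistlib.dumps({"notarization-info": {
    "Status": "success", "LogFileURL": "https://example.invalid/log.json"}})

if __name__ == "__main__":
    os.environ.setdefault(PASSWORD_ENV, "constructed-secret")
    print(altool_argv(["--notarization-info", "REQUEST-UUID-PLACEHOLDER"],
                      "dev@example.invalid"))
    print(classify(SAMPLE_REPLY))
```

The CI job sets NOTARIZE_PASSWORD from its secret store before calling the script, so the password never appears in any argv.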
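
Added example, not part of the original thread: a way to report which build artifacts carry the quarantine flag Adam describes. It reads `com.apple.quarantine` with the macOS `xattr` tool and splits the value into its semicolon-separated fields (hex flags, hex Unix timestamp, downloading agent, event id); the function names and sample values are constructed for the example.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Split 'flags;timestamp;agent;event-id'; flags and timestamp are hex."""
    fields = value.strip().split(";")
    fields += [""] * (4 - len(fields))   # trailing fields are sometimes absent
    flags, stamp, agent, event_id = fields[:4]
    when = (datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
            if stamp else None)
    return {"flags": int(flags, 16), "when": when,
            "agent": agent or None, "event_id": event_id or None}


def read_quarantine(path):
    """Raw attribute value, or None when the file has no quarantine flag."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)   # macOS only
    return proc.stdout.strip() if proc.returncode == 0 else None


def describe(name, raw):
    """One report line per artifact, from the raw attribute value."""
    if raw is None:
        return name + ": not quarantined"
    q = parse_quarantine(raw)
    when = (q["when"].strftime("%Y-%m-%d %H:%M UTC")
            if q["when"] else "unknown time")
    return "{}: quarantined, agent={}, set {}".format(
        name, q["agent"] or "unknown", when)


# Constructed values (not taken from a real download).
SAMPLES = {
    "browser.dmg": "0083;5d264f3a;Safari;11111111-2222-3333-4444-555555555555",
    "curl.dmg": None,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(describe(name, raw))
```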