On Thu, 11 July 2019 at 06:49, Vadim Peretokin <[email protected]> wrote:
>
> Thanks for this - mind pasting it as a gist for easy access?

Here it is:

https://gist.github.com/estan/505cd5b4c18d80f1dd17ac2ea0f6c69e

Elvis

>
> On Wed, Jul 10, 2019 at 9:59 PM Elvis Stansvik <[email protected]> wrote:
>>
>> On Wed, 10 July 2019 at 21:44, Elvis Stansvik <[email protected]> wrote:
>> >
>> > On Wed, 10 July 2019 at 21:20, Adam Light <[email protected]> wrote:
>> > >
>> > >
>> > >
>> > > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <[email protected]>
>> > > wrote:
>> > >>
>> > >>
>> > >> With "work around" do you mean from the user POV (e.g. somehow
>> > >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
>> > >> developer POV (so, having to notarize)?
>> > >>
>> > >
>> > > Instead of repeating myself here, please see my comment at
>> > > https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
>> > > which explains what I mean by "work around". I just added screen shots
>> > > of the dialogs I mentioned in that comment so it's clear what the user
>> > > sees.
>> > >
>> > >>
>> > >> I'd like to know if there is some reasonably simple way for users to
>> > >> get around the requirement. We will not be able to notarize every
>> > >> build we do, because of the time it takes. But at the same time we,
>> > >> and our testers, must be able to test random builds from Git (we build
>> > >> a .dmg for every commit) to try out in-progress features/bug fixes...
>> > >> So I really hope there will be some way for the user to get around the
>> > >> notarization requirement.
>> > >
>> > >
>> > > Notarization doesn't take more than a few minutes (in my limited
>> > > experience) but it's a hassle to script the process. Your build machines
>> > > and possibly your testers will not need to have a notarized application
>> > > because, as I understand it, notarization is not required if the
>> > > application does not have a quarantine flag. If it's been downloaded via
>> > > a standard web browser, it should have the flag. But if it was built on
>> > > the machine, or if it was transferred from another machine using
>> > > something like curl, rsync, etc. then it is unlikely to have the
>> > > quarantine flag.
>> >
>> > Yes, looking at our last tagged release build, the notarization step
>> > took 3 minutes 58 seconds. That's a doubling of our normal build time
>> > though, which is why we're hesitant to do it on every commit. That,
>> > and also I guess Apple don't really want people doing this anyway.
>> >
>> > Our testers normally pull the build artifacts using their web browser,
>> > so the downloaded .dmg will be quarantined. We could tell them to curl
>> > it of course, but we'd like to keep it as simple as possible for them
>> > to test a feature/bugfix in progress, and asking them to use a
>> > dedicated download tool goes against that.
>> >
>> > Scripting the notarization wasn't the painful thing. I made a quick
>> > Python script that does it, and it has worked fine since then. What
>>
>> This is the snippet, in case someone else finds it useful (note that
>> the --primary-bundle-id flag to altool is hard-coded in the script, so
>> you'll want to edit that):
>>
>> #!/usr/bin/env python3
>> #
>> # Notarize a file
>> #
>> # Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
>> #
>>
>> from argparse import ArgumentParser
>> from subprocess import check_output
>> from plistlib import loads
>> from time import sleep
>>
>>
>> def main():
>>     parser = ArgumentParser()
>>     parser.add_argument('username', help='Apple ID user')
>>     parser.add_argument('password', help='Apple ID password')
>>     parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
>>     args = parser.parse_args()
>>
>>     print('requesting notarization of {}...'.format(args.path))
>>
>>     # Upload the file; altool answers with a plist carrying the request UUID.
>>     request_uuid = loads(check_output([
>>         'xcrun',
>>         'altool',
>>         '--notarize-app',
>>         '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
>>         '--username', args.username,
>>         '--password', args.password,
>>         '--file', args.path,
>>         '--output-format', 'xml'
>>     ]))['notarization-upload']['RequestUUID']
>>
>>     # Poll the request status up to 200 times, sleeping 3 seconds in between.
>>     for i in range(200):
>>         response = loads(check_output([
>>             'xcrun',
>>             'altool',
>>             '--notarization-info', request_uuid,
>>             '--username', args.username,
>>             '--password', args.password,
>>             '--output-format', 'xml'
>>         ]))
>>         if response['notarization-info']['Status'] == 'success':
>>             print('notarization succeeded, see {}'.format(
>>                 response['notarization-info']['LogFileURL']))
>>             print('stapling notarization to {}'.format(args.path))
>>             print(check_output(['xcrun', 'stapler', 'staple',
>>                                 args.path]).decode('utf-8'))
>>             return
>>         if response['notarization-info']['Status'] == 'invalid':
>>             raise RuntimeError('notarization failed, response was\n{}'.format(
>>                 response))
>>         sleep(3)
>>
>>     raise RuntimeError('notarization timed out, last response was\n{}'.format(
>>         response))
>>
>>
>> if __name__ == '__main__':
>>     main()
>>
>> > bothers me is if it will make it harder for our testers. I wish Apple
>> > could state clearly whether the user will be allowed to override this
>> > check (à la Ctrl-click -> Open instead of double-clicking, which you
>> > can use to bypass certificate verification).
>> >
>> > Elvis
>> >
>> > >
>> > > Of course, it is possible that in the future the quarantine flag will
>> > > not control whether the notarization check happens, so what I said in
>> > > the paragraph above may change.
>> > >
>> > > Adam

_______________________________________________
Interest mailing list
[email protected]
https://lists.qt-project.org/listinfo/interest
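Adam's point about the quarantine flag can be checked per file. The following is an added example, not code from the thread: it reads the `com.apple.quarantine` extended attribute with the macOS `xattr` tool and decodes its commonly seen `flags;timestamp;agent;id` layout (the sample value in the comment is constructed).

```python
import os
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Decode 'flags;timestamp;agent;id' (flags and timestamp are hex)."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError("unexpected quarantine value: {!r}".format(value))
    flags, stamp, agent = fields[:3]
    return {
        "flags": int(flags, 16),
        # Seconds since the Unix epoch, i.e. when the file was downloaded.
        "downloaded": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent,  # the program that set the flag, e.g. a browser
        "event_id": fields[3] if len(fields) > 3 and fields[3] else None,
    }


def quarantine_info(path):
    """Parsed attribute for `path`, or None if the file is not quarantined.

    macOS only: shells out to `xattr -p`, which exits non-zero when the
    attribute is absent.
    """
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


# Constructed sample, shaped like what a browser download carries:
#   parse_quarantine("0083;5d26c8f0;Safari;")
```

A build fetched with a browser should return a dict here, while one produced locally or copied with curl or rsync should return None, which matches the behaviour described in the thread.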
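The script quoted above takes the Apple ID password as a command-line argument, so it appears in the process list and in any CI log that echoes commands. This variant is an added example, not part of the gist: it passes altool an `@env:` reference so the secret stays out of argv, and makes the runner injectable so the upload, poll and staple flow can be exercised offline. The variable name `NOTARIZE_PASSWORD`, the `fake_xcrun` helper and its sample replies are assumptions constructed for illustration.

```python
import plistlib
from subprocess import check_output
from time import sleep

PASSWORD_ENV = "NOTARIZE_PASSWORD"  # assumed variable name, exported by the CI job


def altool_argv(action, username, password_env=PASSWORD_ENV):
    """Build an altool argv whose --password is an @env: reference, not the secret."""
    return ["xcrun", "altool", *action,
            "--username", username,
            "--password", "@env:" + password_env,  # altool reads the variable itself
            "--output-format", "xml"]


def notarize(path, username, bundle_id, run=check_output, wait=sleep, tries=200):
    """Upload, poll, staple; returns LogFileURL. run/wait are injectable for offline use."""
    upload = plistlib.loads(run(altool_argv(
        ["--notarize-app", "--primary-bundle-id", bundle_id, "--file", path],
        username)))
    request_uuid = upload["notarization-upload"]["RequestUUID"]
    info = {}
    for _ in range(tries):
        reply = plistlib.loads(run(altool_argv(
            ["--notarization-info", request_uuid], username)))
        info = reply.get("notarization-info", {})
        if info.get("Status") == "success":
            run(["xcrun", "stapler", "staple", path])
            return info.get("LogFileURL")
        if info.get("Status") == "invalid":
            raise RuntimeError("notarization failed: {}".format(info))
        wait(3)
    raise RuntimeError("notarization timed out, last response: {}".format(info))


def fake_xcrun(log, final_status="success"):
    """Constructed stand-in for xcrun: records each argv, answers with sample plists."""
    replies = iter([
        {"notarization-upload": {"RequestUUID": "constructed-request-uuid"}},
        {"notarization-info": {"Status": "in progress"}},
        {"notarization-info": {"Status": final_status,
                               "LogFileURL": "https://example.invalid/log.json"}},
    ])

    def run(argv):
        log.append(argv)
        return b"" if argv[1] == "stapler" else plistlib.dumps(next(replies))
    return run
```

Apple has since replaced altool's notarization commands with `notarytool`, so this illustrates the 2019 workflow discussed in the thread rather than a current one.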
