chore: macOS notarizing #1365
chore: macOS notarizing #1365
Conversation
lidel
force-pushed
the
fix/macos-notarizing
branch
from
6a459e2
to
69d4481
Compare
|
Relevant context for the macOS binary signing that we set up previously #66 (comment) |
lidel
force-pushed
the
fix/macos-notarizing
branch
from
55df677
to
1e055e5
Compare
|
@autonome We have no bandwidth nor full time maintainer atm. Let's go with semi-automatic notarization during release dance. Created a script for post-build online notarization (without stapling) – should be enough for now: $ node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg(People download |
README.md
Outdated
| @@ -119,6 +119,9 @@ Other languages are periodically pulled from [Transifex](https://www.transifex.c | |||
| - Publish local changes and the tag to GitHub repo: `git push && git push origin vA.B.C` | |||
| - Wait for the CI to upload the binaries to the draft release (a new one will be created if you haven't drafted one). | |||
| - The `latest.yml, latest-mac.yml, latest-linux.yml` files on the release are used by the app to determine when an app update is available. Once a release is published, users should recieve the app update. See: https://www.electron.build/auto-update. | |||
| - Notarize `.dmg` at Apple (context: [#1365](https://github.com/ipfs-shipyard/ipfs-desktop/issues/1211)) | |||
| 1. Download `.dmg` from `https://github.com/ipfs-shipyard/ipfs-desktop/releases/vA.B.C` | |||
| 2. Run `node pkgs/macos/notarize-cli.js ./IPFS-Desktop-A.B.C.dmg` | |||
There was a problem hiding this comment.
What do you do w/ the notarized dmg? Commit back to repo?
There was a problem hiding this comment.
Should adding and editing the .env file be here too?
There was a problem hiding this comment.
what to do with notarized .dmg?
IIUC we would do nothing with notarized .dmg, just discard it for now. Goal is to inform Apple that this is a legit binary blob, so it can give thumbs up when someone's macOS asks about it in the future.
Why? We can't replace .dmg attached to GitHub Release with notarized version because checksum in latest-mac.yml would no longer match and that would break autoupdates.
But online notarization should still work: when macOS sees a new version of ipfs-desktop it will check for stapled notarization, won't find it, so it will fallback to asking Apple servers if running it is ok. Autoupdate requires internet connection anyway, so this non-stapled notarization should also work.
env
notarize-cli will inform user if env variables are missing, but I've added note about them in 99d0dfb
lidel
force-pushed
the
fix/macos-notarizing
branch
from
59b8905
to
69d7c9d
Compare
This adds scripts that run electron-notarize as additional manual or build steps on darvin runtime, loosly following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ Context: #1211 License: MIT Signed-off-by: Marcin Rataj <[email protected]>
electron-userland/electron-builder#3940 (comment) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
License: MIT Signed-off-by: Marcin Rataj <[email protected]>
electron-notarize-dmg is electron-notarize but supports DMG without stapling (which is what we want for now) License: MIT Signed-off-by: Marcin Rataj <[email protected]>
lidel
force-pushed
the
fix/macos-notarizing
branch
from
99d0dfb
to
0537b48
Compare
|
worth noting that we are depending on |
|
@olizilla yes, I pinned it for that very reason. For what its worth I checked code from NPM in (Manual cli notarization is a temporary solution until we get a full time maintainer who will have bandwidth for doing in on the CI safely) |
|
The underside of this iceberg required us to also
with all that in place, running returned without error. The overlord blessed us with an email.
|
|
Can confirm... on macos 10.15.3, trying to run ipfs-desktop 0.10.3 results in
while trying trying to run 0.10.4 now gives us a
|
very cool @lidel. did i mention that you are the best? |
|
@olizilla no, you are! thank you for pushing this through the finish line ❤️ |
Motivation
This PR aims to fix macOS Catalina issues described in #1211
Details
This adds scripts that run electron-notarize as additional manual or build steps on darwin runtime, loosely following https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
pkgs/macos/notarize-build.js(not used for now)This runs as part of
darwinbuild as it was suggested on https://www.electron.build/code-signing.Skipped if
process.env.APPLEIDorprocess.env.APPLEIDPASSare not set at the build time. As there was no safe way to do it on TravisCI, we don't use it at CI atm.pkgs/macos/notarize-cli.js(should do for now)A standalone CLI tool that performs notarization of existing macOS artifact.
It enables us to notarize macOS artifact as a semi-automatic step during release dance:
node pkgs/macos/notarize-cli.js ./path/to/IPFS-Desktop-A.B.C.dmg