mirror of https://github.com/oxen-io/lokinet
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74 lines
3.3 KiB
Plaintext
74 lines
3.3 KiB
Plaintext
Codesigning and notarization on macOS
|
|
|
|
This is painful. Thankfully most of the pain is now in CMake and a python script.
|
|
|
|
To build, codesign, and notarized and installer package, CMake needs to be invoked with:
|
|
|
|
cd build
|
|
rm -rf * # optional but recommended
|
|
cmake .. -DBUILD_PACKAGE=ON -DDOWNLOAD_SODIUM=ON -DMACOS_SIGN_APP=ABC123... -DMACOS_SIGN_PKG=DEF456...
|
|
|
|
where the ABC123... key is a "Developer ID Installer" key and PKG key is a "Developer ID
|
|
Application" key. You have to go through a bunch of pain, pay Apple money, and then read a bunch of
|
|
poorly written documentation that doesn't help very much to create these and get them working. But once you have them
|
|
set up in Keychain, you should be able to list your keys with:
|
|
|
|
security find-identity -v
|
|
|
|
and you should see (at least) one "Developer ID Installer: ..." and one "Developer ID Application:
|
|
...". You need both for reasons that only Apple knows. The former is used to sign the installer
|
|
.pkg, and the latter is used to sign everything *inside* the .pkg, and you can't use the same key
|
|
for both because Apple designed code signing by marketing committee rather than ask any actual
|
|
competent software developers how code signing should work.
|
|
|
|
Either way, these two values can be specified either by hex value or description string that
|
|
`security find-identity -v` spits out.
|
|
|
|
You also need to set up the notarization parameters; these can either be specified directly on the
|
|
cmake command line by adding:
|
|
|
|
-DMACOS_NOTARIZE_ASC=XYZ123 -DMACOS_NOTARIZE_USER=me@example.com -DMACOS_NOTARIZE_PASS=@keychain:codesigning-password
|
|
|
|
or, more simply, by putting them inside a `~/.notarization.cmake` file that will be included if it
|
|
exists (and the MACOS_SIGN_* variables are set) -- see below.
|
|
|
|
These three values here are:
|
|
|
|
MACOS_NOTARIZE_ASC:
|
|
|
|
Organization-specific unique value; this is printed inside (brackets) when you run: `security
|
|
find-identity -v`:
|
|
|
|
1) 1C75DDBF884DEF3D5927C3F29BB7FC5ADAE2E1B3 "Apple Development: me@example.com (ABC123XYZ9)"
|
|
|
|
MACOS_NOTARIZE_USER:
|
|
|
|
Your Apple Developer login.
|
|
|
|
MACOS_NOTARIZE_PASS:
|
|
|
|
This should be an app-specific password created for signing on the Apple Developer website. You
|
|
*can* specify it directly, but it is much better to use the magic `@keychain:blah` value, where
|
|
'blah' is a password name recorded in Keychain. To get that in place you run:
|
|
|
|
export HISTFILE='' # for bash: you don't want to store this in your history
|
|
xcrun altool --store-password-in-keychain-item "NOTARIZE_PASSWORD" -u "user" -p "password"
|
|
|
|
where NOTARIZE_PASSWORD is just some name for the password (I called it 'blah' or
|
|
'codesigning-password' above), and the "user" and "password" are replaced with your actual Apple
|
|
Developer account device-specific login credentials.
|
|
|
|
Optionally, put these last three inside a `~/.notarization.cmake` file:
|
|
|
|
set(MACOS_NOTARIZE_USER "jagerman@jagerman.com")
|
|
set(MACOS_NOTARIZE_PASS "@keychain:codesigning-password")
|
|
set(MACOS_NOTARIZE_ASC "SUQ8J2PCT7")
|
|
|
|
Then, finally, you can build the package from the build directory with:
|
|
|
|
make package -j4 # or whatever -j makes you happy
|
|
make notarize
|
|
|
|
The former builds and signs the package, the latter submits it for notarization. This can take a
|
|
few minutes; the script polls Apple's server until it is finished passing or failing notarization.
|