macOS Notarization test builds

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

macOS Notarization test builds

Jim Jagielski
Located at

    https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/

Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.

Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)

thx!
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Branko Čibej
On 31.10.2019 19:49, Jim Jagielski wrote:
> Located at
>
>     https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>
> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>
> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)


Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Gavin McDonald-2
Confirmed it still complains - 10.14.3

Gav...

On Thu, Oct 31, 2019 at 9:21 PM Branko Čibej <[hidden email]> wrote:

> On 31.10.2019 19:49, Jim Jagielski wrote:
> > Located at
> >
> >     https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
> >
> > Are some test macOS dmgs that should be correctly signed and notarized
> such that they do not trigger Gatekeeper; that is, they should result in
> AOO opening on macOS without any warning about unknown developer.
> >
> > Please check that this does, in fact, happen ;) If not, then instead of
> signing, notarizing and stapling the DMG we will need to do the actual app
> itself, which means some changes to the actual AOO build and packaging
> process... which I hope we don't need :)
>
>
> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not
> enough.
>
> -- Brane
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Dave Fisher-2
Hi -

I am on macOS 10.15 Catalina and for me Notarization is an improvement.

Here is the screen shot from clicking on the App from the new notarized DMG:


And here is the message from OpenOffice install from Jim’s test unnotarized 4.1.7 from this summer:



I would call this success.

Notarization is an improvement specifically for Catalina.

Regards,
Dave

On Nov 1, 2019, at 5:39 AM, Gavin McDonald <[hidden email]> wrote:

Confirmed it still complains - 10.14.3

Gav...

On Thu, Oct 31, 2019 at 9:21 PM Branko Čibej <[hidden email]> wrote:

On 31.10.2019 19:49, Jim Jagielski wrote:
Located at

   https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/

Are some test macOS dmgs that should be correctly signed and notarized
such that they do not trigger Gatekeeper; that is, they should result in
AOO opening on macOS without any warning about unknown developer.

Please check that this does, in fact, happen ;) If not, then instead of
signing, notarizing and stapling the DMG we will need to do the actual app
itself, which means some changes to the actual AOO build and packaging
process... which I hope we don't need :)


Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not
enough.

-- Brane


---------------------------------------------------------------------
To unsubscribe, [hidden email]
For additional commands, [hidden email]



Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Marcus (OOo)
Am 01.11.19 um 08:07 schrieb Dave Fisher:
> I am on macOS 10.15 Catalina and for me Notarization is an improvement.

I also think it's better. At the moment the user has the options "Move
to Trash" or "Cancel". Now with signed files there is an "Open" button.
So, of course this is an improvement. ;-)

Marcus



> Here is the screen shot from clicking on the App from the new notarized DMG:
>
>
> And here is the message from OpenOffice install from Jim’s test
> unnotarized 4.1.7 from this summer:
>
>
>
> I would call this success.
>
> Notarization is an improvement specifically for Catalina.
>
> Regards,
> Dave
>
>> On Nov 1, 2019, at 5:39 AM, Gavin McDonald <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>> Confirmed it still complains - 10.14.3
>>
>> Gav...
>>
>> On Thu, Oct 31, 2019 at 9:21 PM Branko Čibej <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>>> Located at
>>>>
>>>> https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>>
>>>> Are some test macOS dmgs that should be correctly signed and notarized
>>> such that they do not trigger Gatekeeper; that is, they should result in
>>> AOO opening on macOS without any warning about unknown developer.
>>>>
>>>> Please check that this does, in fact, happen ;) If not, then instead of
>>> signing, notarizing and stapling the DMG we will need to do the
>>> actual app
>>> itself, which means some changes to the actual AOO build and packaging
>>> process... which I hope we don't need :)
>>>
>>>
>>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not
>>> enough.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Jim Jagielski
In reply to this post by Branko Čibej


> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>
> On 31.10.2019 19:49, Jim Jagielski wrote:
>> Located at
>>
>>    https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>
>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>
>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>
>
> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>

As I feared... I'll start looking at where to plug-in the additional steps.

Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:

   $ build.pl" --all (stops before we bundle things up)
   $ dmake package (rpm and deb for Linux, dmg for macOS)


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Dave Fisher-2
Jim,

It worked for Catalina and that is the goal. I don’t think a difference should be expected for macOS prior to 10.15.

Please check with Apple Developer documentation before letting FUD get you!

Regards,
Dave

> On Nov 1, 2019, at 6:40 PM, Jim Jagielski <[hidden email]> wrote:
>
>
>
>> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>>
>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>> Located at
>>>
>>>   https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>
>>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>>
>>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>>
>>
>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>>
>
> As I feared... I'll start looking at where to plug-in the additional steps.
>
> Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:
>
>   $ build.pl" --all (stops before we bundle things up)
>   $ dmake package (rpm and deb for Linux, dmg for macOS)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Jim Jagielski
I don't mind spending some cycles on figuring out how to sign the actual app before it's packaged into the dmg...

Does anyone know if there is a build.pl option that sez "stop before packaging"? I don't see any from what I can see...

> On Nov 1, 2019, at 7:11 AM, Dave Fisher <[hidden email]> wrote:
>
> Jim,
>
> It worked for Catalina and that is the goal. I don’t think a difference should be expected for macOS prior to 10.15.
>
> Please check with Apple Developer documentation before letting FUD get you!
>
> Regards,
> Dave
>
>> On Nov 1, 2019, at 6:40 PM, Jim Jagielski <[hidden email]> wrote:
>>
>>
>>
>>> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>>>
>>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>>> Located at
>>>>
>>>>  https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>>
>>>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>>>
>>>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>>>
>>>
>>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>>>
>>
>> As I feared... I'll start looking at where to plug-in the additional steps.
>>
>> Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:
>>
>>  $ build.pl" --all (stops before we bundle things up)
>>  $ dmake package (rpm and deb for Linux, dmg for macOS)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Dave Fisher-2
Hi Jim,

> On Nov 1, 2019, at 7:18 PM, Jim Jagielski <[hidden email]> wrote:
>
> I don't mind spending some cycles on figuring out how to sign the actual app before it's packaged into the dmg...

Sure we can see if that makes a difference, but the first question is if notarization makes any difference on any macOS from before 10.15.

See https://developer.apple.com/library/archive/technotes/tn2206/_index.html

Look at “Signing Disk Images”

I think further exploration involves looking into how GateKeeper has changed with each macOS version.

Regards,
Dave

>
> Does anyone know if there is a build.pl option that sez "stop before packaging"? I don't see any from what I can see...
>
>> On Nov 1, 2019, at 7:11 AM, Dave Fisher <[hidden email]> wrote:
>>
>> Jim,
>>
>> It worked for Catalina and that is the goal. I don’t think a difference should be expected for macOS prior to 10.15.
>>
>> Please check with Apple Developer documentation before letting FUD get you!
>>
>> Regards,
>> Dave
>>
>>> On Nov 1, 2019, at 6:40 PM, Jim Jagielski <[hidden email]> wrote:
>>>
>>>
>>>
>>>> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>>>>
>>>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>>>> Located at
>>>>>
>>>>> https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>>>
>>>>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>>>>
>>>>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>>>>
>>>>
>>>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>>>>
>>>
>>> As I feared... I'll start looking at where to plug-in the additional steps.
>>>
>>> Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:
>>>
>>> $ build.pl" --all (stops before we bundle things up)
>>> $ dmake package (rpm and deb for Linux, dmg for macOS)
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Dave Fisher-2


> On Nov 1, 2019, at 7:35 PM, Dave Fisher <[hidden email]> wrote:
>
> Hi Jim,
>
>> On Nov 1, 2019, at 7:18 PM, Jim Jagielski <[hidden email]> wrote:
>>
>> I don't mind spending some cycles on figuring out how to sign the actual app before it's packaged into the dmg...
>
> Sure we can see if that makes a difference, but the first question is if notarization makes any difference on any macOS from before 10.15.
>
> See https://developer.apple.com/library/archive/technotes/tn2206/_index.html
>
> Look at “Signing Disk Images”
>
> I think further exploration involves looking into how GateKeeper has changed with each macOS version.

This resource might help too.

https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution

Regards,
Dave

>
> Regards,
> Dave
>
>>
>> Does anyone know if there is a build.pl option that sez "stop before packaging"? I don't see any from what I can see...
>>
>>> On Nov 1, 2019, at 7:11 AM, Dave Fisher <[hidden email]> wrote:
>>>
>>> Jim,
>>>
>>> It worked for Catalina and that is the goal. I don’t think a difference should be expected for macOS prior to 10.15.
>>>
>>> Please check with Apple Developer documentation before letting FUD get you!
>>>
>>> Regards,
>>> Dave
>>>
>>>> On Nov 1, 2019, at 6:40 PM, Jim Jagielski <[hidden email]> wrote:
>>>>
>>>>
>>>>
>>>>> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>>>>>
>>>>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>>>>> Located at
>>>>>>
>>>>>> https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>>>>
>>>>>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>>>>>
>>>>>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>>>>>
>>>>>
>>>>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>>>>>
>>>>
>>>> As I feared... I'll start looking at where to plug-in the additional steps.
>>>>
>>>> Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:
>>>>
>>>> $ build.pl" --all (stops before we bundle things up)
>>>> $ dmake package (rpm and deb for Linux, dmg for macOS)
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [hidden email]
>>>> For additional commands, e-mail: [hidden email]
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Jim Jagielski


> On Nov 1, 2019, at 7:39 AM, Dave Fisher <[hidden email]> wrote:
>
>
>
>> On Nov 1, 2019, at 7:35 PM, Dave Fisher <[hidden email]> wrote:
>>
>> Hi Jim,
>>
>>> On Nov 1, 2019, at 7:18 PM, Jim Jagielski <[hidden email]> wrote:
>>>
>>> I don't mind spending some cycles on figuring out how to sign the actual app before it's packaged into the dmg...
>>
>> Sure we can see if that makes a difference, but the first question is if notarization makes any difference on any macOS from before 10.15.
>>
>> See https://developer.apple.com/library/archive/technotes/tn2206/_index.html
>>
>> Look at “Signing Disk Images”
>>
>> I think further exploration involves looking into how GateKeeper has changed with each macOS version.
>
> This resource might help too.
>
> https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution <https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution>
>

Yes, this link, and others, have been what I've been reviewing

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Jim Jagielski
FWIW, this link seems to imply that simply signing and notarizing the DMG should be enough:

    https://forums.developer.apple.com/thread/121813
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: macOS Notarization test builds

Branko Čibej
In reply to this post by Dave Fisher-2
On 01.11.2019 12:11, Dave Fisher wrote:
> Jim,
>
> It worked for Catalina and that is the goal. I don’t think a difference should be expected for macOS prior to 10.15.
>
> Please check with Apple Developer documentation before letting FUD get you!


Come on, it's not FUD. Just a normal install on 10.14: opening the DMG,
copying AOO to /Applications and running it from there, macOS Mojave
will *not* allow it until you jump through the hoops of System Preferences.

Having such an important piece of software properly signed for Windows
and macOS is simply a basic requirement (has been for years, really)
and, IMNSHO, it should be Infra that provides the required services to
do so, for builds created on our infrastructure, not Joe "Random" Developer.

-- Brane


>> On Nov 1, 2019, at 6:40 PM, Jim Jagielski <[hidden email]> wrote:
>>
>>
>>
>>> On Oct 31, 2019, at 5:20 PM, Branko Čibej <[hidden email]> wrote:
>>>
>>> On 31.10.2019 19:49, Jim Jagielski wrote:
>>>> Located at
>>>>
>>>>   https://home.apache.org/~jim/AOO-builds/AOO418-macOS-test/
>>>>
>>>> Are some test macOS dmgs that should be correctly signed and notarized such that they do not trigger Gatekeeper; that is, they should result in AOO opening on macOS without any warning about unknown developer.
>>>>
>>>> Please check that this does, in fact, happen ;) If not, then instead of signing, notarizing and stapling the DMG we will need to do the actual app itself, which means some changes to the actual AOO build and packaging process... which I hope we don't need :)
>>>
>>> Nope, sorry (macOS 10.14.6). Still complains. Signing the DMG is not enough.
>>>
>> As I feared... I'll start looking at where to plug-in the additional steps.
>>
>> Most likely, we'll need to separate out, functionally in the build setup, creating the binary and the packaging... something like:
>>
>>   $ build.pl" --all (stops before we bundle things up)
>>   $ dmake package (rpm and deb for Linux, dmg for macOS)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]