On Wed, 10 July 2019 at 21:44, Elvis Stansvik <elvst...@gmail.com> wrote:
>
> On Wed, 10 July 2019 at 21:20, Adam Light <acli...@gmail.com> wrote:
> >
> > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvst...@gmail.com> wrote:
> >>
> >> With "work around" do you mean from the user POV (e.g. somehow
> >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> >> developer POV (so, having to notarize)?
> >>
> >
> > Instead of repeating myself here, please see my comment at
> > https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
> > which explains what I mean by "work around". I just added screen shots of
> > the dialogs I mentioned in that comment so it's clear what the user sees.
> >
> >>
> >> I'd like to know if there is some reasonably simple way for users to
> >> get around the requirement. We will not be able to notarize every
> >> build we do, because of the time it takes. But at the same time we,
> >> and our testers, must be able to test random builds from Git (we build
> >> a .dmg for every commit) to try out in-progress features/bug fixes...
> >> So I really hope there will be some way for the user to get around the
> >> notarization requirement.
> >
> > Notarization doesn't take more than a few minutes (in my limited
> > experience) but it's a hassle to script the process. Your build machines
> > and possibly your testers will not need to have a notarized application
> > because, as I understand it, notarization is not required if the
> > application does not have a quarantine flag. If it's been downloaded via a
> > standard web browser, it should have the flag. But if it was built on the
> > machine, or if it was transferred from another machine using something like
> > curl, rsync, etc. then it is unlikely to have the quarantine flag.
>
> Yes, looking at our last tagged release build, the notarization step
> took 3 minutes 58 seconds. That's a doubling of our normal build time
> though, which is why we're hesitant to do it on every commit. That,
> and also I guess Apple don't really want people doing this anyway.
>
> Our testers normally pull the build artifacts using their web browser,
> so the downloaded .dmg will be quarantined. We could tell them to curl
> it of course, but we'd like to keep it as simple as possible for them
> to test a feature/bugfix in progress, and asking them to use a
> dedicated download tool goes against that.
>
> Scripting the notarization wasn't the painful thing. I made a quick
> Python script that does it, and it has worked fine since then. What

This is the snippet, in case someone else finds it useful (note that the --primary-bundle-id flag to altool is hard-coded in the script, so you'll want to edit that):

#!/usr/bin/env python3
#
# Notarize a file
#
# Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
#
# Note: the password is handed to altool on its command line, where other
# local processes can see it; altool also accepts the @keychain:<item> and
# @env:<variable> forms for --password.

from argparse import ArgumentParser
from subprocess import check_output
from plistlib import loads
from time import sleep


def main():
    parser = ArgumentParser()
    parser.add_argument('username', help='Apple ID user')
    parser.add_argument('password', help='Apple ID password')
    parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
    args = parser.parse_args()

    # Upload the file; altool answers with a plist that carries the request UUID.
    print('requesting notarization of {}...'.format(args.path))
    request_uuid = loads(check_output([
        'xcrun',
        'altool',
        '--notarize-app',
        '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
        '--username', args.username,
        '--password', args.password,
        '--file', args.path,
        '--output-format', 'xml'
    ]))['notarization-upload']['RequestUUID']

    # Poll the request status every 3 seconds, 200 times at most (about 10 minutes).
    for i in range(200):
        response = loads(check_output([
            'xcrun',
            'altool',
            '--notarization-info', request_uuid,
            '--username', args.username,
            '--password', args.password,
            '--output-format', 'xml'
        ]))
        if response['notarization-info']['Status'] == 'success':
            print('notarization succeeded, see {}'.format(response['notarization-info']['LogFileURL']))
            # Attach the notarization ticket to the file itself.
            print('stapling notarization to {}'.format(args.path))
            print(check_output(['xcrun', 'stapler', 'staple', args.path]).decode('utf-8'))
            return
        if response['notarization-info']['Status'] == 'invalid':
            raise RuntimeError('notarization failed, response was\n{}'.format(response))
        sleep(3)

    raise RuntimeError('notarization timed out, last response was\n{}'.format(response))


if __name__ == '__main__':
    main()

> bothers me is if it will make it harder for our testers. I wish Apple
> could state clearly whether the user will be allowed to override this
> check (à la Ctrl-click -> Open instead of double-clicking, which you
> can use to bypass certificate verification).
>
> Elvis
>
> >
> > Of course, it is possible that in the future the quarantine flag will not
> > control whether the notarization check happens, so what I said in the
> > paragraph above may change.
> >
> > Adam
> >
> > _______________________________________________
> > Interest mailing list
> > Interest@qt-project.org
> > https://lists.qt-project.org/listinfo/interest
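
The quarantine flag discussed in this thread is stored on macOS as the `com.apple.quarantine` extended attribute, which the `xattr` tool can print. The following Python code is an added example, not part of the original thread: it reads and parses that attribute so a tester or build script can tell whether a downloaded .dmg carries the flag. The field layout (`flags;hex-epoch-seconds;agent;event-id`) and the sample value are assumptions, constructed for illustration.

```python
import os
import subprocess
from datetime import datetime, timezone
from typing import NamedTuple, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


class Quarantine(NamedTuple):
    flags: int                  # bit field, kept as-is (not interpreted here)
    when: Optional[datetime]    # time the file was quarantined, UTC
    agent: str                  # program that downloaded the file
    event_id: str               # identifier of the download event


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex-epoch-seconds;agent;event-id' (assumed layout)."""
    parts = value.strip().split(";")
    parts += [""] * (4 - len(parts))          # trailing fields may be absent
    flags = int(parts[0], 16)                 # ValueError on malformed input
    when = None
    if parts[1]:
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return Quarantine(flags, when, parts[2], parts[3])


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute, or None when the file is not quarantined (macOS only)."""
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:                  # attribute absent
        return None
    return parse_quarantine(proc.stdout)


# Constructed sample value, as a browser download might carry it.
SAMPLE = "0083;5d263f00;Safari;00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    q = parse_quarantine(SAMPLE)
    print("quarantined by {} at {}".format(q.agent, q.when.isoformat()))
```

On a Mac, `read_quarantine("/path/to/build.dmg")` returns `None` for a file that does not carry the attribute.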