On Wed, 10 July 2019 at 21:44, Elvis Stansvik <elvst...@gmail.com> wrote:
>
> On Wed, 10 July 2019 at 21:20, Adam Light <acli...@gmail.com> wrote:
> >
> >
> >
> > On Wed, Jul 10, 2019 at 2:28 AM Elvis Stansvik <elvst...@gmail.com> wrote:
> >>
> >>
> >> With "work around" do you mean from the user POV (e.g. somehow
> >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> >> developer POV (so, having to notarize)?
> >>
> >
> > Instead of repeating myself here, please see my comment at 
> > https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
> >  which explains what I mean by "work around". I just added screen shots of 
> > the dialogs I mentioned in that comment so it's clear what the user sees.
> >
> >>
> >> I'd like to know if there is some reasonably simple way for users to
> >> get around the requirement. We will not be able to notarize every
> >> build we do, because of the time it takes. But at the same time we,
> >> and our testers, must be able to test random builds from Git (we build
> >> a .dmg for every commit) to try out in-progress features/bug fixes...
> >> So I really hope there will be some way for the user to get around the
> >> notarization requirement.
> >
> >
> > Notarization doesn't take more than a few minutes (in my limited 
> > experience) but it's a hassle to script the process. Your build machines 
> > and possibly your testers will not need to have a notarized application 
> > because, as I understand it, notarization is not required if the 
> > application does not have a quarantine flag. If it's been downloaded via a 
> > standard web browser, it should have the flag. But if it was built on the 
> > machine, or if it was transferred from another machine using something like 
> > curl, rsync, etc. then it is unlikely to have the quarantine flag.
>
> Yes, looking at our last tagged release build, the notarization step
> took 3 minutes 58 seconds. That's a doubling of our normal build time
> though, which is why we're hesitant to do it on every commit. That,
> and also I guess Apple don't really want people doing this anyway.
>
> Our testers normally pull the build artifacts using their web browser,
> so the downloaded .dmg will be quarantined. We could tell them to curl
> it of course, but we'd like to keep it as simple as possible for them
> to test a feature/bugfix in progress, and asking them to use a
> dedicated download tool goes against that.
>
> Scripting the notarization wasn't the painful thing. I made a quick
> Python script that does it, and it has worked fine since then. What

This is the snippet, in case someone else finds it useful (note that
the --primary-bundle-id flag to altool is hard-coded in the script, so
you'll want to edit that):

#!/usr/bin/env python3
#
# Notarize a file
#
# Usage: notarize-macos.py <Apple ID username> <Apple ID password> <file>
#

from argparse import ArgumentParser
from subprocess import check_output
from plistlib import loads
from time import sleep


def main():
    parser = ArgumentParser()
    parser.add_argument('username', help='Apple ID user')
    parser.add_argument('password', help='Apple ID password')
    parser.add_argument('path', help='File to be notarized (e.g. .dmg)')
    args = parser.parse_args()

    print('requesting notarization of {}...'.format(args.path))

    request_uuid = loads(check_output([
        'xcrun',
        'altool',
        '--notarize-app',
        '--primary-bundle-id', 'com.yourdomain.yourapp.dmg',
        '--username', args.username,
        '--password', args.password,
        '--file', args.path,
        '--output-format', 'xml'
    ]))['notarization-upload']['RequestUUID']

    for i in range(200):
        response = loads(check_output([
            'xcrun',
            'altool',
            '--notarization-info', request_uuid,
            '--username', args.username,
            '--password', args.password,
            '--output-format', 'xml'
        ]))
        if response['notarization-info']['Status'] == 'success':
            print('notarization succeeded, see {}'.format(
                response['notarization-info']['LogFileURL']))
            print('stapling notarization to {}'.format(args.path))
            print(check_output(
                ['xcrun', 'stapler', 'staple', args.path]).decode('utf-8'))
            return
        if response['notarization-info']['Status'] == 'invalid':
            raise RuntimeError(
                'notarization failed, response was\n{}'.format(response))
        sleep(3)

    raise RuntimeError(
        'notarization timed out, last response was\n{}'.format(response))


if __name__ == '__main__':
    main()

> bothers me is if it will make it harder for our testers. I wish Apple
> could state clearly whether the user will be allowed to override this
> check (à la Ctrl-click -> Open instead of doubleclicking, which you
> can use to bypass certificate verification).
>
> Elvis
>
> >
> > Of course, it is possible that in the future the quarantine flag will not 
> > control whether the notarization check happens, so what I said in the 
> > paragraph above may change.
> >
> > Adam
> >
> > _______________________________________________
> > Interest mailing list
> > Interest@qt-project.org
> > https://lists.qt-project.org/listinfo/interest
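
Added example, not part of the original messages: a small checker for the quarantine flag that Adam describes, so a tester can see whether a downloaded build carries it and which application set it. It assumes the macOS xattr command-line tool and the commonly observed 'flags;hex-time;agent;uuid' layout of the com.apple.quarantine value; the function names are illustrative.

```python
#!/usr/bin/env python3
# Added example: report whether files carry the macOS quarantine attribute.
# Usage: check-quarantine.py <file> [<file> ...]
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = 'com.apple.quarantine'


def parse_quarantine(value):
    """Split 'flags;hex-timestamp;agent;event-uuid' into a dict.

    The field layout is an assumption based on commonly observed values.
    Missing trailing fields are returned as empty strings / None.
    """
    parts = value.strip().split(';')
    parts += [''] * (4 - len(parts))
    flags, stamp, agent, event_id = parts[:4]
    when = None
    if stamp:
        # Timestamp is hexadecimal seconds since the Unix epoch.
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    return {'flags': int(flags or '0', 16), 'time': when,
            'agent': agent, 'event_id': event_id}


def read_quarantine(path):
    """Return the raw attribute value, or None if the file has no flag."""
    result = subprocess.run(['xattr', '-p', QUARANTINE_ATTR, path],
                            capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


def describe(path, raw):
    """One-line summary for a file given its raw attribute value."""
    if raw is None:
        return '{}: no quarantine flag'.format(path)
    q = parse_quarantine(raw)
    when = (q['time'].strftime('%Y-%m-%d %H:%M:%S UTC')
            if q['time'] else 'unknown time')
    return '{}: quarantined by {} at {} (flags 0x{:04x})'.format(
        path, q['agent'] or 'unknown agent', when, q['flags'])


if __name__ == '__main__':
    for p in sys.argv[1:]:
        print(describe(p, read_quarantine(p)))
```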