jamulus icon indicating copy to clipboard operation
jamulus copied to clipboard
verified publisher icon jamulussoftware

Automate signed pkg build for macOS App Store submission

Open danryu opened this issue 3 years ago • 38 comments

This PR adds automation to create a signed pkg (installer) file for direct submission to the macOS App Store.

CHANGELOG: adds macOS signed pkg build automation

Context: automates building of signed pkg file for macOS App Store

Does this change need documentation? What needs to be documented and how?

Required:

  1. In Apple Developer Account, create the following resources in in https://developer.apple.com/account/resources/certificates/list

  • Certificates:

    • Mac Installer Distribution
    • Mac App Distribution

  • Identifier:

    • app ID (bundleID)
  1. Add the certs to Github Secrets as per https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development

Status of this Pull Request

What is missing until this pull request can be merged?

Checklist

  • [x] I've verified that this Pull Request follows the general code principles
  • [x] I tested my code and it does what I want
  • [ ] My code follows the style guide
  • [ ] I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • [ ] I've filled all the content above

danryu avatar May 09 '22 17:05 danryu

@emlynmac @ann0see I've updated to reflect your comments. Let me know what you think of the cert naming so far. Now doing some testing and looking at validate+upload with altool.

danryu avatar May 10 '22 09:05 danryu

Good to hear! @emlynmac Should test it on his repo

ann0see avatar May 15 '22 06:05 ann0see

Good to hear! @emlynmac Should test it on his repo

Yes sure, and from the build checks above it looks like it works transparently when signing deps are not satisfied.

As I noted in the iOS PR #2625 the build now attempts to validate and upload to App Store using altool - and may fail when eg re-attempting the same version upload.

danryu avatar May 16 '22 07:05 danryu

@emlynmac any news?

ann0see avatar Jun 08 '22 17:06 ann0see

Updated with the necessary logic to validate and upload the signed macOS "pkg" installer to the Mac App Store when the necessary conditions are met (I thought I had already done this!)

danryu avatar Nov 06 '22 07:11 danryu

Probably it's close to get in. It of course raises the questions when/if we deploy a cert in our repo.

The cert stuff is obviously most easily handled by whoever already has the App Store Connect account for Jamulus. I don't think the certs are any more sensitive than the existing auth details you are already using for dmg file Notarization (appstore-connect-username,appstore-connect-password ).

danryu avatar Nov 07 '22 07:11 danryu

Fair point. Emlyn owns the cert for now and not many people have push access to his repo.

ann0see avatar Nov 07 '22 10:11 ann0see

When/if he gets round to it Emlyn will have to create the 2 new certificates and follow the guides as mentioned in the description. Apple doesn't make this easy enough IMO - too much downloading certificates, importing to keychain manager, exporting as p12 then base64 encoding - for each cert. It's a pain.

danryu avatar Nov 07 '22 10:11 danryu

@danryu could you please rebase this PR?

I think fixing the app store alongside signing isn't an unsolvable issue (check if app store cert is present --> if not skip modifications)

ann0see avatar May 03 '23 21:05 ann0see

@ann0see Yes, can do. I'll need a few days at least to review things.

danryu avatar May 04 '23 11:05 danryu

@danryu any updates?

ann0see avatar Jul 01 '23 20:07 ann0see

@danryu any updates?

Sorry, hit a very busy period. I managed to take a look today but the rebase appeared problematic, so I've gone with a merge - hope that's ok. Looks like there might be some style check failures still, at least.

danryu avatar Jul 02 '23 16:07 danryu

Ok. Thanks.

Merging makes it a lot more difficult to get right later - but I hope we can figure it out. Fixing the styling should be possible

ann0see avatar Jul 02 '23 19:07 ann0see

Coding style checks now fixed

danryu avatar Aug 05 '23 19:08 danryu

Great! Thanks. Maybe this gets ready for 3.11.0 (next release, not this one)

ann0see avatar Aug 05 '23 20:08 ann0see

@pljones Should this be assigned to me currently? It needs another review...

danryu avatar Aug 21 '23 14:08 danryu

Just as quick unrelated comment: The notarization/part of signing action seems to be no longer available.

ann0see avatar Aug 21 '23 16:08 ann0see

@pljones Should this be assigned to me currently? It needs another review...

The "Reviewers" listed should be reviewing. If they raise any comments, it's still with you to take it forwards.

pljones avatar Aug 22 '23 16:08 pljones

@danryu I believe the comment by emlynmac is still outstanding

https://github.com/jamulussoftware/jamulus/pull/2624#pullrequestreview-966807026

ann0see avatar Aug 22 '23 18:08 ann0see

@danryu I believe the comment by emlynmac is still outstanding

#2624 (review)

Addressed in May '22 https://github.com/jamulussoftware/jamulus/pull/2624#issuecomment-1122177304

danryu avatar Aug 23 '23 06:08 danryu

@pljones Should this be assigned to me currently? It needs another review...

The "Reviewers" listed should be reviewing. If they raise any comments, it's still with you to take it forwards.

Yup, I know how it works. Hence why I asked why it's assigned to me, as I've taken it forwards on each comment raised ...

danryu avatar Aug 23 '23 06:08 danryu

Uh sorry. Probably it needs testing on a repo with a cert then.

ann0see avatar Aug 23 '23 07:08 ann0see

@danryu do you have signing set up in your repo? Maybe you can test it yourself? Edit: Please note that in the meantime the notarization action has been updated and you need to supply a team ID.

https://github.com/lando/notarize-action

ann0see avatar Aug 25 '23 18:08 ann0see

I'll close this PR if it doesn't get any progress in the next month. The build is broken.

pljones avatar Feb 21 '24 10:02 pljones

I'll close this PR if it doesn't get any progress in the next month.

That would be a shame. This code has been working for nearly 2 years now. Re: testing, I have been running this code continually for the Koord app.

The build is broken.

That has nothing to do with this PR.

danryu avatar Mar 18 '24 11:03 danryu

The question is: is it mergable?

ann0see avatar Mar 18 '24 12:03 ann0see

The question is: is it mergable?

With a little effort due to the inevitable drift, yes. There's the question of the additional certificate(s) and who is maintaining those: I can assess shortly whether I can help with the certificate generation, but will need a couple of weeks to clear the decks first.

danryu avatar Mar 18 '24 14:03 danryu

Yeah. We have lost signing a while ago, so it would be great if you handle that.

ann0see avatar Mar 19 '24 14:03 ann0see

Concerning notarization: can we switch to a local notarization and get rid of the action we use currently? Probably yes, I suppose. I'd like to get rid of the external notarization as it opens another potential source we cannot control.

ann0see avatar Apr 03 '24 21:04 ann0see

Notarization can be done with Xcode on macOS, but it still requires having a paid Apple Developer account and contacting Apple servers for the actual notarization process. There would be no gain in removing the CI for notarization.

To be clear, this PR was created to automate the process not just of notarizing the macOS Jamulus package (which was already implemented) but of completing the whole process necessary to submit the package to the macOS App Store. This process is somewhat more involved.

Regarding the current state of the Jamulus macOS build (and the lack of notarization support), that is a separate issue and should probably not be tracked in this thread. PS What happened to the previous macOS maintainer (who clearly had a paid macOS developer account)?

danryu avatar Apr 04 '24 08:04 danryu