
(bundler): Switch to notarytool for notarization before Fall 2023

Open FabianLars opened this issue 3 years ago • 19 comments

For reference: https://developer.apple.com/videos/play/wwdc2022/10109/

Relevant file: https://github.com/tauri-apps/tauri/blob/dev/tooling/bundler/src/bundle/macos/sign.rs

FabianLars avatar Jun 08 '22 16:06 FabianLars

What's the crossover between bundler and https://github.com/tauri-apps/tauri-action? Do we keep all the core logic in bundler and just treat tauri-action as a way to execute bundler and do any GitHub release magic?

lorenzolewis avatar Jun 08 '22 23:06 lorenzolewis

In the context of building+bundling tauri-action doesn't do much more than just invoking npm run tauri build (that's why I want to get rid of it lol)

FabianLars avatar Jun 08 '22 23:06 FabianLars

Talking of getting rid of the whole repo tauri-action in the future you mean? So we leave it as a guide on how to do cross-platform CI/CD and leave it to the user to implement? Less for us to maintain and easier to integrate more tightly into Tauri core, so I'm all for that. We do love our side projects 😉

If you have a few files you could reference in bundler then it may be good to throw those in for a bit more context.

lorenzolewis avatar Jun 08 '22 23:06 lorenzolewis

Talking of getting rid of the whole repo tauri-action in the future you mean?

Yeah. That's the dream at least, idk if that would work for every tauri specific edge case tho.

Added a relevant code link for this issue to the first comment.

FabianLars avatar Jun 08 '22 23:06 FabianLars

altool is no longer on my computer and doesn't seem to be on my CI either (GH Action). Curious if anyone else has had this problem.

bhelx avatar Mar 10 '23 15:03 bhelx

You're the first one to report this but i guess that's enough for us to finally change it, maybe too late for 1.3 but 1.3.1 then hopefully.

FabianLars avatar Mar 11 '23 09:03 FabianLars

I can also vouch that xcrun altool has vanished from my computer.

colin99d avatar Mar 13 '23 15:03 colin99d

@FabianLars do you know if there's anyone that's wanting to champion this one? I'd love to work with them on the docs side to make sure the guide gets updated as well

lorenzolewis avatar Mar 13 '23 16:03 lorenzolewis

nope, don't know of anybody :/

FabianLars avatar Mar 13 '23 16:03 FabianLars

This is going to be a tricky one because it requires macOS AND a developer account to mess with, right?

lorenzolewis avatar Mar 13 '23 16:03 lorenzolewis

as far as i know yes. and i don't wanna spend 100 bucks on that one to be honest :D

FabianLars avatar Mar 13 '23 16:03 FabianLars

I was able to successfully use xcrun notarytool manually at least. The config process is a bit different, albeit simpler.

bhelx avatar Mar 13 '23 16:03 bhelx

This is going to be a tricky one because it requires macOS AND a developer account to mess with, right?

Did you not need a developer account before? I can't recall that ever being the case. But yes you definitely need one. I had to use one for notarytool too. We paid the ransom. I'm not 100% sure if you need to run it on macos as well.

bhelx avatar Mar 13 '23 16:03 bhelx

I was able to successfully use xcrun notarytool manually at least. The config process is a bit different, albeit simpler.

Do you have any steps/differences you could share? I'm hoping Apple's docs are helpful and correct here, but if there's any wisdom/gotchas to look out for it would be awesome to have.

I have an old developer account that's not paid anymore so can be a lab rat to test that if I have something to mess with. If it requires a paid account then I could take that up to see what Working Group can do about it (but would like to confirm before I take that on)

lorenzolewis avatar Mar 13 '23 16:03 lorenzolewis

Note: all the environment variables were set to codesign the .app here; however, the last step (notarization) is the one that failed. So I set the env vars, ran cargo tauri build, then did the following steps.

For the most part, I followed this doc: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

Step 1, generate an "app password" on the apple developer site.

Step 2, tell notarytool about it:

xcrun notarytool store-credentials "AC_PASSWORD" --apple-id $MY_APPLE_ID --password $THE_APP_PASSWORD

Step 3, build the bundle.

Step 4, use ditto to bundle the .app into a .zip:

ditto -c -k --keepParent modsurfer-web/src-tauri/target/release/bundle/macos/modsurfer.app/ modsurfer-web/src-tauri/target/release/bundle/macos/modsurfer.zip

Step 5, submit the app to be notarized:

xcrun notarytool submit modsurfer-web/src-tauri/target/release/bundle/macos/modsurfer.zip --keychain-profile "AC_PASSWORD" --wait

I passed this off to a team mate and he said the app ran for him without complaint.

bhelx avatar Mar 13 '23 17:03 bhelx

Happy to help develop / test the new process. We're just gonna do it by hand for the next few weeks due to time constraints.

bhelx avatar Mar 13 '23 17:03 bhelx

I can help on that item, don't have a lot of time but we have the full process in place at Caido to sign MacOS application. This is the script we currently use:

#!/usr/bin/env bash

##### Options ####
# CODE_SIGN_ONLY: set to "true" to only codesign and skip the notarization upload
# APP_ZIP: set to "true" to wrap the signed .app in a .zip with ditto before uploading
#          (notarytool accepts .zip, .dmg or .pkg, not a bare .app directory)
# APP_PATH: path to the .app bundle to sign and upload (required, the script has no default)

KEYCHAIN_PASS="caidopass"
ZIP_PATH="./caido.zip"

# Install the certificate
echo "[*] Installing certificate"
echo "$APPLE_DEVELOPER_CERTIFICATE_P12_BASE64" | base64 -d > certificate.p12
security create-keychain -p "$KEYCHAIN_PASS" build.keychain
security list-keychains -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PASS" build.keychain
security import certificate.p12 -k build.keychain -P "$APPLE_DEVELOPER_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASS" build.keychain

# Get Application ID from installed certificate
APPLICATION_ID=$(security find-identity -v build.keychain | grep "Developer ID Application" | cut -d " " -f4)

# Code sign binary
echo "[*] Signing binary"
echo "[-] ApplicationID: $APPLICATION_ID"
/usr/bin/codesign --options runtime --force --timestamp --deep -s "$APPLICATION_ID" "$APP_PATH"

# Package binary into a zip
if [ "$APP_ZIP" == "true" ]; then
  echo "[*] Packaging as .zip"
  ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
  UPLOAD_PATH=$ZIP_PATH
else
  UPLOAD_PATH=$APP_PATH
fi

# Upload package for notarization
if [ "$CODE_SIGN_ONLY" != "true" ]; then
  TEAM_ID=$(security find-identity -v build.keychain | grep "Developer ID Application" | cut -d "(" -f2 | cut -d ")" -f1)
  echo "[*] Sending binary to Apple for notarization"
  echo "[-] Username: $AC_USERNAME"
  echo "[-] TeamID: $TEAM_ID"
  xcrun notarytool submit "$UPLOAD_PATH" --apple-id "$AC_USERNAME" --password "$AC_PASSWORD" --team-id "$TEAM_ID"
fi

# Cleanup existing keychain
echo "[*] Deleting build keychain"
security delete-keychain build.keychain
rm -f certificate.p12 caido.zip

Sytten avatar Mar 13 '23 20:03 Sytten

Putting some extra notes:

  • Apple ID App Password KB Article: https://support.apple.com/en-us/HT204397
  • Running xcrun notarytool store-credentials "AC_PASSWORD" --apple-id $MY_APPLE_ID --password $THE_APP_PASSWORD will prompt you for your Developer Team ID. This can be found in App Store Connect: click your profile icon and "Edit Profile", and the Team ID is a 10-character alphanumeric ID on that page.
  • I did have to renew my Developer Program membership (possibly due to a personal reason of changing legal entities which voided previous agreements I'd accepted, couldn't seem to get past the pay wall)
  • Tried to submit a version of a binary created by ditto, but got the following errors that I haven't had a chance to dig into:
"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Reframe.zip/Reframe.app/Contents/MacOS/Reframe",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Reframe.zip/Reframe.app/Contents/MacOS/Reframe",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Reframe.zip/Reframe.app/Contents/MacOS/Reframe",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "arm64"
    }
  ]

lorenzolewis avatar Mar 14 '23 10:03 lorenzolewis
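A pre-flight and triage script, added here as an example and not code from tauri, tauri-action or any commenter in this thread. It ties bhelx's notarytool steps above (stored keychain profile, ditto zip, `submit --wait`) to the three errors lorenzolewis posted: before uploading, it reads `codesign -d --verbose=4` output to confirm the hardened runtime flag and a secure timestamp are present (the `--options runtime --timestamp` flags in Sytten's script), and after a rejected submission it pulls `xcrun notarytool log` and maps each error message to the signing change that addresses it. The function names, the remediation table and the constructed sample outputs are this example's own assumptions; the notarytool subcommands and `--output-format json` are real, but the live paths only work on macOS with a Developer ID certificate, so the pure-text helpers are what can be exercised anywhere.

```python
#!/usr/bin/env python3
"""Added example: pre-flight check and failure triage for notarizing a Tauri .app with notarytool.

Not code from tauri/tauri-action or from any commenter. Function names, the REMEDIATIONS
table and the sample outputs below are assumptions of this example.
"""
import json
import re
import subprocess
import sys

# Substring of a notarytool issue "message" -> the codesign change that normally fixes it.
# The three messages are the ones reported in the thread; the mapping is this example's.
REMEDIATIONS = {
    "hardened runtime": "re-sign with `codesign --options runtime` (hardened runtime)",
    "secure timestamp": "re-sign with `codesign --timestamp` (Apple's timestamp server must be reachable)",
    "signature of the binary is invalid": "re-sign after the bundle is final; editing Contents/ after signing breaks the seal",
}

# Constructed sample: the "issues" array posted in the thread, wrapped in an object as `notarytool log` emits it.
_DOC = "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues"
_BIN = "Reframe.zip/Reframe.app/Contents/MacOS/Reframe"
SAMPLE_LOG = json.dumps({"issues": [
    {"severity": "error", "code": None, "path": _BIN, "message": "The signature of the binary is invalid.",
     "docUrl": _DOC + "#3087735", "architecture": "arm64"},
    {"severity": "error", "code": None, "path": _BIN, "message": "The signature does not include a secure timestamp.",
     "docUrl": _DOC + "#3087733", "architecture": "arm64"},
    {"severity": "error", "code": None, "path": _BIN, "message": "The executable does not have the hardened runtime enabled.",
     "docUrl": _DOC + "#3087724", "architecture": "arm64"},
]})

# Constructed samples of what `codesign -d --verbose=4 <app>` prints (to stderr) for a good and a bad signature.
SAMPLE_CODESIGN_OK = ("Executable=/tmp/x.app/Contents/MacOS/x\n"
                      "CodeDirectory v=20500 size=1 flags=0x10000(runtime) hashes=1+5 location=embedded\n"
                      "Timestamp=Mar 13, 2023 at 4:00:00 PM\n")
SAMPLE_CODESIGN_BAD = ("CodeDirectory v=20400 size=1 flags=0x2(adhoc) hashes=1+5 location=embedded\n"
                       "Signature=adhoc\n")


def triage_issues(log_json):
    """Return (path, message, remediation) for every error-severity issue in a notarytool log document."""
    findings = []
    for issue in json.loads(log_json).get("issues") or []:
        if issue.get("severity") != "error":
            continue
        msg = issue.get("message", "")
        fix = next((r for key, r in REMEDIATIONS.items() if key in msg.lower()),
                   "unmapped; see " + str(issue.get("docUrl")))
        findings.append((issue.get("path", "?"), msg, fix))
    return findings


def signature_preflight(codesign_detail):
    """Check codesign -d output for the two properties notarization demands. Empty list == ready to submit."""
    problems = []
    # The CodeDirectory line carries the flags, e.g. "flags=0x10000(runtime)" or "flags=0x2(adhoc)".
    if not re.search(r"flags=0x[0-9a-fA-F]+\([^)]*\bruntime\b[^)]*\)", codesign_detail):
        problems.append("hardened runtime not enabled")
    # A secure timestamp shows up as its own "Timestamp=..." line; untimestamped signatures have none.
    if not re.search(r"^Timestamp=", codesign_detail, re.MULTILINE):
        problems.append("no secure timestamp")
    return problems


def run_preflight(app_path):
    """macOS only: run codesign against a real .app. codesign -d reports on stderr and exits non-zero if unsigned."""
    out = subprocess.run(["codesign", "-d", "--verbose=4", app_path], capture_output=True, text=True)
    if out.returncode != 0:
        return ["not signed: " + out.stderr.strip()]
    return signature_preflight(out.stderr)


def submit_and_triage(zip_path, keychain_profile):
    """macOS only: submit a ditto-created zip using a stored keychain profile, wait, and on rejection pull the log."""
    sub = subprocess.run(["xcrun", "notarytool", "submit", zip_path, "--keychain-profile", keychain_profile,
                          "--wait", "--output-format", "json"], capture_output=True, text=True)
    result = json.loads(sub.stdout)          # {"id": "...", "status": "Accepted"|"Invalid"|..., ...}
    if result.get("status") == "Accepted":
        return []
    log = subprocess.run(["xcrun", "notarytool", "log", result["id"], "--keychain-profile", keychain_profile],
                         capture_output=True, text=True, check=True)
    return triage_issues(log.stdout)


if __name__ == "__main__":
    # usage: notarize_check.py path/to/App.app path/to/App.zip   (profile name "AC_PASSWORD" as in the thread)
    app_path, zip_path = sys.argv[1], sys.argv[2]
    problems = run_preflight(app_path)
    if problems:
        raise SystemExit("not submitting: " + "; ".join(problems))
    for path, msg, fix in submit_and_triage(zip_path, "AC_PASSWORD"):
        print(f"{path}: {msg} -> {fix}")
```

The pre-flight step is the cheap part: a zip that fails `signature_preflight` would be rejected for exactly the second and third errors in the list above, so checking locally saves a round trip to Apple, and the triage output makes the rejection actionable in CI logs instead of leaving only a submission id behind.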

Apple started sending emails to me because we're using altool :D let's target this for v1.5 ok?

lucasfernog avatar Jun 13 '23 21:06 lucasfernog