osxcross
Is it possible to sign and notarize from Linux?
We are building all our software targeting macOS with osxcross in docker containers on linux. However, Apple requires notarization of apps starting with macOS 10.15. I can't figure out whether this is doable with OSXCross or not.
Do I need to get apple hardware to do signing? Do I need to get apple hardware to do notarization?
If osxcross is able to do these things can someone point me in the right direction?
For signing on linux I used this tutorial: https://mackyle.github.io/xar/howtosign.html
- Can you sign an app with osxcross? Currently, no; however, the signing implementation is published on Apple’s website. Unfortunately, the source for the `codesign` tool is not included there, so an interested party would have to recreate that first. The Darling project might be a good place to start.
- Can you notarize with osxcross? No, and you probably never will be able to. `altool` depends on several frameworks included with Xcode; there is also a sizable Java-based backend with more dependencies. `stapler` does not only depend on Xcode frameworks, it is also a front-end for a CloudKit-based storage system, which AFAICT is not accessible from non-Apple hardware.

You will need both tools in order to sign and notarize. Hope this helps!
Note that the downstream project https://github.com/multiarch/crossbuild does some automation for binary signing. Perhaps we can do something similar as a last step in osxcross.
This GitHub issue is a pretty high search result for "macOS notary linux". IMO, the current best Linux-compatible codesigning tool for macOS binaries is this Rust one, tugger-apple-codesign from @indygreg:
- https://gregoryszorc.com/blog/2021/04/14/pure-rust-implementation-of-apple-code-signing/
- https://github.com/indygreg/PyOxidizer/tree/main/apple-codesign
- https://crates.io/crates/tugger-apple-codesign
However, ever since macOS 10.15, codesigning is not enough by itself; you must also notarize the app, and that isn't available yet:
- https://github.com/indygreg/PyOxidizer/issues/381
As far as I can find, in November 2021 there is not yet any Linux-compatible tool for performing the notarization (nor stapling) steps.
Notarization and stapling are theoretically possible to implement.
Stapling is likely easier, as I'm pretty sure it is effectively appending an Apple issued signature to the existing code signature in the binary. I could probably teach my Rust implementation to do this with a few hours of work.
Notarization is a bit trickier because non-Apple implementations may run afoul of service usage agreements you agreed to when you created your Apple Developer ID/account. Fear of Apple throwing down the legal hammer is a large reason I haven't attempted to implement notarization.
I'll also note that for binaries distributed over controlled channels (e.g. inside corporate networks or via sufficiently complex package managers like Homebrew), it is possible to circumvent Apple's notarization requirement by installing custom rules in the macOS assessment database using `spctl`. I've documented this at https://github.com/indygreg/PyOxidizer/blob/1e6b955d5e9179d1a9b9531c3158d05ba75c0b39/apple-codesign/src/tutorial.rs. This option does lessen security a bit. And if a popular/public project (like Homebrew) decided to start installing custom rules to bypass Apple's notarization requirement, who knows how Apple would react. I'd love to see a large open source project test the waters here...
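The comment above describes stapling as appending an Apple-issued ticket to the existing embedded code signature. As an added illustration (not code from the thread or from apple-codesign), the following parser walks the embedded-signature SuperBlob that a Mach-O's LC_CODE_SIGNATURE load command points at and reports which slots are present, so a defender can tell a merely signed binary from a stapled one. It assumes the slot indices and blob magics from Apple's `cs_blobs.h`; the two sample signatures are constructed in the script, and the ticket payload is a placeholder rather than a real ticket.

```python
import struct

# Slot indices and blob magics as defined in Apple's cs_blobs.h (xnu).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob that wraps all slots
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_REQUIREMENTS = 0xFADE0C01
CSMAGIC_BLOBWRAPPER = 0xFADE0B01         # generic wrapper, used for the CMS blob
CSSLOT_CODEDIRECTORY = 0
CSSLOT_REQUIREMENTS = 2
CSSLOT_SIGNATURESLOT = 0x10000           # CMS signature over the CodeDirectory
CSSLOT_TICKETSLOT = 0x10002              # slot a stapled notarization ticket occupies


def parse_superblob(data: bytes) -> dict:
    """Return {slot_index: (blob_magic, blob_bytes)} for an embedded-signature SuperBlob."""
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"not an embedded signature SuperBlob: {magic:#x}")
    if length > len(data) or 12 + 8 * count > length:
        raise ValueError("SuperBlob header claims more data than is present")
    slots = {}
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        if offset + 8 > length:
            raise ValueError(f"slot {slot:#x} index points outside the SuperBlob")
        blob_magic, blob_len = struct.unpack_from(">II", data, offset)
        if blob_len < 8 or offset + blob_len > length:
            raise ValueError(f"slot {slot:#x} blob overruns the SuperBlob")
        slots[slot] = (blob_magic, data[offset:offset + blob_len])
    return slots


def is_stapled(data: bytes) -> bool:
    """A stapled binary carries a ticket slot next to its CMS signature slot."""
    return CSSLOT_TICKETSLOT in parse_superblob(data)


def build_superblob(blobs) -> bytes:
    """Assemble a SuperBlob from (slot, magic, payload) tuples; used to construct samples."""
    header_len = 12 + 8 * len(blobs)
    index, body = b"", b""
    for slot, magic, payload in blobs:
        index += struct.pack(">II", slot, header_len + len(body))
        body += struct.pack(">II", magic, 8 + len(payload)) + payload
    total = header_len + len(body)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, total, len(blobs)) + index + body


# Constructed samples: a signed-only signature, and the same signature with a ticket appended.
SIGNED_BLOBS = [(CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY, b"\x00" * 16),
                (CSSLOT_REQUIREMENTS, CSMAGIC_REQUIREMENTS, b"\x00" * 4),
                (CSSLOT_SIGNATURESLOT, CSMAGIC_BLOBWRAPPER, b"CMS-PLACEHOLDER")]
SIGNED_ONLY = build_superblob(SIGNED_BLOBS)
# Placeholder ticket payload; the real ticket's internal format is not modelled here.
STAPLED = build_superblob(SIGNED_BLOBS + [(CSSLOT_TICKETSLOT, CSMAGIC_BLOBWRAPPER, b"TICKET-PLACEHOLDER")])
```

On a real binary, feed the bytes at the LC_CODE_SIGNATURE data offset to `parse_superblob`; a CMS slot without a ticket slot means the binary was signed but never stapled.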
Any updates on this? Would be really useful for game-ci automating macOS builds of Unity projects under Linux runners.
Version 0.9 of the `apple-codesign` Rust crate and its `rcodesign` CLI tool implement notarization and stapling for some file formats. Details in the release notes at https://github.com/indygreg/PyOxidizer/blob/main/apple-codesign/CHANGELOG.rst.
I implemented DMG signing last night but haven't pushed the commits yet.
Please file feature requests and bug reports against https://github.com/indygreg/PyOxidizer.