Create signed/notarized macOS binary (was: "Compiled asset at GH release loses execute permissions") #17
Comments
@w00lf apparently there is a way to do so: https://forums.developer.apple.com/thread/120989 But it's kind of complicated, and I wonder if it's easier to just distribute packed-mn via Homebrew https://github.com/metanorma/homebrew-metanorma (and we can make it an option to install the single binary vs the development chain). Thoughts @opoudjis @CAMOBAP795?
We might be able to use https://www.electron.build to sign the executable within a DMG, done just like in: So it should be possible.
Seems like we need to first package the binary in DMG or PKG format, going by the Apple Community post above. Here's some command line guidance for creating a DMG file: And we can also use this to create a PKG installer: Then we can sign + notarize the DMG / PKG using the electron builder command.
For the record, this is what we need to do on the "executable" itself: From https://forums.developer.apple.com/thread/120989
(The last step would be for Electron Builder)
This is done in metanorma/homebrew-metanorma#53. The original issue on DMG building still applies. |
@ronaldtse to be on the same page: we still plan to pack a DMG or PKG for packed-mn. If so, do we have a plan to distribute it via the App Store or some other way?
Yes we should go the way of PKG or DMG. We will need to sign the DMG/PKG, which is doable. The problem is that this is a command line tool, which is a bit strange for a package, but I guess it’s something that we need to do.
PKG can be simply created by

To get this signing identity we need to register in the Apple Developer Program: https://developer.apple.com/enroll

To generate a DMG we also need to be members of the Apple Developer Program. FYI @ronaldtse
@CAMOBAP sorry I missed this. We are a member of the program. A signed binary requires Apple notarisation. This thread gives a good example of what needs to be done: https://developer.apple.com/forums/thread/130379 Contents re-formatted below.
You can incorporate all of that into your build process if you want. It is very easy. Back when Catalina disabled 32-bit apps, a few people freaked out over ghostscript. Apparently nobody had bothered to rebuild that since 32-bit days. I built and notarized a 64-bit version in a few minutes. The hardest part was fixing the bugs in ghostscript itself so it would build on a modern machine.

Sign executables:

```sh
codesign --timestamp --options=runtime -s "Developer ID Application: ***" -v bin/gs
codesign --timestamp --options=runtime -s "Developer ID Application: ***" -v bin/pdftoraster
codesign --timestamp --options=runtime -s "Developer ID Application: ***" -v cups/pstoraster
codesign --timestamp --options=runtime -s "Developer ID Application: ***" -v cups/pstopxl
```

I assume you will have to sign dylibs too. If your software is doing anything funky, you may need additional hardened runtime entitlements.

I was building this from source. So I signed the working copy and then installed.

```sh
sudo make install
```

Now, I needed to create a temp install for the installer package. Your files will, of course, be different.

```sh
sudo mkdir /tmp/ghostscript
ditto /usr/local/bin /tmp/ghostscript/usr/local/bin
ditto /usr/local/share /tmp/ghostscript/usr/local/share
ditto /usr/libexec/cups/filter/pdftoraster /tmp/ghostscript/usr/libexec/cups/filter/
ditto /usr/libexec/cups/filter/pstoraster /tmp/ghostscript/usr/libexec/cups/filter/
ditto /usr/libexec/cups/filter/pstopxl /tmp/ghostscript/usr/libexec/cups/filter/
ditto /private/etc/cups/pdftoraster.convs /tmp/ghostscript/private/etc/cups/
ditto /private/etc/cups/pstoraster.convs /tmp/ghostscript/private/etc/cups/
```

Now create the installer.

Notarize the installer.

Wait for the e-mail or ping the server if you are impatient. An automated system would need to do something clever here. The

Once you are notarized, staple the ticket.
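The sign, package, notarize and staple sequence discussed in this thread as one script, including a check for the lost execute bit that opened the issue. This is an added example, not the quoted post's commands or metanorma's build code; it assumes macOS with the Xcode command line tools (`notarytool`, Xcode 13 or later, rather than the `altool` step the quoted post omits), an enrolled Developer ID with both an Application and an Installer certificate, and placeholder values for the package identifier, version and keychain profile name.

```shell
#!/bin/sh
# Added example, not from the issue thread or the metanorma project: sign, package,
# notarize and staple a command-line binary such as packed-mn. Assumes macOS with the
# Xcode tools; VERSION, NOTARY_PROFILE and PKG_ID below are placeholders.
set -eu
VERSION=${VERSION:-0.0.0}
NOTARY_PROFILE=${NOTARY_PROFILE:-AC_PROFILE}
PKG_ID=org.example.packed-mn
# Binaries need a "Developer ID Application" certificate and installer packages a
# "Developer ID Installer" one; ad-hoc ("-") or Apple Development identities fail
# notarization, so refuse them before spending a round-trip on Apple's service.
check_identity() {   # $1 identity string, $2 kind: Application or Installer
    case "$1" in "Developer ID $2: "*) return 0 ;; *) return 1 ;; esac
}
has_exec_bit() { [ -f "$1" ] && [ -x "$1" ]; }
# pkgbuild preserves the mode bits of the staging root and codesign does not touch
# them, so a binary that lost its execute bit (the symptom that opened this issue)
# must be repaired before packaging.
ensure_executable() {
    has_exec_bit "$1" || chmod 755 "$1"
    has_exec_bit "$1"
}

sign_binary() {   # $1 identity, $2 path; hardened runtime + timestamp as in the thread
    codesign --force --timestamp --options=runtime -s "$1" -v "$2"
    codesign --verify --strict --verbose=2 "$2"
}

build_pkg() {   # $1 staging root, $2 installer identity, $3 output .pkg
    pkgbuild --root "$1" --identifier "$PKG_ID" --version "$VERSION" \
        --install-location / --sign "$2" "$3"
}

notarize_and_staple() {   # $1 signed .pkg; spctl confirms Gatekeeper accepts it offline
    xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait
    xcrun stapler staple "$1"
    spctl --assess --type install -vv "$1"
}

main() {   # $1 binary, $2 application identity, $3 installer identity, $4 output .pkg
    check_identity "$2" Application && check_identity "$3" Installer ||
        { echo "refusing non-Developer-ID identity" >&2; return 1; }
    ensure_executable "$1" && sign_binary "$2" "$1"
    root=$(mktemp -d) && mkdir -p "$root/usr/local/bin"
    ditto "$1" "$root/usr/local/bin/$(basename "$1")"
    build_pkg "$root" "$3" "$4" && notarize_and_staple "$4"
}

# Run the pipeline only when given arguments, so the helpers can be sourced elsewhere.
if [ $# -eq 4 ]; then main "$@"; fi
```

Invoke it as `sh notarize.sh packed-mn "Developer ID Application: ..." "Developer ID Installer: ..." packed-mn.pkg`; the final `spctl` assessment is what a user's Gatekeeper will run, so a failure there means the package would be rejected on install.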
Currently, our GitHub Action build creates a new release with a compiled binary attached as an asset; however, such an upload lacks execute permissions, so it needs to be packed into an executable container (DMG).