Sign Mac OS Installer packages #9139

Open
andyfeller opened this issue May 29, 2024 · 12 comments
Labels: core (This issue is not accepting PRs from outside contributors), enhancement (a request to improve CLI), packaging, tech-debt (A chore that addresses technical debt)

Comments

@andyfeller
Contributor

Describe the feature or problem you’d like to solve

Mac OS Installer package support added in #7554 should sign .pkg with an appropriate Developer ID Installer-signing identity.

Additional context

The existing GitHub CLI deployment workflow only has access to a Developer ID Application certificate, which cannot be reused for Installer packages.

andyfeller added the enhancement, packaging and tech-debt labels May 29, 2024
cliAutomation added the needs-triage label May 29, 2024
andyfeller added a commit that referenced this issue May 29, 2024
Relates #9139

This commit clarifies Mac OS Installer packages are unsigned due to additional work to obtain an Apple Developer ID Installer-signing identity.

@williammartin
Member

As I was reading https://lokal.so/blog/guide-to-sign-and-notarize-your-go-app-for-outside-mac-app-store-distribution I noticed that they notarize the installer .pkg. We currently notarize the contents, and hadn't considered notarizing the .pkg itself. Not sure what's necessary here but wanted to call it out.

There's also some stapling step which I've never seen before.

williammartin added the core label and removed the needs-triage label Jun 24, 2024

@andyfeller
Contributor Author

andyfeller commented Aug 12, 2024

As part of this work, the GitHub CLI website should be updated, directing users to download the Mac universal binary.

@sdavids

sdavids commented Aug 22, 2024

https://developer.apple.com/news/?id=saqachfa

Updates to runtime protection in macOS Sequoia
August 6, 2024

If you distribute software outside of the Mac App Store, we recommend that you submit your software to be notarized.


@steven-joruk-sp

> There's also some stapling step which I've never seen before.

Stapling is worthwhile: it attaches the notarization receipt to the package so that it's available even during offline validation.

There's no need to notarize a package's contents separately; it can all be done in one pass (see here).

You can authenticate to the notarization service either using an API key or an app-specific password. You can create an app-specific password through the Apple ID settings page for the account used to submit the notarization (docs).

Here's an example using an app-specific password:

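```sh
# Sign the package with the Developer ID Installer identity.
productsign \
    --sign "$DEVELOPER_ID_INSTALLER_CERTIFICATE" \
    unsigned.pkg \
    stapled.pkg

# Submit the signed package for notarization and wait for the result.
xcrun notarytool submit \
    --wait \
    --apple-id "$APPLE_ID" \
    --team-id "$TEAM_ID" \
    --password "$APP_SPECIFIC_PASSWORD" \
    stapled.pkg

# Attach the notarization ticket to the package.
xcrun stapler staple stapled.pkg
```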
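
A release-gate check for the sign, notarize and staple steps discussed in this thread, as an added example that is not part of the original comments or the GitHub CLI project's code. The function names and the `verify-pkg.sh` file name are hypothetical, and the matched strings assume the output that `pkgutil` and `spctl` print on current macOS.

```shell
#!/bin/sh
# Release gate for a macOS installer package: pass only if the .pkg is signed
# with a Developer ID Installer identity, accepted by Gatekeeper as notarized,
# and carries a stapled notarization ticket.

# check_signature PKG: pkgutil must succeed and list an Installer identity.
# A Developer ID Application certificate signs code, not .pkg files.
check_signature() {
    out=$(pkgutil --check-signature "$1" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Developer ID Installer:'
}

# check_gatekeeper PKG: spctl writes its verdict to stderr, so capture both.
# Assumption: a notarized package reports "source=Notarized Developer ID".
check_gatekeeper() {
    out=$(spctl --assess --type install -vv "$1" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'source=Notarized Developer ID'
}

# check_staple PKG: succeeds only when a ticket is attached to the package,
# which is what allows validation without network access.
check_staple() {
    xcrun stapler validate "$1" >/dev/null 2>&1
}

# verify_pkg PKG: prints one line per check, returns the number of failures.
verify_pkg() {
    pkg=$1
    failures=0
    for check in check_signature check_gatekeeper check_staple; do
        if "$check" "$pkg"; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run as a script (hypothetical file name): ./verify-pkg.sh stapled.pkg
if [ "${0##*/}" = "verify-pkg.sh" ]; then
    verify_pkg "${1:?usage: verify-pkg.sh PKG}"
fi
```

Running the three checks separately shows which stage of the pipeline regressed: an Application certificate fails only the first check, and a missing staple fails only the last.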
