ci: progress on codesigning macOS builds #620
Commits:
- Fix travis warnings, cleanup is now disabled by default.
- Rename some keys which travis was aliasing anyway
- Fixes for macOS signing
- Add osx signing keys in before_install step
- try fixing macos-signing script and makefile command. Add warning for running it locally
- Move import-macos-cert script to scripts/ci
- Increase macOS signing tool verbosity
@@ -17,6 +17,9 @@ current_release = subprocess.run( | |||
).stdout.strip() | |||
print("bundling activitywatch version " + current_release) | |||
|
|||
entitlements_file = Path(".") / "scripts" / "package" / "entitlements.plist" |
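Review bot: `Path(".")` on the new `entitlements_file` line resolves against the current working directory of whoever runs the script, so the entitlements file is only found when the build is launched from the repository root and silently resolves to a non-existent path otherwise. Anchor the path on the script's own location instead, e.g. `Path(__file__).resolve().parent` joined with the relative path to `entitlements.plist`, and fail early with a clear error if `entitlements_file.is_file()` is false rather than letting codesign report a missing entitlements file later in the build.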
Using `.` here is probably bad.
This is at the point where we should really give it some keys to try using in CI. Builds might still not work, but CI failing due to missing keys needs to be resolved sooner or later anyway.
I managed to get it to build but notarization will not succeed (neither on the app or the dmg).
https://wiki.freepascal.org/Hardened_runtime_for_macOS#Verifying_hardening
@kewde Thanks for the reply, noting the same issue. In the CI logs I see a couple lines of I also found pyinstaller/pyinstaller#4701 which suggests you can turn on hardened runtime at
@ErikBjare Investigating this. It shouldn't be adhoc signing, instead it should be signing using the certificate as specified identifier.
Might be due to the certificate not being available when PyInstaller does its thing (if that is the case, would be nice if it threw an error instead). So I guess we need to retrieve the cert somehow, I assume you can't do that with just Also found this, which seems pretty comprehensive: https://stackoverflow.com/questions/64652704/how-to-notarize-an-macos-command-line-tool-created-outside-of-xcode
The certificate is available on my machine, so it should work. This is something else, will comment once I know.
@ErikBjare I used the original
Thanks for all the help on this @kewde. I don't have access to a macOS box today, but will investigate further tomorrow or Friday.
@ErikBjare codesigning & notarization works, will PR 🎉 PyInstaller codesigning command line is rather buggy: the Notarization output
@ErikBjare it seems like the CI is not importing the certificate into the keychain, fixed in #703. Please note: for notarization you must use a developer id (used for distribution), not a development id.
Seems like signing & notarization works now, nice! Still can't get the app to open when I double-click in Finder, but works with That can wait for another PR though.
Merging this, fixing the double-click in Finder will have to wait for another PR...
Huge thanks @kewde for helping with getting this done!
@ErikBjare re: double clicking Finder We should check out the ^It's not the solution but seems like it might be a bit funky
@kewde Unfortunately it does not seem to be that simple. Pretty sure that the cause/fix is pyinstaller/pyinstaller#5109 (comment). I worked briefly on a minimum viable reproducible example yesterday, and managed to use macOS
Progress on code signing, building on lessons learned in #344.
Co-authored-by: @xylix
What works
- .app, which passes `xcnotary precheck` and doesn't return 'adhoc' when checked with `codesign -cv ActivityWatch.app`.
Issues
- .app, might be due to fix: fixed module paths on macOS aw-qt#76
- Accessibility perms don't seem to work anymore? Always getting 'unknown' events.
- `codesign -f -s $SIGNER --entitlement entitlement.plist ActivityWatch.app/Contents/MacOS/aw-watcher-window` to aw-qt and aw-watcher-window after the build is done seems to work, at least for the 'applescript' strategy.
- Should use https://github.com/FiloSottile/age to securely deliver the key (instead of the complicated openssl command used in Work on CI code signing macOS .app #344)
Related PRs
- NSAppleEventsUsageDescription #699
Bounty recipients
- NSAppleEventsUsageDescription #699, and is eligible for a part of the bounty
Resources
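The thread leans on two checks that are easy to get wrong: the description's test that `codesign` does not report an 'adhoc' signature, and the hardened-runtime check behind the freepascal link earlier in the thread (notarization rejects both an ad-hoc signature and a binary without the hardened runtime, and, as noted above, needs a Developer ID rather than a development certificate). The script below is an added example, not code from this PR or the ActivityWatch project: a signing helper that passes `--options runtime` and `--entitlements`, plus verification functions that parse the report `codesign -dvvv` writes, so they can be exercised on constructed sample reports on any platform. `$SIGNER`, the "Developer ID Application" identity and the sample report contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): sign a Mach-O binary with the hardened
# runtime, then decide from codesign's own report whether the result is
# something notarization will accept. Only sign_with_hardened_runtime and
# verify_bundle need macOS; the parsing helpers work on any saved report.

# Sign one binary with the identity in $SIGNER (assumed to be a
# "Developer ID Application: ..." certificate), an entitlements file and the
# hardened runtime. --timestamp embeds a secure timestamp, also required
# for notarization.
sign_with_hardened_runtime() {
    binary="$1"; entitlements="$2"
    codesign --force --sign "$SIGNER" --timestamp --options runtime \
        --entitlements "$entitlements" "$binary"
}

# Return 0 when a codesign report describes an ad-hoc signature (no identity
# at all), 1 otherwise.
is_adhoc_report() {
    grep -q '^Signature=adhoc$' "$1"
}

# Return 0 when the CodeDirectory flags carry the hardened-runtime bit, which
# codesign renders as "(runtime)" after the hex flags value.
has_hardened_runtime() {
    grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*runtime' "$1"
}

# Print the Developer ID Application identity named in the report, or nothing
# when the chain is a development certificate (not valid for distribution).
signing_identity() {
    sed -n 's/^Authority=\(Developer ID Application: .*\)$/\1/p' "$1" | head -n 1
}

# One-word verdict on a saved report:
#   ok | adhoc | no-hardened-runtime | not-developer-id
# Returns 0 only for "ok".
signature_verdict() {
    if is_adhoc_report "$1"; then
        echo adhoc; return 1
    fi
    if ! has_hardened_runtime "$1"; then
        echo no-hardened-runtime; return 1
    fi
    if [ -z "$(signing_identity "$1")" ]; then
        echo not-developer-id; return 1
    fi
    echo ok
}

# Live check on macOS: capture codesign's report (it goes to stderr) and run
# the verdict over it. Prints "unsigned" when codesign finds no signature.
verify_bundle() {
    tmp=$(mktemp) || return 2
    if ! codesign -dvvv "$1" >"$tmp" 2>&1; then
        rm -f "$tmp"; echo unsigned; return 1
    fi
    if signature_verdict "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

In CI the natural place for `verify_bundle` is right after the signing step and before the notarization upload: `codesign -v` alone is not enough there, because it validates an ad-hoc signature just as happily as a Developer ID one, and it says nothing about the hardened runtime. Keeping the parsing separate from the live call also lets the checks be unit-tested on saved reports from a build that misbehaved.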