tools: added support for notarytool for osx notarization #48701
Signed-off-by: Ulises Gascon <UlisesGascon@users.noreply.github.com>
We have a new job in the release CI to test this script: https://ci-release.nodejs.org/job/testing-new-osx-notarization-ojs+release/. Next steps:
Thanks for the great pairing session @mhdawson!
LGTM, @UlisesGascon thanks for putting this together
To clarify for readers in terms of
It is really By November 1, 2023 we
I think that this will make it impossible to notarize releases with Based on xcodereleases Important: Node.js should/can be tested in macOS 10.15, this only affects the release process
Signed-off-by: Ulises Gascon <UlisesGascon@users.noreply.github.com> Refs: nodejs/build#3385 PR-URL: #48701 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Landed in e97d256
Maybe someone with a mac can verify if the https://nodejs.org/download/nightly/v21.0.0-nightly202309295570c29780/node-v21.0.0-nightly202309295570c29780.pkg macOS build was notarized? We didn't get a "Your Mac software was successfully notarized." email from Apple for v21.0.0-nightly202309295570c29780 but maybe that's a change with the use of the new tool?
FWIW https://ci-release.nodejs.org/job/iojs+release/9667/nodes=osx11-release-pkg/console succeeded but the parsed
08:08:23 sh tools/osx-notarize.sh v21.0.0-nightly202309295570c29780
08:08:23 objc[10383]: Class AMSupportURLConnectionDelegate is implemented in both /usr/lib/libauthinstall.dylib (0x202f4f490) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x10f3942b8). One of the two will be used. Which one is undefined.
08:08:23 objc[10383]: Class AMSupportURLSession is implemented in both /usr/lib/libauthinstall.dylib (0x202f4f4e0) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x10f394308). One of the two will be used. Which one is undefined.
08:08:23 Notarization process is done with Notarytool.
08:10:23 Notarization submitted. Operation ID:
08:10:23 ssh node-www "mkdir -p nodejs/nightly/v21.0.0-nightly202309295570c29780"
Lines 69 to 83 in 6aa7101
I was able to install the Sep 29th on my mac without any messages/complaints so looks to me like it worked. Would be good to get other people to install/test as well to be double sure.
Looks good to me:
$ /usr/local/bin/node --version
v21.0.0-nightly202309295570c29780
$ spctl -a -vvv -t install /usr/local/bin/node
/usr/local/bin/node: accepted
source=Notarized Developer ID
origin=Developer ID Application: Node.js Foundation (HX7739G8FX)
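The manual check in the comment above can be turned into an automated release gate. The following is an added example, not part of the original thread or of the Node.js build scripts: the function name `check_notarized` and the two counter-example outputs are constructed for illustration, and the first sample is the output quoted in the comment.

```bash
#!/bin/sh
# Added example: decide from `spctl -a -vvv -t install <path>` text whether a
# build is accepted, notarized, and signed by the expected team.
# Capture the text with `2>&1`: spctl writes its assessment to stderr.

# check_notarized <spctl-output> <expected-team-id>
# Returns 0 on success; 1 = not accepted, 2 = not notarized, 3 = wrong signer.
check_notarized() {
  cn_out=$1
  cn_team=$2
  # The first line must read "<path>: accepted".
  if ! printf '%s\n' "$cn_out" | head -n 1 | grep -Eq ': accepted$'; then
    echo "not accepted by Gatekeeper"; return 1
  fi
  # Anchored match, so "Unnotarized Developer ID" cannot pass.
  if ! printf '%s\n' "$cn_out" | grep -Eq '^source=Notarized Developer ID[[:space:]]*$'; then
    echo "no notarization ticket"; return 2
  fi
  # The origin line must end with the expected team ID in parentheses.
  cn_origin=$(printf '%s\n' "$cn_out" | sed -n 's/^origin=//p' | head -n 1)
  case "$cn_origin" in
    *"($cn_team)") return 0 ;;
    *) echo "unexpected signer: $cn_origin"; return 3 ;;
  esac
}

# Output quoted in the comment above.
SAMPLE_OK='/usr/local/bin/node: accepted
source=Notarized Developer ID
origin=Developer ID Application: Node.js Foundation (HX7739G8FX)'

# Constructed counter-example: signed but never notarized.
SAMPLE_UNNOTARIZED='/usr/local/bin/node: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Node.js Foundation (HX7739G8FX)'

# Constructed counter-example: notarized, but by a different (placeholder) team.
SAMPLE_WRONG_TEAM='/usr/local/bin/node: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

check_notarized "$SAMPLE_OK" HX7739G8FX && echo "release gate: pass"
```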
Looks good in terms of nightlies, removed the don't land tags
Main Changes
gon to be used only when notarytool is not available (Xcode version < 13.0)
notarytool pkg submission by using user, pass, teamId combination.
How to test this code?
There is a cloned job in the ci-release named testing-new-osx-notarization-ojs+release where you can build with parameters as always. Please always use disttype: test.
As an example:
The Build 14 is passing. see. The pkg files are working fine
The output from the Jenkins process is the expected:
Notes
In order to work properly, it is required to include a new environment variable NOTARIZATION_TEAM_ID in the Jenkins job; this data is not sensitive information.
I am a bit rusty in bash, so feel free to improve the script. Only the linter steps are relevant in the CI validation for this PR.
This is working with the existing credentials (NOTARIZATION_PASSWORD and NOTARIZATION_ID) so there are no breaking changes in the credentials for gon
Context
TL;DR:
By November 1, 2023, we should be able to use notarytool to notarize Node.js. Currently, we use gon, but there is no support for notarytool yet. Additionally, we want to replace gon as notarytool currently provides the option to wait for the notarization to be completed with the argument --wait.
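A sketch of the selection logic the description outlines, as an added example and not the PR's own tools/osx-notarize.sh. The function names, the mapping of NOTARIZATION_ID to `--apple-id`, and the sample `xcodebuild -version` strings are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: pick the notarization tool from the Xcode version and refuse
# to submit when a credential variable is missing.

# xcode_major <text of `xcodebuild -version`>: prints the major version.
xcode_major() {
  printf '%s\n' "$1" | sed -n 's/^Xcode \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# select_notary_tool <text of `xcodebuild -version`>
# Prints "notarytool" for Xcode 13 or later, "gon" for older toolchains.
select_notary_tool() {
  sn_major=$(xcode_major "$1")
  [ -n "$sn_major" ] || { echo "cannot parse Xcode version" >&2; return 1; }
  if [ "$sn_major" -ge 13 ]; then echo notarytool; else echo gon; fi
}

# require_notarization_env: fail closed if any variable is unset or empty.
require_notarization_env() {
  rn_missing=""
  for rn_name in NOTARIZATION_ID NOTARIZATION_PASSWORD NOTARIZATION_TEAM_ID; do
    eval "rn_val=\${$rn_name:-}"
    [ -n "$rn_val" ] || rn_missing="$rn_missing $rn_name"
  done
  [ -z "$rn_missing" ] || { echo "missing:$rn_missing" >&2; return 1; }
}

# submit_with_notarytool <pkg>: blocks until Apple returns a verdict (--wait).
# A password passed as an argument is visible in the process list while the
# command runs; notarytool also accepts --keychain-profile as an alternative.
submit_with_notarytool() {
  require_notarization_env || return 1
  xcrun notarytool submit "$1" \
    --apple-id "$NOTARIZATION_ID" \
    --password "$NOTARIZATION_PASSWORD" \
    --team-id "$NOTARIZATION_TEAM_ID" \
    --wait
}

# Constructed samples of `xcodebuild -version` output.
XCODE_NEW='Xcode 13.2.1
Build version 13C100'
XCODE_OLD='Xcode 12.4
Build version 12D4e'

select_notary_tool "$XCODE_NEW"   # prints: notarytool
select_notary_tool "$XCODE_OLD"   # prints: gon
```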