#10328 Notarize Fedora MediaWriter on MacOS
Closed: Fixed 2 years ago by kevin. Opened 2 years ago by jgrulich.

  • Describe the issue
    We need to notarize official FMW builds for MacOS, otherwise users will keep getting warnings about a potentially malicious application when opening FMW (even when downloaded from https://getfedora.org).

  • When do you need this? (YYYY/MM/DD)
    ASAP

  • If we cannot complete your request, what is the impact?
    Users not using FMW. Not everyone knows they have to allow it in the settings, or they may not trust our builds at all.


Metadata Update from @mohanboddu:
- Issue assigned to kevin
- Issue tagged with: medium-gain, medium-trouble, ops

2 years ago

I'm deeply sorry how long this has lingered. It's on my list and keeps getting almost to the top and then new fires arrive. :(

Luckily we are back in freeze now and it's near the top of my list, so I really hope I can deal with it this week.

So, I got the releng mac mini all updated and I got myself signed up to the Red Hat apple developer account and I got a new cert, but I'm hitting some problems building:

First, it looks like it should be running a bunch of things with src/app/... instead of just app/ ?

=== Checking unresolved library deps ===
+ for binary in '"helper"' '"Fedora Media Writer"'
+ otool -L 'app/Fedora Media Writer.app/Contents/MacOS/helper'
+ grep -E '^\s'
+ sed -e 's/[[:space:]]\([^[:space:]]*\).*/\1/'
++ basename helper
+ read library
+ grep -Ev 'AppKit|Metal|Foundation|OpenGL|AGL|DiskArbitration|IOKit|libc\+\+|libobjc|libSystem|@rpath|helper'
error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool-classic: can't open file: app/Fedora Media Writer.app/Contents/MacOS/helper (No such file or directory)
+ for binary in '"helper"' '"Fedora Media Writer"'
+ otool -L 'app/Fedora Media Writer.app/Contents/MacOS/Fedora Media Writer'
+ grep -E '^\s'
+ sed -e 's/[[:space:]]\([^[:space:]]*\).*/\1/'
+ read library
++ basename Fedora Media Writer
+ grep -Ev 'AppKit|Metal|Foundation|OpenGL|AGL|DiskArbitration|IOKit|libc\+\+|libobjc|libSystem|@rpath|Fedora
Media
Writer'
error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool-classic: can't open file: app/Fedora Media Writer.app/Contents/MacOS/Fedora Media Writer (No such file or directory)
+ popd
+ sign
+ pushd build
+ echo '=== Signing the package ==='
=== Signing the package ===
+ find 'app/Fedora Media Writer.app' -name '*framework'
+ read framework
find: app/Fedora Media Writer.app: No such file or directory
+ find 'app/Fedora Media Writer.app' -name '*adwaita*'
+ read framework
find: app/Fedora Media Writer.app: No such file or directory
+ codesign -s B3F8F07B6C1753C4A0A270148D4F9DA77693F9D4 --deep -v -f 'app/Fedora Media Writer.app/Contents/MacOS/Fedora Media Writer' -o runtime
app/Fedora Media Writer.app/Contents/MacOS/Fedora Media Writer: No such file or directory

Fixing that and I hit that the lzma library isn't in /usr/lib/ here, it's in /usr/local/lib/ ?

=== Checking unresolved library deps ===
+ for binary in '"helper"' '"Fedora Media Writer"'
+ otool -L 'src/app/Fedora Media Writer.app/Contents/MacOS/helper'
+ grep -E '^\s'
+ sed -e 's/[[:space:]]\([^[:space:]]*\).*/\1/'
++ basename helper
+ read library
+ grep -Ev 'AppKit|Metal|Foundation|OpenGL|AGL|DiskArbitration|IOKit|libc\+\+|libobjc|libSystem|@rpath|helper'
+ [[ ! @loader_path/../Frameworks/QtDBus.framework/Versions/5/QtDBus == @loader_path/* ]]
+ read library
+ [[ ! /usr/lib/liblzma.5.dylib == @loader_path/* ]]
++ basename /usr/lib/liblzma.5.dylib
+ echo 'Copying liblzma.5.dylib'
Copying liblzma.5.dylib
+ cp /usr/lib/liblzma.5.dylib 'src/app/Fedora Media Writer.app/Contents/Frameworks'
cp: /usr/lib/liblzma.5.dylib: No such file or directory

Is that a consequence of too new macos? What version are you building with there?

Happy to debug this here, via email, or we could set up a meeting time and try and get it going...

I think on newer MacOS (I had this issue too) you have to search for the library in /usr/local/lib instead. I will have to update the script to probably check both locations.

@kevin any luck with that after changing the library location to /usr/local/lib?

Sadly, this fell off my radar. ;( I'll try and get back to it this next week... sorry about that.

Hello. Me again... months later. ;(

I'm finally swapping through my backlog and got here.

Anything new I should know before poking at it again and trying the separate location?

I saw there was a new version recently, but it didn't make mention of macos, is there still going to be macos support?

Anyhow, I'll see if I can get anywhere on it now.

There is a new version in progress, but it's just a different UI using a newer version of Qt; we will be using the same build script, so nothing should change here.

Thank you for looking into this.

ok. Here's where I got to last week.

I had to change references to add a src/ in front of "app/Fedora Media Writer.app" and change the library copy to /usr/local/

diff --git a/dist/mac/build.sh b/dist/mac/build.sh
index 26ec0de..b2a0353 100755
--- a/dist/mac/build.sh
+++ b/dist/mac/build.sh
@@ -5,11 +5,11 @@ set -e

 PATH="/usr/local/opt/qt@5/bin:/usr/local/opt/git/bin:/usr/local/bin:$PATH"

-DEVELOPER_ID="Developer ID Application: Martin Briza (Z52EFCPL6D)"
+DEVELOPER_ID="B3F8F07B6C1753C4A0A270148D4F9DA77693F9D4"
 QT_ROOT="/usr/local/opt/qt"
 QMAKE="${QT_ROOT}/bin/qmake"
 MACDEPLOYQT="${QT_ROOT}/bin/macdeployqt"
-NOTARIZATION_EMAIL=""
+NOTARIZATION_EMAIL="kfenzi@redhat.com"
 NOTARIZATION_KEYCHAIN_ITEM="XCODE_NOTARY"
 NOTARIZATION_ITUNES_ORGID=""

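Review bot: the `NOTARIZATION_EMAIL="kfenzi@redhat.com"` change commits a personal account address into the tracked build script, and `NOTARIZATION_ITUNES_ORGID=""` is still empty, so the `notarize` function below will pass `--asc-provider ""` to altool. Read the e-mail from the environment (`NOTARIZATION_EMAIL="${NOTARIZATION_EMAIL:?set notarization account}"`) the same way the password already comes from the keychain, and either fill in the provider short name or drop `--asc-provider` when it is empty. Replacing the "Developer ID Application: ..." name with a certificate SHA-1 fingerprint is accepted by `codesign -s`, but leave a comment saying it is a fingerprint, since anyone re-issuing the certificate will have to update it.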
@@ -62,14 +62,14 @@ function deps() {
     # Look at the binaries and search for dynamic library dependencies that are not included on every system
     # So far, this finds only liblzma but in the future it may be necessary for more libs
     for binary in "helper" "Fedora Media Writer"; do
-        otool -L "app/Fedora Media Writer.app/Contents/MacOS/$binary" |\
+        otool -L "src/app/Fedora Media Writer.app/Contents/MacOS/$binary" |\
             grep -E "^\s" | grep -Ev "AppKit|Metal|Foundation|OpenGL|AGL|DiskArbitration|IOKit|libc\+\+|libobjc|libSystem|@rpath|$(basename $binary)" |\
             sed -e 's/[[:space:]]\([^[:space:]]*\).*/\1/' |\
             while read library; do
             if [[ ! $library == @loader_path/* ]]; then
                 echo "Copying $(basename $library)"
-                cp $library "app/Fedora Media Writer.app/Contents/Frameworks"
-                install_name_tool -change "$library" "@executable_path/../Frameworks/$(basename ${library})" "app/Fedora Media Writer.app/Contents/MacOS/$binary"
+                cp /usr/local/lib/$(basename $library) "src/app/Fedora Media Writer.app/Contents/Frameworks"
+                install_name_tool -change "$library" "@executable_path/../Frameworks/$(basename ${library})" "src/app/Fedora Media Writer.app/Contents/MacOS/$binary"
             fi
         done
     done
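Review bot: the new `cp /usr/local/lib/$(basename $library)` throws away the directory that otool actually reported and hard-codes `/usr/local/lib`, so a dependency that really lives at the reported path (for example `/usr/lib/...` on an older system) will now fail to copy, while the `install_name_tool -change "$library" ...` line still rewrites the original path. Prefer the reported path and fall back to `/usr/local/lib` only when it is missing: `src="$library"; [ -f "$src" ] || src="/usr/local/lib/$(basename "$library")"; cp "$src" "src/app/Fedora Media Writer.app/Contents/Frameworks"`. Also quote `$(basename "$binary")` in the grep exclusion on the unchanged line: with `binary="Fedora Media Writer"` the unquoted expansion splits into three words, which is why the trace earlier in this ticket shows the pattern ending in `Fedora`, `Media`, `Writer` on separate lines.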
@@ -80,16 +80,16 @@ function sign() {
     pushd build >/dev/null
     echo "=== Signing the package ==="
     # sign all frameworks and then the package
-    find app/Fedora\ Media\ Writer.app -name "*framework" | while read framework; do
+    find src/app/Fedora\ Media\ Writer.app -name "*framework" | while read framework; do
         codesign -s "$DEVELOPER_ID" --deep -v -f "$framework/Versions/Current/" -o runtime
     done
-    find app/Fedora\ Media\ Writer.app -name "*adwaita*" | while read framework; do
+    find src/app/Fedora\ Media\ Writer.app -name "*adwaita*" | while read framework; do
         codesign -s "$DEVELOPER_ID" --deep -v -f "$framework" -o runtime
     done

-    codesign -s "$DEVELOPER_ID" --deep -v -f app/Fedora\ Media\ Writer.app/Contents/MacOS/Fedora\ Media\ Writer -o runtime
-    codesign -s "$DEVELOPER_ID" --deep -v -f app/Fedora\ Media\ Writer.app/Contents/MacOS/helper -o runtime
-    codesign -s "$DEVELOPER_ID" --deep -v -f app/Fedora\ Media\ Writer.app/ -o runtime
+    codesign -s "$DEVELOPER_ID" --deep -v -f src/app/Fedora\ Media\ Writer.app/Contents/MacOS/Fedora\ Media\ Writer -o runtime
+    codesign -s "$DEVELOPER_ID" --deep -v -f src/app/Fedora\ Media\ Writer.app/Contents/MacOS/helper -o runtime
+    codesign -s "$DEVELOPER_ID" --deep -v -f src/app/Fedora\ Media\ Writer.app/ -o runtime
     popd >/dev/null
 }

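Review bot: the `*framework` loop still signs `"$framework/Versions/Current/"`, which only exists for versioned Qt-style frameworks; a bare `.dylib` copied into `Contents/Frameworks` by `deps()` (liblzma) is never signed on its own, and an unsigned nested binary is exactly the kind of thing notarization rejects. Add a pass over `-name "*.dylib"` before signing the executables, or sign `"$framework"` when `Versions/Current` is absent. Separately, `--deep` is documented by Apple as unsuitable for signing (it only re-signs nested code it happens to find, in an order it chooses); since this script already signs inside-out, drop `--deep` and add `--timestamp`, which notarization requires.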
@@ -98,7 +98,7 @@ function dmg() {
     echo "=== Creating a disk image ==="
     # create the .dmg package - beware, it won't work while FMW is running (blocks partition mounting)
     rm -f "../FedoraMediaWriter-osx-$VERSION.dmg"
-    hdiutil create -srcfolder app/Fedora\ Media\ Writer.app  -format UDCO -imagekey zlib-level=9 -scrub -volname FedoraMediaWriter-osx ../FedoraMediaWriter-osx-$VERSION.unnotarized.dmg
+    hdiutil create -srcfolder src/app/Fedora\ Media\ Writer.app  -format UDCO -imagekey zlib-level=9 -scrub -volname FedoraMediaWriter-osx ../FedoraMediaWriter-osx-$VERSION.unnotarized.dmg
     popd >/dev/null
 }

@@ -107,7 +107,7 @@ function notarize() {
     xcrun altool --notarize-app --primary-bundle-id "org.fedoraproject.mediawriter" --username "${NOTARIZATION_EMAIL}" --password "@keychain:${NOTARIZATION_KEYCHAIN_ITEM}" --asc-provider "${NOTARIZATION_ITUNES_ORGID}" --file "../FedoraMediaWriter-osx-$VERSION.unnotarized.dmg"

     echo "DONE. After notarization finished (you'll get an email), run:"
-    echo "$ xcrun stabler stable app/Fedora\ Media\ Writer.app"
+    echo "$ xcrun stabler stable src/app/Fedora\ Media\ Writer.app"
     echo "$ hdiutil create -srcfolder app/Fedora\ Media\ Writer.app  -format UDCO -imagekey zlib-level=9 -scrub -volname FedoraMediaWriter-osx ../FedoraMediaWriter-osx-$VERSION.dmg"
 }

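Review bot: the printed follow-up commands are inconsistent with the hunk's own change: the `hdiutil create` line on the unchanged line still uses `app/Fedora\ Media\ Writer.app` without the `src/` prefix, so the final `.dmg` would be built from a path that no longer exists. The stapling command is also misspelled: the tool is `xcrun stapler staple`, not `stabler stable`, and the stapled bundle should be verified with `xcrun stapler validate` before the dmg is rebuilt. Note that `altool --notarize-app` has been deprecated by Apple in favour of `xcrun notarytool submit --wait`, which returns the result synchronously instead of requiring an e-mail round-trip.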
Woah, I managed to get it to upload:

No errors uploading 'FedoraMediaWriter-osx-4.2.1-231-g6fd6e58.unnotarized.dmg'.
RequestUUID = e22b112d-f70d-4a5c-88d8-b3ab370e37a7

Will see if it accepts it.

It didn't accept it. It wasn't signed right. :(

Will try and figure out what's wrong with my new certs...

We already fixed the build script adding "src/" to the path for the upcoming FMW version. Did you get more detailed information why it wasn't signed right? Maybe something is just missing to be signed (liblzma)? Looking at the script not all frameworks will have "$framework/Versions/current" so maybe do also something like this:

find src/app/Fedora\ Media\ Writer.app -name "*.dylib" | while read library; do
    codesign -s "$DEVELOPER_ID" --deep -v -f "$library" -o runtime
done

I think this will be needed anyway because as I can see with the upcoming FMW (written in Qt6), some libs are just copied into the Frameworks directory, while for example with Qt frameworks you can see each of them has QtModule.Framework directory where you find "Versions/current/".

I unfortunately haven't tried signing myself, I was just left with the script from the previous FMW maintainer. I also found a post here https://stackoverflow.com/questions/62052475/how-properly-add-macos-signature-notarization-to-app-built-with-qt. He doesn't run codesign for every single file, he just does it for the whole directory and apparently it works. You can verify whether a certain file or the app was signed with codesign -dv --verbose=4 $name.
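The two comments above both circle around the same question: which items inside the bundle need their own signature, and in what order. The script below is an added example, not code from this ticket or from the Fedora Media Writer repository. It walks an .app bundle and prints the items to sign inside-out (versioned frameworks via Versions/Current, loose .dylib files such as liblzma, helper executables, the main executable, and finally the bundle), emits the matching codesign commands, and verifies each item with the `codesign -dv --verbose=4` check mentioned above. The bundle layout it builds with `make_sample_bundle` is constructed for the demonstration, `DEVELOPER_ID` is a placeholder, and nothing is signed unless `RUN=1` is set on a Mac with codesign available.

```shell
#!/usr/bin/env bash
# Added example: plan, emit and verify inside-out code signing for an .app bundle.
# Not the FMW project's build.sh. DEVELOPER_ID is a placeholder identity.

DEVELOPER_ID="${DEVELOPER_ID:-PLACEHOLDER_DEVELOPER_ID}"

# Print one path per line in the order codesign must process them:
# nested code first, the main executable next, the bundle last.
sign_plan() {
    app="$1"
    fw="$app/Contents/Frameworks"
    macos="$app/Contents/MacOS"
    main="$(basename "$app" .app)"          # "Fedora Media Writer"
    if [ -d "$fw" ]; then
        # 1. Versioned frameworks: sign Versions/Current, not the symlink-laden root.
        find "$fw" -maxdepth 1 -name '*.framework' | sort | while read -r f; do
            if [ -d "$f/Versions/Current" ]; then
                printf '%s\n' "$f/Versions/Current"
            else
                printf '%s\n' "$f"
            fi
        done
        # 2. Loose dylibs copied into Frameworks (e.g. liblzma) have no Versions/ tree
        #    and need their own signature or notarization rejects the bundle.
        find "$fw" -maxdepth 1 -name '*.dylib' | sort
    fi
    if [ -d "$macos" ]; then
        # 3. Helper executables before the main executable.
        find "$macos" -maxdepth 1 -type f ! -name "$main" | sort
        [ -f "$macos/$main" ] && printf '%s\n' "$macos/$main"
    fi
    # 4. The bundle itself, which seals the Contents/_CodeSignature resources.
    printf '%s\n' "$app"
}

# Emit (or, with RUN=1, execute) the codesign commands for the plan.
# --timestamp and the hardened runtime are both required for notarization;
# --deep is deliberately absent because the order is handled by sign_plan.
sign_bundle() {
    app="$1"
    sign_plan "$app" | while read -r item; do
        if [ "${RUN:-0}" = 1 ]; then
            codesign --force --timestamp --options runtime --sign "$DEVELOPER_ID" "$item"
        else
            printf 'codesign --force --timestamp --options runtime --sign "%s" "%s"\n' \
                "$DEVELOPER_ID" "$item"
        fi
    done
}

# Verify every planned item individually, then the whole bundle strictly.
verify_bundle() {
    app="$1"
    sign_plan "$app" | while read -r item; do
        codesign -dv --verbose=4 "$item" || exit 1
    done || return 1
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Constructed bundle skeleton (empty files) so the plan can be inspected offline.
make_sample_bundle() {
    root="$1"
    app="$root/Fedora Media Writer.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Frameworks/QtCore.framework/Versions/A"
    ln -s A "$app/Contents/Frameworks/QtCore.framework/Versions/Current"
    : > "$app/Contents/Frameworks/liblzma.5.dylib"
    : > "$app/Contents/MacOS/helper"
    : > "$app/Contents/MacOS/Fedora Media Writer"
    printf '%s\n' "$app"
}

if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    sign_bundle "$(make_sample_bundle "$tmp")"
    rm -rf "$tmp"
fi
```

Run `bash sign_plan.sh --demo` to see the commands that would be issued for the sample layout; on a Mac, `RUN=1 DEVELOPER_ID=<your identity> bash -c '. ./sign_plan.sh; sign_bundle "src/app/Fedora Media Writer.app" && verify_bundle "src/app/Fedora Media Writer.app"'` performs and checks the signatures before the dmg is created.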

The signing problem seems to be that it can't find my new cert. ;( I'll try getting a new one and make sure I follow their docs on setting it up. ;(

I finally have this working. :)

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago


Metadata
Boards 1
Ops Status: Backlog