
DevNotes_Processeses_Notarization

Wojciech Potrzebowski edited this page Mar 30, 2020 · 11 revisions

Notarization is an additional security step after code signing. Starting with OSX 10.15, unnotarized apps are not approved by Gatekeeper, and users may not be able to open them unless they change their security settings. SasView notarization is currently performed on OSX 10.14, accessible from Jenkins: https://jenkins.esss.dk/sasview-beta/job/SasView-OSX1014-Release/. All the steps besides stapling are performed by Jenkins and involve the following:

```
cp SasView5.0.app/Contents/MacOS/libz.1.dylib SasView5.0.app/Contents/Frameworks/

install_name_tool -change @rpath/libz.1.dylib @executable_path/../Frameworks/libz.1.dylib SasView5.0.app/Contents/MacOS/sasview

python ../../build_tools/code_sign_osx.py

codesign --verify --entitlements ../../build_tools/entitlements.plist --timestamp --options runtime --deep --verbose=4 --force --sign "Developer ID Application: European Spallation Source Eric (XXXXXXX)" SasView5.0.app

hdiutil create SasView5.dmg -srcfolder SasView5.0.app -ov -format UDZO

codesign -s "Developer ID Application: European Spallation Source Eric (XXXXXX)" SasView5.dmg

xcrun altool --notarize-app --primary-bundle-id "org.sasview.SasView5.0" --username "wxxxxx" --password "xxxxxx" --file SasView5.dmg
```

Once all of the above has been done through Jenkins, you should receive an email with the subject: "Your Mac software was successfully notarized".

Then log in to the machine and do the final stapling (requires credentials from esss.dk):

```
xcrun stapler staple "SasView5.dmg"
```

NOTE: Two packages had to be modified in the yaml file in order to perform notarization, namely clang_osx64 (added) and libgfortran (replaced with one from the schrodinger channel).
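The upload, wait and staple steps above as one script, as an added example that is not SasView's Jenkins job or code from this wiki: it polls `altool --notarization-info` instead of waiting for the e-mail, and passes the password as `@env:` so the secret is not on the command line. `AC_USER`, `AC_PASSWORD`, `POLL_SECONDS` and `MAX_POLLS` are assumed variable names, and the sample altool output is constructed.

```shell
#!/bin/sh
# Added example, not SasView's Jenkins job. AC_USER, AC_PASSWORD, POLL_SECONDS
# and MAX_POLLS are assumed environment variables, not names from the page.

# Constructed samples of altool output, used to exercise the parsers below.
SAMPLE_UPLOAD="No errors uploading 'SasView5.dmg'.
RequestUUID = 00000000-1111-2222-3333-444444444444"
SAMPLE_INFO="No errors getting notarization info.
   RequestUUID: 00000000-1111-2222-3333-444444444444
        Status: in progress
   Status Code: 0"

# Print the request UUID found in altool output read from stdin.
extract_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' | head -n 1
}

# Print the "Status:" field (not "Status Code:") from --notarization-info output.
extract_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

notarize_and_staple() {
    dmg=$1; polls=0
    # "@env:AC_PASSWORD" tells altool to read the password from the environment,
    # so the secret itself never appears on the command line.
    uuid=$(xcrun altool --notarize-app --primary-bundle-id "org.sasview.SasView5.0" \
        --username "$AC_USER" --password "@env:AC_PASSWORD" --file "$dmg" 2>&1 |
        extract_request_uuid)
    [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 1; }
    while [ "$polls" -lt "${MAX_POLLS:-60}" ]; do
        status=$(xcrun altool --notarization-info "$uuid" --username "$AC_USER" \
            --password "@env:AC_PASSWORD" 2>&1 | extract_status)
        case $status in
            success)
                # Attach the ticket, then confirm it is really on the image.
                xcrun stapler staple "$dmg" && xcrun stapler validate "$dmg"
                return ;;
            "in progress" | "") sleep "${POLL_SECONDS:-60}" ;;
            *) echo "notarization failed: $status" >&2; return 1 ;;
        esac
        polls=$((polls + 1))
    done
    echo "gave up waiting for request $uuid" >&2; return 1
}

# Run only when a disk image path is given on the command line.
if [ "$#" -gt 0 ]; then notarize_and_staple "$1"; fi
```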
