Release Engineering

Christian Lohmaier wrote:

Steps to grant TDF signing certificate:

1. create apple-id account (Xisco)

Done. it's the same as my libreoffice email account

I'm trying to create a certification as an 'Developer ID application' but it fails with this error: Permissions failure: Your account does not have permission to create Developer ID Application certificates.
I'll send a certificate signing request as described here: https://stackoverflow.com/questions/40670557/your-account-does-not-have-permission-to-create-ios-distribution-certificates/40670695#40670695

No progress since last time. I had problem uploading to Catalina so I have to reinstall everything from scratch. I still need to get back to it

Christian Lohmaier wrote:

We should definitely deal with that..
Steps are as laid out in the first message - create apple-ID, then I can send you an invite to the TDF develoment team. I double-checked and that is covered. you also have role "Developer"
https://developer.apple.com/support/roles/
→ but your account did not have "Access to Certificates, Identifiers & Profiles" that they introduced at some point…

Fixed that now, so you should be able to try again. (and you probably should also update your user profile you're "Sdfasdf Fauli" currently....

Certificate created.
Christian Lohmaier, do you have to approve it ?

You created the wrong type of certificate - you created a Development Certificate (one that doesn't need to be explicitly approved by the TDF account), not one that's used for production/distribution.

You need to create one of type "Developer ID Application" (that is the type used for stuff that is not distributed in appstore and is not an installer package)
https://help.apple.com/xcode/mac/current/#/dev154b28f09 → category macOS distribution → type Developer ID Application

as for notarization:
submitting stuff to apple's notarization servers uses your apple-account to authenticate the request, and for that tool you created dedicated login credentials (as appleid otherwise mandates two-factor auth, the app-specific passwords are the only supported way)
https://appleid.apple.com/account/manage → in Security section: App-specific passwords → Generate password

That password can be stored in the keychain, so you don't have to enter it in plaintext on the commandline but instead can reference it with @keychain:LABEL_FOR_PASSWORDENTRY

see also https://support.apple.com/en-us/HT204397 & https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

Information about notarization

1. Move all the dmg files into a single directory for processing.
   

   mv $(find workdir/installation/ -type f -name \*dmg) ~/installsets/
   

2. Notarize
   

   for file in *.dmg; do xcrun altool --notarize-app --primary-bundle-id "org.libreoffice.7003$(echo $file | awk -F_ '/langpack/{sub(/.dmg/,""); print "."$6} /sdk/{print ".sdk"}').dmg" --username "<your-apple-id@email>" --password "@keychain:NOTARIZE_APP" --file $file; done 2>&1 |tee -a ~/7003_notarize.log
   

   
   -> The title of the mail will be "Your Mac software was not notarized." or "Your Mac software was successfully notarized."
   NOTE: Recent failures were because apple's servers were not available/responding in a way the altool expected, so those already were local failures (that's where keeping local log comes into play)
3. After you get emails for all the files, staple the result to the dmg (so notarization works offline, if not stapled onto the file it requires internet access to query apple's server for the notarization result)
   

   for file in *.dmg; do xcrun stapler staple $file; done 2>&1 |tee -a staple.log