Task #2961

closed

Mac signing certificate for standin

Added by Christian Lohmaier over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Target version: Team - Q3/2020
Start date:
Due date:
% Done: 0%


Description

Steps to grant TDF signing certificate:
  1. create apple-id account (Xisco)
  2. invite that apple-id to TDF-Account (cloph)
  3. create certificate via Xcode (Xisco)
  4. approve request with TDF-Account (cloph)
For notarization:
  1. create app-specific credentials (Xisco)
  2. add app-specific PW to local keychain (Xisco)

Ideally this should be sorted out mid-October, in time for the 6.4 cycle.

Actions #1

Updated by Florian Effenberger about 5 years ago

  • Due date set to 2019-10-15
Actions #2

Updated by Xisco Fauli Tarazona about 5 years ago

Christian Lohmaier wrote:

Steps to grant TDF signing certificate:
  1. create apple-id account (Xisco)

Done. It's the same as my LibreOffice email account.

Actions #3

Updated by Xisco Fauli Tarazona about 5 years ago

I'm trying to create a certification as a 'Developer ID application' but it fails with this error: Permissions failure: Your account does not have permission to create Developer ID Application certificates.
I'll send a certificate signing request as described here: https://stackoverflow.com/questions/40670557/your-account-does-not-have-permission-to-create-ios-distribution-certificates/40670695#40670695

Actions #4

Updated by Florian Effenberger about 5 years ago

  • Due date deleted (2019-10-15)

Any progress, are there any blockers? I'd sleep a bit better to know you can also sign the Mac releases :-)

Actions #5

Updated by Florian Effenberger about 5 years ago

  • Subject changed from Mac singing certificate for standin to Mac signing certificate for standin

Any update on this?

Actions #6

Updated by Florian Effenberger almost 5 years ago

  • Target version changed from Q4/2019 to Q1/2020

Xisco, any progress? Anything you need from me for the moment?

Actions #7

Updated by Xisco Fauli Tarazona almost 5 years ago

No progress since last time. I had a problem uploading to Catalina so I have to reinstall everything from scratch. I still need to get back to it.

Actions #8

Updated by Florian Effenberger over 4 years ago

  • Target version changed from Q1/2020 to Q2/2020

Last status update is three months old - has there been progress in the meantime? Any blockers?

Actions #9

Updated by Christian Lohmaier over 4 years ago

  • Target version changed from Q2/2020 to Q3/2020

We should definitely deal with that.
Steps are as laid out in the first message - create apple-ID, then I can send you an invite to the TDF development team. I double-checked and that is covered. You also have the role "Developer"
https://developer.apple.com/support/roles/
→ but your account did not have "Access to Certificates, Identifiers & Profiles" that they introduced at some point…

Fixed that now, so you should be able to try again. (And you probably should also update your user profile, you're "Sdfasdf Fauli" currently...)

Actions #10

Updated by Xisco Fauli Tarazona over 4 years ago

Christian Lohmaier wrote:

We should definitely deal with that.
Steps are as laid out in the first message - create apple-ID, then I can send you an invite to the TDF development team. I double-checked and that is covered. You also have the role "Developer"
https://developer.apple.com/support/roles/
→ but your account did not have "Access to Certificates, Identifiers & Profiles" that they introduced at some point…

Fixed that now, so you should be able to try again. (And you probably should also update your user profile, you're "Sdfasdf Fauli" currently...)

Certificate created.
Christian Lohmaier, do you have to approve it?

Actions #11

Updated by Christian Lohmaier over 4 years ago

You created the wrong type of certificate - you created a Development Certificate (one that doesn't need to be explicitly approved by the TDF account), not one that's used for production/distribution.

You need to create one of type "Developer ID Application" (that is the type used for stuff that is not distributed in appstore and is not an installer package)
https://help.apple.com/xcode/mac/current/#/dev154b28f09 → category macOS distribution → type Developer ID Application

Actions #12

Updated by Christian Lohmaier over 4 years ago

As for notarization:
Submitting stuff to Apple's notarization servers uses your Apple account to authenticate the request, and for that tool you created dedicated login credentials (as Apple ID otherwise mandates two-factor auth, the app-specific passwords are the only supported way)
https://appleid.apple.com/account/manage → in Security section: App-specific passwords → Generate password

That password can be stored in the keychain, so you don't have to enter it in plaintext on the command line but instead can reference it with @keychain:LABEL_FOR_PASSWORDENTRY

see also https://support.apple.com/en-us/HT204397 & https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

Actions #13

Updated by Xisco Fauli Tarazona over 4 years ago

Information about notarization

  1. Move all the dmg files into a single directory for processing.
    find workdir/installation/ -type f -name '*.dmg' -exec mv {} ~/installsets/ \;
    
  2. Notarize
    for file in *.dmg; do xcrun altool --notarize-app --primary-bundle-id "org.libreoffice.7003$(echo "$file" | awk -F_ '/langpack/{sub(/\.dmg$/,""); print "."$6} /sdk/{print ".sdk"}').dmg" --username "<your-apple-id@email>" --password "@keychain:NOTARIZE_APP" --file "$file"; done 2>&1 | tee -a ~/7003_notarize.log
    

    -> The title of the mail will be "Your Mac software was not notarized." or "Your Mac software was successfully notarized."
    NOTE: Recent failures were because Apple's servers were not available/responding in a way the altool expected, so those already were local failures (that's where keeping a local log comes into play)
  3. After you get emails for all the files, staple the result to the dmg (so notarization works offline; if not stapled onto the file, it requires internet access to query Apple's server for the notarization result)
    for file in *.dmg; do xcrun stapler staple "$file"; done 2>&1 | tee -a staple.log
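
A reusable form of the notarization loop from comment #13, combined with the keychain-reference advice from comment #12. This is an added example, not part of the ticket or of TDF's release scripts; the function names, the NOTARIZE_RUN variable and the sample file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the ticket. Function names, NOTARIZE_RUN and the
# sample file names are constructed for illustration.

# Build the --primary-bundle-id the same way as the awk one-liner: fields are
# split on "_", a langpack build carries its language in field 6.
bundle_id_for() {
    bid_suffix=$(basename "$2" | awk -F_ '
        /langpack/ { sub(/\.dmg$/, ""); print "." $6 }
        /sdk/      { print ".sdk" }')
    printf '%s%s.dmg\n' "$1" "$bid_suffix"
}

# Accept only a keychain reference, so the app-specific password itself never
# shows up in the process list or the shell history.
password_ref_ok() {
    case $1 in
        @keychain:?*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Submit one dmg. By default the command is only echoed (dry run); run with
# NOTARIZE_RUN set to the empty string to actually call xcrun.
notarize_one() {
    n_prefix=$1 n_user=$2 n_pw=$3 n_file=$4
    password_ref_ok "$n_pw" || { echo "refusing non-keychain password" >&2; return 2; }
    [ -f "$n_file" ] || { echo "no such file: $n_file" >&2; return 3; }
    ${NOTARIZE_RUN-echo} xcrun altool --notarize-app \
        --primary-bundle-id "$(bundle_id_for "$n_prefix" "$n_file")" \
        --username "$n_user" --password "$n_pw" --file "$n_file"
}

# Constructed file names: show the bundle id each one maps to.
for f in LibreOffice_7.0.0.3_MacOS_x86-64.dmg \
         LibreOffice_7.0.0.3_MacOS_x86-64_langpack_de.dmg \
         LibreOffice_7.0.0.3_MacOS_x86-64_sdk.dmg; do
    printf '%s -> %s\n' "$f" "$(bundle_id_for org.libreoffice.7003 "$f")"
done
```

Reviewing the echoed commands before setting NOTARIZE_RUN to the empty string catches a wrong bundle id or a plaintext password before anything is uploaded.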
    
Actions #14

Updated by Xisco Fauli Tarazona over 4 years ago

  • Status changed from New to Resolved

Closing this ticket as RESOLVED since I'm able to build LibreOffice with a Developer ID certificate on my local machine. I'm also able to perform the notarization process as described in my previous comment.
Kudos to cloph for supporting me through the process.

Actions #15

Updated by Florian Effenberger over 4 years ago

  • Status changed from Resolved to Closed

Great news! :)
