Task #2961
closed
Mac signing certificate for standin
Added by Christian Lohmaier about 5 years ago. Updated over 4 years ago.
Description
- create apple-id account (Xisco)
- invite that apple-id to TDF-Account (cloph)
- create certificate via XCode (Xisco)
- approve request with TDF-Account (cloph)
- create app-specific credentials (Xisco)
- add app-specific PW to local keychain (Xisco)
ideally should be sorted out Mid-October, in time for 6.4 cycle.
Updated by Xisco Fauli Tarazona about 5 years ago
Christian Lohmaier wrote:
> Steps to grant TDF signing certificate:
> - create apple-id account (Xisco)
Done. It's the same as my libreoffice email account.
Updated by Xisco Fauli Tarazona about 5 years ago
I'm trying to create a certification as a 'Developer ID application' but it fails with this error: Permissions failure: Your account does not have permission to create Developer ID Application certificates.
I'll send a certificate signing request as described here: https://stackoverflow.com/questions/40670557/your-account-does-not-have-permission-to-create-ios-distribution-certificates/40670695#40670695
Updated by Florian Effenberger about 5 years ago
- Due date deleted (2019-10-15)
Any progress, are there any blockers? I'd sleep a bit better to know you can also sign the Mac releases :-)
Updated by Florian Effenberger almost 5 years ago
- Subject changed from Mac singing certificate for standin to Mac signing certificate for standin
Any update on this?
Updated by Florian Effenberger over 4 years ago
- Target version changed from Q4/2019 to Q1/2020
Xisco, any progress? Anything you need from me for the moment?
Updated by Xisco Fauli Tarazona over 4 years ago
No progress since last time. I had a problem uploading to Catalina so I have to reinstall everything from scratch. I still need to get back to it.
Updated by Florian Effenberger over 4 years ago
- Target version changed from Q1/2020 to Q2/2020
Last status update is three months old - has there been progress in the meantime? Any blockers?
Updated by Christian Lohmaier over 4 years ago
- Target version changed from Q2/2020 to Q3/2020
We should definitely deal with that..
Steps are as laid out in the first message - create apple-ID, then I can send you an invite to the TDF development team. I double-checked and that is covered. You also have role "Developer"
https://developer.apple.com/support/roles/
→ but your account did not have "Access to Certificates, Identifiers & Profiles" that they introduced at some point…
Fixed that now, so you should be able to try again. (and you probably should also update your user profile, you're "Sdfasdf Fauli" currently....)
Updated by Xisco Fauli Tarazona over 4 years ago
Christian Lohmaier wrote:
> We should definitely deal with that..
> Steps are as laid out in the first message - create apple-ID, then I can send you an invite to the TDF development team. I double-checked and that is covered. You also have role "Developer"
> https://developer.apple.com/support/roles/
> → but your account did not have "Access to Certificates, Identifiers & Profiles" that they introduced at some point…
> Fixed that now, so you should be able to try again. (and you probably should also update your user profile, you're "Sdfasdf Fauli" currently....)
Certificate created.
Christian Lohmaier, do you have to approve it?
Updated by Christian Lohmaier over 4 years ago
You created the wrong type of certificate - you created a Development Certificate (one that doesn't need to be explicitly approved by the TDF account), not one that's used for production/distribution.
You need to create one of type "Developer ID Application" (that is the type used for stuff that is not distributed in appstore and is not an installer package)
https://help.apple.com/xcode/mac/current/#/dev154b28f09 → category macOS distribution → type Developer ID Application
Updated by Christian Lohmaier over 4 years ago
as for notarization:
submitting stuff to apple's notarization servers uses your apple-account to authenticate the request, and for that tool you created dedicated login credentials (as appleid otherwise mandates two-factor auth, the app-specific passwords are the only supported way)
https://appleid.apple.com/account/manage → in Security section: App-specific passwords → Generate password
That password can be stored in the keychain, so you don't have to enter it in plaintext on the commandline but instead can reference it with @keychain:LABEL_FOR_PASSWORDENTRY
see also https://support.apple.com/en-us/HT204397 & https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
Updated by Xisco Fauli Tarazona over 4 years ago
Information about notarization
- Move all the dmg files into a single directory for processing.
    mv $(find workdir/installation/ -type f -name \*dmg) ~/installsets/
- Notarize
    for file in *.dmg; do
        # bundle id suffix: "."$6 for langpack images, ".sdk" for sdk images, empty otherwise
        xcrun altool --notarize-app \
            --primary-bundle-id "org.libreoffice.7003$(echo "$file" | awk -F_ '/langpack/{sub(/\.dmg$/,""); print "."$6} /sdk/{print ".sdk"}').dmg" \
            --username "<your-apple-id@email>" --password "@keychain:NOTARIZE_APP" \
            --file "$file"
    done 2>&1 | tee -a ~/7003_notarize.log
-> The title of the mail will be "Your Mac software was not notarized." or "Your Mac software was successfully notarized."
NOTE: Recent failures were because Apple's servers were not available/responding in a way the altool expected, so those already were local failures (that's where keeping a local log comes into play)
- After you get emails for all the files, staple the result to the dmg (so notarization works offline; if not stapled onto the file it requires internet access to query Apple's server for the notarization result)
    for file in *.dmg; do xcrun stapler staple "$file"; done 2>&1 | tee -a staple.log
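A release gate for the stapling step in the comment above, as an added example that is not part of the original ticket or of TDF's release scripts: it staples each image, then runs `xcrun stapler validate` so a file that ends up without an attached ticket is reported instead of being shipped. The function name `staple_and_verify` and the log file argument are hypothetical; it assumes `xcrun` is on PATH and that `stapler` signals failure through its exit status.

```shell
#!/bin/sh
# Added example (not from the ticket): staple every .dmg in a directory and
# verify that the notarization ticket is really attached to the file.

# staple_and_verify DIR [LOGFILE]
# Prints one "OK <file>" or "FAIL <file>" line per disk image and returns
# non-zero if any image is left without a valid stapled ticket.
staple_and_verify() {
    dir=$1
    log=${2:-staple.log}
    failed=0
    for file in "$dir"/*.dmg; do
        # An unmatched glob stays literal; skip it instead of calling xcrun.
        [ -e "$file" ] || continue
        # "staple" fetches the ticket from Apple and attaches it;
        # "validate" checks the copy now embedded in the file, which is
        # what an offline Gatekeeper check relies on.
        if xcrun stapler staple "$file" >>"$log" 2>&1 &&
           xcrun stapler validate "$file" >>"$log" 2>&1; then
            echo "OK $file"
        else
            echo "FAIL $file"
            failed=1
        fi
    done
    return "$failed"
}
```

Call it as `staple_and_verify ~/installsets staple.log`; any `FAIL` line points at an image to re-staple once Apple's notarization result for it is available.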
Updated by Xisco Fauli Tarazona over 4 years ago
- Status changed from New to Resolved
Closing this ticket as RESOLVED since I'm able to build LibreOffice with a Developer ID certificate on my local machine. I'm also able to perform the notarization process as described in my previous comment.
Kudos to cloph for supporting me through the process.
Updated by Florian Effenberger over 4 years ago
- Status changed from Resolved to Closed
Great news! :)