Re: [cbi-dev] MacOS notarization

Hi Mikael,

Thanks for the hint. I updated the target platform and the build succeeds with the notarization now.

As I am no mac user, I can't verify the result on mac. But I asked a user to verify it for me.

As you asked me to do, I added my notes to https://wiki.eclipse.org/IT_Infrastructure_Doc

I hope that information is correct and helps others in signing and notarizing their apps.

Greez,
Dirk

Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote on Tue, 2 June 2020, 15:19:
From the build logs, it seems that you're building an app with an old version of the launcher (org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.700.v20180518-120). You need to upgrade your dependencies to at least 2019-09 IIRC (the first one with hardened runtime enabled for launcher and native libraries).

Cheers,

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 2 June 2020 at 13:46, Dirk Fauth <dirk.fauth@xxxxxxxxx> wrote:

Hi Mikael,


Hope that helps in finding the issue.

Greez,
Dirk

On Tue, Jun 2, 2020 at 12:33 PM Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dirk,

Could you please try again so I can find the logs more easily? Thanks.

Cheers,

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 28 May 2020 at 09:36, Sravan K Lakkimsetti <sravankumarl@xxxxxxxxxx> wrote:

I don’t have any other suggestions now. We need to wait for Mikael to return from his vacation.
 
Thanks
Sravan
 
From: Dirk Fauth <dirk.fauth@xxxxxxxxx> 
Sent: 27 May 2020 11:38
To: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [cbi-dev] MacOS notarization
 
Hi,
 
thanks for the hint. But it seems this is not the cause. I had some conversation with Mikael before writing to this mailing list. And he said that actually the default signerUrl redirects to the correct service.
 
I tested it anyhow to see if there is some issue with the default and added the signerUrl like you suggested. But I still get the same errors.
 
Any other suggestions?
 
Greez,
Dirk
 
On Fri, May 22, 2020 at 9:56 AM Sravan K Lakkimsetti <sravankumarl@xxxxxxxxxx> wrote:
 
Thanks
Sravan
 
From: Sravan K Lakkimsetti <sravankumarl@xxxxxxxxxx> 
Sent: 20 May 2020 21:13
To: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [cbi-dev] MacOS notarization
 
Hi,
 
There are multiple stages in the notarization process
 
  1. Sign native libraries and executables with hardened runtime and entitlements. (The platform team does this; nothing to be done from the end user side unless you have a native library.)
  2. Create the eclipse app. You can use tycho-p2-director-plugin (see https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.xml#n49).
  3. Sign the eclipse app with hardened runtime and entitlements. You can use the mac signer plugin (see https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.l#n108). Probably you missed this step.
  4. Create a signed dmg. You can use eclipse-dmg-packager (see https://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.xml#n127).
  5. Then notarize your application.
 
From the message I suspect you may be missing step 3. In step 3 we specify an explicit signer URL. Please use that; otherwise you will not have a secure timestamp or hardened runtime enabled.
 
Hope this helps
Sravan
 
From: Dirk Fauth <dirk.fauth@xxxxxxxxx> 
Sent: 20 May 2020 20:02
To: Common-build Developers discussion <cbi-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [cbi-dev] MacOS notarization
 
Hi,
 
thanks for the hint. It seems that the issue really was that I tried to trigger the notarization from the download area. Moving it to the Jenkins area works. But now I get errors from the notarization service.
 
The signature does not include a secure timestamp.
The executable does not have the hardened runtime enabled.
The binary is not signed.
 
I have added the following to the pom.xml of the product project.
 
    <plugin>
      <groupId>org.eclipse.cbi.maven.plugins</groupId>
      <artifactId>eclipse-dmg-packager</artifactId>
      <version>${cbi-version}</version>
      <executions>
        <execution>
          <goals>
            <goal>package-dmg</goal>
          </goals>
          <phase>integration-test</phase>
          <configuration>
            <source>${project.build.directory}/products/org.eclipse.nebula.widgets.nattable.examples.e4.product-macosx.cocoa.x86_64.tar.gz</source>
            <continueOnFail>true</continueOnFail>
            <timeoutMillis>600000</timeoutMillis> <!-- 10 min -->
            <continueOnFail>${macSigner.forceContinue}</continueOnFail>
            <sign>true</sign>
          </configuration>
        </execution>
      </executions>
    </plugin>
 
The cbi-version is 1.1.8-SNAPSHOT. Any idea why the created dmg file seems to be incorrect?
 
Greez,
Dirk
 
On Wed, May 20, 2020 at 3:03 PM Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx> wrote:
What is your complete curl command?
 
Are you using curl file:/// ?
 
On 2020-05-19 1:40 p.m., Dirk Fauth wrote:
Hi, 
 
I am trying to get the signing and notarization working for MacOS for the NatTable Example application. 
 
 
I tried to adapt the shell script from platform and Oomph, but it seems my knowledge of curl etc. is not good enough. I always get the following error:
 
curl: (26) couldn't open file "org.eclipse.nebula.widgets.nattable.examples.e4.product-macosx.cocoa.x86_64.dmg"
 
Although I think I am in the right directory and things should work. I really don't understand what is going wrong. It would be great if someone could lend me a hand on solving this problem. 
 
As Mikael already asked me to do, I will also write some hints in the wiki about the notarization etc. to help others in the future. But to do so it should work at least. Probably I am only missing some simple thing, but I really don't see what.
 
Greez,
Dirk
 
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cbi-dev
-- 
Denis Roy
Director, IT Services | Eclipse Foundation, Inc.
Eclipse Foundation: The Platform for Open Innovation and Collaboration
Twitter: @droy_eclipse
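
Added example, not part of the thread or of any Eclipse project code: a macOS user checking the result can run `codesign -dvvv` on the launcher and native libraries inside the .app, and this Python sketch maps that output to the three notarization errors quoted above. The sample outputs are constructed, and the markers it looks for (`Timestamp=`, `not signed at all`, the `runtime` flag on the `CodeDirectory` line) are assumed to match what `codesign` prints.

```python
import re

# Notarization errors quoted in the thread.
ERR_UNSIGNED = "The binary is not signed."
ERR_TIMESTAMP = "The signature does not include a secure timestamp."
ERR_RUNTIME = "The executable does not have the hardened runtime enabled."


def notarization_findings(codesign_output):
    """Map the text printed by `codesign -dvvv <path>` to the errors above."""
    code_dir = re.search(r"^CodeDirectory .*\bflags=0x[0-9a-fA-F]+\(([^)]*)\)",
                         codesign_output, re.M)
    if "not signed at all" in codesign_output or code_dir is None:
        return [ERR_UNSIGNED]
    findings = []
    # Assumption: a secure (timestamp-server) time is printed as "Timestamp=",
    # while a signature without one only has a local "Signed Time=" line.
    if not re.search(r"^Timestamp=", codesign_output, re.M):
        findings.append(ERR_TIMESTAMP)
    # Assumption: hardened runtime shows up as the "runtime" code-signing flag.
    if "runtime" not in code_dir.group(1).split(","):
        findings.append(ERR_RUNTIME)
    return findings


# Constructed sample outputs (paths, identifiers and dates are made up).
SAMPLES = {
    "unsigned":
        "/tmp/Example.app/Contents/MacOS/example: code object is not signed at all\n",
    "signed_plain":
        "Executable=/tmp/Example.app/Contents/MacOS/example\n"
        "Identifier=org.example.app\n"
        "CodeDirectory v=20200 size=512 flags=0x0(none) hashes=8+5 location=embedded\n"
        "Signed Time=Jun 2, 2020 at 1:46:00 PM\n",
    "signed_hardened":
        "Executable=/tmp/Example.app/Contents/MacOS/example\n"
        "Identifier=org.example.app\n"
        "CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=8+5 location=embedded\n"
        "Timestamp=Jun 2, 2020 at 3:19:00 PM\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, notarization_findings(text) or "no findings")
```
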