Sign/notarize pkg installer #224

Open
marisademeglio opened this issue Apr 26, 2024 · 4 comments
Labels
build related to the build process

@marisademeglio
Member

The current pkg installer is not code-signed or notarized. Now that this is supported as of electron-notarize 2.3.0, we should try to do this.

@marisademeglio
Member Author

We will need to build this into the workflow that generates a distributable installer. In the meantime, I tried to submit the generated pkg installer for notarization via the command line, but it was unsuccessful, though the error it gave did not make sense. Here's what I tried:

  1. Build the release (output edited for length):
~/dev/pipeline-ui main* ⇣
❯ yarn dist --mac
...
  • packaging       platform=darwin arch=x64 electron=21.3.1 appOutDir=dist/mac
  • signing         
  • building        target=pkg arch=x64 file=dist/daisy-pipeline-1.3.0-mac.pkg
✨  Done in 355.75s.
  2. Submit the pkg file for notarization
~/dev/pipeline-ui/dist main* ⇣
❯ xcrun notarytool submit daisy-pipeline-1.3.0-mac.pkg --apple-id=****** --password=****** --team-id=******
Conducting pre-submission checks for daisy-pipeline-1.3.0-mac.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: ******
Upload progress: 100.00% (183 MB of 183 MB)
Successfully uploaded file
  id: ******
  path: /Users/marisa/dev/pipeline-ui/dist/daisy-pipeline-1.3.0-mac.pkg
  3. After some time, get the log, see status=Invalid:
~/dev/pipeline-ui/dist main* ⇣
❯ xcrun notarytool log ***NotarizationJobID*** --apple-id=****** --password=****** --team-id=******
{
  "logFormatVersion": 1,
  "jobId": "***NotarizationJobID",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "daisy-pipeline-1.3.0-mac.pkg",
  "uploadDate": "2024-04-26T21:36:37.600Z",
  "sha256": "*******",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "daisy-pipeline-1.3.0-mac.pkg",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": null
    }
  ]
}
  4. Inspect the binary as per the instructions at the docUrl. See that it is indeed signed.
~/dev/pipeline-ui/dist main* ⇣
❯ mkdir tmp && cd tmp && xar -xf ../daisy-pipeline-1.3.0-mac.pkg
❯ cpio -i < org.daisy.pipeline-ui.pkg/Payload
789644 blocks
❯ codesign -v -vvv --strict --deep DAISY\ Pipeline.app
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (GPU).app
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (GPU).app
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/ReactiveObjC.framework/Versions/Current/.
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/ReactiveObjC.framework/Versions/Current/.
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (Plugin).app
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (Plugin).app
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (Renderer).app
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper (Renderer).app
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper.app
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/DAISY Pipeline Helper.app
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--prepared:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/Helpers/chrome_crashpad_handler
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/Helpers/chrome_crashpad_handler
--validated:/Users/marisa/dev/pipeline-ui/dist/tmp/DAISY Pipeline.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
DAISY Pipeline.app: valid on disk
DAISY Pipeline.app: satisfies its Designated Requirement

@danielweck any thoughts here? I was hoping to at least be able to build a signed pkg installer for distribution now, and figure out the workflow integration later.

@danielweck
Member

"message": "The binary is not signed."

...it looks like they're expecting the PKG itself to be signed?

@marisademeglio
Member Author

Ah, that's a good point. I was reading Notarization Failed for "The binary is not signed", which pointed to the app file being the issue, but it seems that pkg files must be signed too. Which brings me to... we need a different type of signing identity to sign pkg files! It says:

An installer signing identity (not an application signing identity) is required for signing flat-style products.)

@rdeltour is this available from our developer account?

productbuild --sign "Developer ID Application: US Fund for DAISY (******)" --component mac/DAISY\ Pipeline.app /Applications daisy-pipeline.pkg
productbuild: Adding component at /Users/marisa/dev/pipeline-ui/dist/mac/DAISY Pipeline.app
productbuild: error: Cannot write product to "daisy-pipeline.pkg". 
(Could not find appropriate signing identity for “Developer ID Application: US Fund for DAISY (******)”. 
An installer signing identity (not an application signing identity) is required for signing flat-style products.)

@marisademeglio
Member Author

marisademeglio commented May 9, 2024

This was an issue with Apple certificates, now resolved. The signing/notarizing of the pkg file has to be done on the command line:

Get the IDs of the installed certificates
❯ security find-identity -v 

Sign the pkg
❯ productsign --sign "<ID of Developer ID Installer certificate>"  daisy-pipeline-1.3.0-mac.pkg daisy-pipeline-1.3.0-mac-signed.pkg

Notarize the pkg
❯ xcrun notarytool submit daisy-pipeline-1.3.0-mac-signed.pkg --apple-id=<your-apple-id> --password=<i-forget-where-this-password-came-from-its-not-my-apple-one> --team-id=SAMG8AWD69

notarytool info and log commands can be used to check the status

Staple the pkg
❯ xcrun stapler staple daisy-pipeline-1.3.0-mac-signed.pkg

Verify
❯ spctl --assess --verbose --type install daisy-pipeline-1.3.0-mac-signed.pkg
daisy-pipeline-1.3.0-mac-signed.pkg: accepted
source=Notarized Developer ID

Still todo:

@marisademeglio marisademeglio added this to the 1.6 milestone Jun 17, 2024
@marisademeglio marisademeglio added the build related to the build process label Jun 24, 2024
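
The signing and notarization steps from the last comment, combined into one script as an added example (not code from the thread or from the pipeline-ui project). The function names and the INSTALLER_ID and NOTARY_PROFILE variables are assumptions; the script uses notarytool's --keychain-profile option in place of the --apple-id/--password/--team-id flags shown above, so the password does not appear on the command line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the function names, and the
# INSTALLER_ID / NOTARY_PROFILE variables. NOTARY_PROFILE names a keychain
# profile created once with `xcrun notarytool store-credentials`.

# True only if the pkg itself carries a signature. A signed .app inside an
# unsigned pkg is the case that was rejected with "The binary is not signed".
pkg_is_signed() {
    pkgutil --check-signature "$1" 2>/dev/null | grep -q 'Status: signed'
}

# Submit, wait for the verdict, and require status "Accepted" in the JSON
# result rather than relying on the exit status alone.
notarize_pkg() {
    result=$(xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" \
        --wait --output-format json) || return 1
    printf '%s\n' "$result" |
        grep -Eq '"status"[[:space:]]*:[[:space:]]*"Accepted"'
}

# release_pkg <unsigned.pkg> <signed.pkg>; each failing stage has its own code.
release_pkg() {
    [ -n "${INSTALLER_ID:-}" ] && [ -n "${NOTARY_PROFILE:-}" ] ||
        { echo "set INSTALLER_ID and NOTARY_PROFILE" >&2; return 1; }
    [ -f "$1" ] || { echo "missing input: $1" >&2; return 2; }
    productsign --sign "$INSTALLER_ID" "$1" "$2" || return 3
    pkg_is_signed "$2" || { echo "pkg is not signed: $2" >&2; return 4; }
    notarize_pkg "$2" || { echo "notarization not accepted: $2" >&2; return 5; }
    xcrun stapler staple "$2" || return 6
    spctl --assess --verbose --type install "$2" || return 7
}

# Run only when called with two arguments: <unsigned.pkg> <signed.pkg>
if [ "$#" -eq 2 ]; then
    release_pkg "$1" "$2"
fi
```

The return code identifies the stage that failed, so a build workflow can stop before stapling or publishing a pkg that was never accepted.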