Added apple docs #184

Open
wants to merge 1 commit into
base: main
21 changes: 21 additions & 0 deletions apple/certificates.md
@@ -0,0 +1,21 @@
# Apple Certificates

Apple docs: https://developer.apple.com/support/certificates/

The process to create a new certificate signing request can be found here:
https://help.apple.com/developer-account/#/devbfa00fef7

Instructions on how to issue new certs:
https://mana.mozilla.org/wiki/pages/viewpage.action?spaceKey=RelEng&title=Signing#Signing-OSX&iOSSigning

### Notes
1. There's a limited amount of `Apple Distribution`, `Developer ID Installer`,
`Developer ID Application`, `iOS App Development` (and possibly others) that can
be issued and valid at the same time.
**BE EXTREMELY CAREFUL WITH ISSUED CERTIFICATES.**
Contributor

If I'm a Relenger doing this for the first time, how would I be careful with them? This is a warning without enough detail.


1. `App Managers` with `Access to Certificates, Identifiers & Profiles` are able
to issue production level certificates. We should avoid giving out this type of
access.
Contributor

Similar to my guidelines comment elsewhere, let's change this to "don't give out this type of access unless ___". Approval from a small set of informed and trusted individuals may work; alternately, an explicit checklist may work if you want to avoid pings.


1. If we migrate to autograph/rcodesign, we won't need to hold the certificate in a keychain
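
Review bot: The last note says the certificate is currently held in a keychain, but nothing in this file says which keychain or host that is, where the private key created with the certificate signing request ends up, or who can export it. Since the first note says only a limited number of these certificates can be issued and valid at once, add a short step covering where the key is stored and how to revoke a certificate that is no longer needed, so the bold warning is actionable. Minor: the heading level jumps from `#` straight to `###`.
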
21 changes: 21 additions & 0 deletions apple/index.rst
@@ -0,0 +1,21 @@
Apple Developer Portal
======================
Contributor

nit: ideally we'd start moving to the tutorial/how-to/explanation/reference model in https://documentation.divio.com/. If we're creating an Apple section, it may be nice to link to the pages in https://github.com/mozilla-releng/scriptworker-scripts/wiki .


Apple developer portal can be accessed at https://developer.apple.com.
Credentials can be found in the RelEng SOPS under apple-accounts.yml

____
Bitrise: https://app.bitrise.io/users/sign_in.

Access given via ldap group in conjunction to a Bitrise account.
____


Contents:

.. toctree::
:maxdepth: 2

certificates.md
user_access.md
provisioning_profiles.md
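
Review bot: The two `____` lines sit directly against the Bitrise text, with no blank line between the first `____` and `Bitrise: ...` or between the `Access given via ldap group ...` line and the closing `____`. reStructuredText only treats a punctuation line as a transition when it has blank lines on both sides, so as written these will be read as a section title overline and underline. Either add the blank lines or give Bitrise its own titled section. Also check that the docs build has a Markdown parser enabled, since this toctree lists `.md` files while the top-level index lists `.rst` files.
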
6 changes: 6 additions & 0 deletions apple/provisioning_profiles.md
@@ -0,0 +1,6 @@
# Provisioning Profiles

Production profiles are used when developers want to bypass notarization.
Contributor

Should we have a "their use should be discouraged" type warning?


Development profiles include a list of devices, where the application will be
able to install and run without a production-level signing process.
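
Review bot: The opening sentence presents production profiles as the way to bypass notarization without saying when that is acceptable or who approves it. user_access.md in this same change says access that can issue production-level certificates is very unlikely to be appropriate, so this page should state the equivalent rule for production profiles and link to that page. For development profiles, say who maintains the device list and how a device is removed from it.
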
19 changes: 19 additions & 0 deletions apple/user_access.md
@@ -0,0 +1,19 @@
# Apple Account User Access

All mozilla apple (mac/iOS) developers will need an apple account. We should try
as much as possible only give out permissions to their @m.c accounts. Personal
accounts should be avoided in case the developer leaves the company and we don't
delete the apple account.

## Permissions
Roles are confusing!
Contributor

These are a bit vague, and it may be more helpful to the general Relenger if you guide them. E.g., "For developers, check these boxes." If you don't want to document every little thing, then it may come down to "if someone asks for something out of these guidelines, then ask ____". If you don't want to be pinged about these questions, then you likely want to document the edge cases.


An user with `Developer` Role, and
`Access to Certificates, Identifiers & Profiles` will only be able to access
development-level items. **The majority of developers will want this combination.**

`App Managers` with `Access to Certificates, Identifiers & Profiles` will be able
to issue production-level certificates. **It is very unlikely that we should
allow this type of access. Make sure the user understands this risk.**

Sales, Marketing and Finance users will likely want `Access to Reports`.
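
Review bot: The first paragraph gives "the developer leaves the company and we don't delete the apple account" as the reason to avoid personal accounts, but the page documents no offboarding step for either kind of account. Add one: remove the departing user from the team and review what their role allowed them to issue. Spell out `@m.c` as the full domain so a first-time reader knows which accounts are meant. Wording: "try as much as possible only give out" is missing "to", and "An user" should be "A user".
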
1 change: 1 addition & 0 deletions index.rst
Expand Up @@ -50,6 +50,7 @@ Contents:
machine-users.rst
troubleshooting.rst
gecko_tests/index.rst
apple/index.rst

.. toctree::
:caption: Meta