[Script Recorder] Notarise Electron App #51
Comments
|
There's some administrative headache associated with accomplishing this. We're going to need a developer account with Apple. This is going to require working together with IT to get an account set up for us I suppose. @vigneshshanmugam any thoughts on this? |
|
Yes, we would need a company account for signing the distributable and notarizing the app. |
|
Do we know if we already have some facility elsewhere in Elastic for this? |
|
I thought about it yesterday and the best thing would be to ask the team responsible for "Elastic Shield" application. Probably IT helpdesk or infosec, dont have much clue. |
|
We do use an Apple developer account for notarization of artifacts that are published as part of our automated Release Manager process, but I don't know too many details surrounding how Apple structures permissions for the organization (if we're using a single shared account or if there is a concept of multiple users that fall under a shared developer agreement). IT manages our Apple account, so they would be best to answer the structure question, but the @elastic/infra-release area members might be able to provide some technical guidance on the existing notarization mechanisms we have in place. |
|
Hi, Currently we've got App IDs for a few Elastic products: The Endgame and Agent folks are the main active ones, I usually do renewal on the certs and profiles, or approved new devices. You may only need a Developer ID to sign your self-distributed apps, but I'm not sure of what the entitlements that your Synthetics recorder might be using? Maybe none? Otherwise it looks like we'd need to:
I am might be missing some things since I admin this but am not a dev using these services day-today. So indeed you might benefit from asking the other teams at Elastic who are releasing about this. Once we've got a good idea of App ID names, any entitlements or Services used, etc. we can move forward. Also just checking since this app is already being used in production, InfoSec has already had a chance to do whatever reviews they need to? Also, here's Apple's minimalist Help pages on these topics: https://help.apple.com/developer-account/#/ |
|
@brunerd looking at the list of entitlements, at a glance I don't think we need any of them per se.
The app is published as a dev preview at the moment, it's not seeing actual production use yet. We'll start the process with InfoSec soon though.
Could we add a group instead of individuals?
This should be |
|
As an aside, this is the reason we want to get progress on this issue. Users are greeted with this if they try to open from the Applications menu:
If they do the "command+click" method of opening it, they're still given a scary warning message:
|
|
Apple Developer accounts are created per user in "App Store Connect" and it can't leverage our Okta groups, it doesn't have that kind of integration. Requests come in via the it-eng github, here's some examples of the format and types of requests: We'll also need to set up the App ID (the bundle ID of the app), the Provisioning Profiles and assign tose profiles to the UUIDs of the Macs being used for dev work. |
|
Update here; we've created an issue to track the addition of users and provisioning of an app ID: (private repo) https://github.com/elastic/it-eng/issues/1146. We need some additional information, namely the UUID of the other developers' laptops not included in that list, as well as a final decision on the App ID to use when signing the bundle. When we're ready we can let the IT team know and they'll set up and provision the necessary resources for us. The rest of the team is out until the new year so we will need to wait a bit before we can complete this setup process. Once we're past that we can work to notarize the application and issue a new release that won't issue the warning. |
|
OK, I've created both the App ID Also, the |
|
Thanks @brunerd - I will try to let you know today if I encounter any snags. |
|
As an update here - we have successfully signed our binaries with developer certs, and all seems to work fine to a point. We are unable to notarize our binaries presently, details follow. The next stage as I understand it is to collaborate with the Infra team to create a process by which we can sign our binaries with Developer ID Installer certificates. These certificates will be signed with Elastic's org name (as opposed to the developer-signed binaries we can create locally, which use our developer name, i.e. Justin Kambic in my case). As such, the org does not distribute these certificates for unsupervised use by developers. I'll update back where when we have moved the new introduction of this process beyond initial stages. |
|
Hey @justinkambic - any update on this? |
|
Hi @drewpost - yes we are progressing on this. Notarization is a late-stage milestone of https://github.com/elastic/observability-robots/issues/1113, which is tracking the overall automation of all the release stages we'll need in order to be GA. We've recently merged #238, which takes care of signing the binaries with Elastic's official developer certificate. We will be doing some experimentation around notarizing these binaries after we ship our next release, which I'm hoping will be this week sometime. Once we have shipped a signed binary, I'll experiment with Apple's notarization service to see what additional work is needed (specifying entitlements, is it the right kind of cert, etc.), and we'll make whatever requisite changes to the CI process as needed. At that point, we should be able to automatically trigger a release that will take care of the signing, communication with the Apple service, and publishing the final release binary. It is possible there's a significant amount of discrete scope in that last bit that we won't uncover until we're working on it. |
|
After some additional investigation, you cannot submit to Apple's notarization service without access to the keychain that contains the certificate used for signing, so we're going to have to develop this piece of the pipeline completely within our CI environment. cc @v1v |
As long as the the notorization runs in the same CI worker where the Let me ping @mgreau , since he might have some ideas about this. The original support to sign the apple binaries was done in -> #238 |
|
@v1v yes I believe you are correct in that we should have no problem executing it as part of the signing process. There is an npm package that handles all of this with some minimal hookup code, but we've abstained from contributing it thus far as we were thinking of being able to leverage an existing process. The package that handles this does it in an automated way a la Electron Builder. |
|
I've started creating a draft adding notarization script to afterSign hook: #290 option 1. Using Worker having xcode13 installed:
option 2. Using current Worker:
@v1v Could you advise which option would be possible to take for us going forward? |
We might need to involve the release and CI systems team as they are the system owners and might know further about what certificates or xcode are available in the existing workers. @elastic/release-eng and @elastic/ci-systems , would you mind helping on this? @kyungeunni asked a few questions in #51 (comment) that you probably can provide further insights. |
|
We do have a task to upgrade the macOS signing workers to a newer OS, which would include upgrading Xcode. From that angle, I can see going down the option1. With that said, the work has been put on hold so far due to:
@kyungeunni what is your rough timeline for wrapping this up ? Would you potentially have some bandwidth in helping to manually provision (instructions) and validate the macOS worker if that's an option - the Release Eng team would normally do it, but as mentioned above, we have no bandwidth at the moment, and a collaboration may be the most effective approach. cc @mgreau |
|
Hello @nkammah! |
|
@kyungeunni I re-imaged I am validating that worker onto https://internal-ci.elastic.co/. Do you have a Jenkins job we can use to validate that it works on this worker for your app? |
|
Hi @nkammah, thanks for this update!! 🥇 I've triggered a Jenkins job that uses |
Is this something to be fixed on your end or on the worker's end? |
|
I wasn't sure which credentials are needed. Now, I found out we need to generate app-specific password and store it in the keychain, if it hasn't been done yet.
Then I'd need to use the References: |
|
Our Release Eng. team signing expert is not available atm, but it seems like this is how we do signing of other apps - would a similar approach work for your app? |
|
Thanks for sharing the reference! 👍 I'm trying out Electron focused notarisation tooling (https://github.com/electron/electron-notarize) so once we have the proper credential available for the recorder(I can see Endgame team also uses app-specific password), I think that should be an excellent first step. Also, I noticed we'd need to review the entitlements list too. It'd be great to consult with the expert in Realease Eng. team! (ofc when they are available :) ) |
|
Hi @v1v Is it possible for us to use notarize-macos-artifacts job for notarising? I found out we use the same credentials for all the mac apps. The scripts seems to be quite general so I was wondering if it'd be possible and also make sense to reuse the existing script. (Also I'd like to avoid exporting credentials to be used in the release scripts as we had security concerns) Here you can find threads and references regarding the notarisation: https://github.com/elastic/it-eng/issues/1654#issuecomment-1247620277 |
|
@kyungeunni @v1v feel free to take a stab at using the existing Jenkins job and reporting what you find out |
|
@kyungeunni I believe the problem is not with failing to copy the files, but rather than the app, or some portion of it, was already signed. We do have exceptions on some files already signed (see here) but it seems like in this case, this one is not listed. Did you sign |
|
Actually, I uploaded un-signed one(the one I built in my local machine). It is odd that it says it's already signed 🤔 . I thought it was something related to the artifacts not found in the expected directory as I was seeing these error code: |
|
The signing script starts by detecting all the path within the .zip file to be signed - in your app's case, it looks as below: The error we were receiving was that Looking at the order of path to sign, it seems like we're signing, in that order
Given that the command sign options we use are as below my initial theory was that the For experimentation sake, I removed the I don't know if this is because I tried to sign an arm64 binary on a non-arm mac. |
|
@kyungeunni I've been going on and on, trying different things, but it seems like the stapling is failing and I suspect because of an issue with the code structure. It links to a more detailed log visible here I have no idea why the file is called
|
|
A bit of update: @nkammah and I caught up in Slack and verified that we can notarize the app that is signed by our CD with In the meantime, we can notarize the latest release manually so that it is not blocked by the mentioned task above. |
IIUC, that's already in place in the existing Release stage -> synthetics-recorder/.ci/Jenkinsfile Lines 148 to 183 in 1559e65
If the notorizing is something to be done by another CI job provided by the Release team, then it could be similarly done as the one for signing the artifacts with the synthetics-recorder/.ci/Jenkinsfile Lines 221 to 224 in 1559e65 Let me know if the above is not the way to do it, and how you envision the macos notarisation. |
On macOS, we need to notarise our application to prevent Gatekeeper from throwing an error when it's run that requires a user to process a security exception. This requires admin access which a lot of users won't have, is a frustrating step for users who do have permissions and is reputation ally damaging.
https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
The text was updated successfully, but these errors were encountered: