Quicksilver is not codesigned #2654
Comments
|
I'd like to continue working on this. $ xcrun notarytool submit Quicksilver\ 1.6.1.dmg --wait --team-id '...' --apple-id '...' --password '...'
Conducting pre-submission checks for Quicksilver 1.6.1.dmg and initiating connection to the Apple notary service...
Error: HTTP status code: 403. Invalid or inaccessible developer team ID for the provided Apple ID. Ensure the Team ID is correct and that you are a member of that team.@skurfer would you add me to your Apple "team," which should allow me to sign using my own ID and password? Based on https://help.apple.com/developer-account/#/dev3e8818774 it should be: https://developer.apple.com/account -> |
|
Perhaps a handy Apple-official link to refer to in documentation: https://support.apple.com/en-us/HT202491 |
|
I don’t see “People”. Maybe because I have an individual membership and not a business? |
|
Ah, that makes sense.
|
|
WOOHOO! Got it. |
|
What a relief. @skurfer @pjrobertson can you guys take a look at https://github.com/quicksilver/Quicksilver/actions/runs/1913370728? I think the hard part (of signing) is done, but I'm sure there are a few more tweaks before merging. Specifically, I'm going to do a little tinkering tomorrow with (fake) repo secrets and convince myself of the security here. Again, I think limiting the Also, I'd like some feedback on #2655 (comment) -- specifically I think we'll probably want to continue the current logic for naming the DMG (the version part), but I think we'll likely need to manually keep track of the Good progress though, I'm psyched. |
|
Whoa! Notarization works and the DMG is accepted. Nice work! (I tried building and notarizing locally as well and got the same result.) What’s with the One small thing: My keychain profile is called “Quicksilver Notarization”. Can you make that an environment variable that just defaults to “Quicksilver” instead of hard-coding it?
What’s the use case? Would we ever want to release something with a version number that looked like that? Or would that only affect the DMG filename and not the app’s version? FYI, the version ultimately comes from |
|
Wooh! DMG and .app all verify correctly. Great work Nate!
As for triggering release builds, tags could work, but I still think simply pushing a commit “RELEASE” to master is simple enough. Some other thoughts in favour of this:
* I think it’s more readable to those visiting the repo - they can see the release info right in the commit history
* I’m not a big fan of how Github displays tags, as I think it can be confusing for users: e.g. I go to download what looks like version 1.6.1 (v1.6.1.tar.gz) of Quicksilver and it ends up being a load of jumbled code.
* As Rob pointed out - the version number doesn’t come from the tag itself, but from the QS_INFO_VERSION val - so by just pushing a commit to master, we wouldn’t need to actually *create* anything new.
I would also say we stay away from the idea of non-conforming naming/version numbers: e.g. ‘1.6.1-hotfix’ - I think that may just cause headaches down the line.
But tags vs. commit message - I could go either way really.
Couple of other points:
There are multiple artefacts here: https://github.com/quicksilver/Quicksilver/actions/runs/1913370728 Ideally there’d just be the DMG
I see there are a load of tags like 0.0.1 and 0.0.2 from last November. Looks like they were created by Nate. Can those be deleted?
… On 1 Mar 2022, at 10:13, Rob McBroom ***@***.***> wrote:
Whoa! Notarization works and the DMG is accepted. Nice work! (I tried building and notarizing locally as well and got the same result.)
What’s with the notarytool crash? Was it on one of the status checks? Because the process obviously worked.
One small thing: My keychain profile is called “Quicksilver Notarization”. Can you make that an environment variable that just defaults to “Quicksilver” instead of hard-coding it?
As an alternative, we could take 1.6.1 from the tag, which would give us some flexibility to e.g.: git tag 1.6.1-hotfix && git push --tags -> Quicksilver 1.6.1-hotfix.dmg
What’s the use case? Would we ever want to release something with a version number that looked like that? Or would that only affect the DMG filename and not the app’s version?
FYI, the version ultimately comes from QS_INFO_VERSION in Configuration/Developer, not Info.plist.
—
Reply to this email directly, view it on GitHub <#2654 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABEXH2MRVW2B7C2AJYOHATU5QTTNANCNFSM5PDFSMCA>.
Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.
|
|
Security: Their overview is pretty good: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions It covers topics like code injection via maliciously crafted PR titles (e.g. pull request title
I also used a separate account that I have, created a new repo, and then issues a PR from my main account that added a file to It does note on the page for managing secrets:
In keeping with this, in my testing, the secret was blank when the action was run from a PR sent in by a user that did not have write access to the test repository. So I think this all seems pretty good. |
I have no idea, wasn't really sure how to debug it either.
How about I just make it default to dc6cb77dab02e328b0fc4152d868a989417a38ac
For a beta release, for example.
I would think both -- continuing the example of a beta release, the DMG to make it obvious when a user goes through their downloads folder a month later that this was
Right, gotcha. I don't think the tag naming thing is particularly important, I'm fine going without if there's not a terrible lot of enthusiasm. We can always revisit later, it shouldn't hold us back. |
To clarify -- the release itself will actually go to the
No problem, we can revisit if we want to consider for beta testing at some point.
I'm not sure I agree -- the way I see it, the build artifacts serve a few purposes:
Additionally, IMO we do not generally want to build the full codesigned So I think the tags and build artifacts solve a few issues in a pretty easy way and have a few advantages:
Had forgotten about those. I'll take a look. |
Done mapfile -t tags < <(git tag --sort=creatordate --format='%(authorname) %(refname:lstrip=2)' |
awk '/^Nathan Henrie/ { print $NF }')
for tag in "${tags[@]}"; do
git tag --delete "${tag}"
git push origin :refs/tags/"${tag}"
donehttps://github.com/quicksilver/Quicksilver/tags Most recent is now https://github.com/quicksilver/Quicksilver/releases/tag/v1.6.1 |
|
I've since deleted it, but here is what appears on https://github.com/quicksilver/Quicksilver/releases when I run: git tag -s test-tag-release-2
As you can see it's successfully pulling the release name from I'm not sure why it replaced the space with a @pjrobertson I think this is pretty unambiguous (and comparable to many other large projects) with respect to the artifacts available on the releases page -- just the DMG and the source code (as compared to short-lived artifacts that are available for each run). |
|
Re: spaces in filename, I bet it's this, which references https://docs.github.com/en/rest/reference/releases#upload-a-release-asset:
|
|
Oh, and just double checking from the downloaded dmg: $ file Contents/MacOS/Quicksilver
Contents/MacOS/Quicksilver: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64:Mach-O 64-bit executable arm64]
Contents/MacOS/Quicksilver (for architecture x86_64): Mach-O 64-bit executable x86_64
Contents/MacOS/Quicksilver (for architecture arm64): Mach-O 64-bit executable arm64
$ file ./Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet
./Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64:Mach-O 64-bit executable arm64]
./Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet (for architecture x86_64): Mach-O 64-bit executable x86_64
./Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet (for architecture arm64): Mach-O 64-bit executable arm64@pjrobertson can make arm64 builds now :) I'm still working on a couple minor issues:
|
|
Looks good! Releases with source code + a DMG are good, as long as the source code files are named descriptively (
Agreed. Signed release only on a new tag or a special commit to master. Looks like you've gone with tag - looks good.
OK, that's good. I like that
OK, no problem then. If we're not expecting average users to go find artefacts, and we have a 'Release', then I'm fine with this.
For Quicksilver, but not plugins I guess ;-) hahaha. Jokes aside: I think we should stick to one person in charge of the release process. Historically it's been Rob. With that said, there are a few steps in the release process page which are still manual (maybe that's best for now):
One other point:
|
I will probably create a generic GitHub Actions workflow for plugins, perhaps then :)
👍
I don't know what a transifex is (yet), but looks like https://www.transifex.net/projects/p/quicksilver/ is down. $ dig +short 'transifex.net'
$https://downforeveryoneorjustme.com/transifex.net?proto=https&www=1
Creativity is often not my strong suit. How about |
@skurfer |
Fixes #2654 Issues addressed: - Provides separate GitHub Actions for building and signing (#2583 (comment)) - Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease` - By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior - Uses GitHub Actions' artifacts to avoid re-building the entire project twice - Removes the "arbitrary volume size and hope it's big enough" workaround - Adds what I think should be the necessary changes for automatic notarization of the DMG Other changes: - Removes need for `buildDMG.pl` with no new dependencies - Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch` - Split uploads into separate named actions - Copy the codesigned app to parent directory for easy acess - Create a zip of QS.app as a convenience build artifact - Specify release config for testing - Use `working-directory` instead of `cd` for several actions - Rename `release.yaml` to `ci.yaml` as it now has separate stages for build, sign, and release
|
So I think all my major issues and concerns have been addressed at this point. I've rebased, squashed, and force-pushed, so I think #2655 is ready to merge, which should close this issue. I'm happy to make more changes if desired (like renaming things) -- just let me know! |
Fixes #2654 Issues addressed: - Provides separate GitHub Actions for building and signing (#2583 (comment)) - Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease` - By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior - Uses GitHub Actions' artifacts to avoid re-building the entire project twice - Removes the "arbitrary volume size and hope it's big enough" workaround - Adds what I think should be the necessary changes for automatic notarization of the DMG Other changes: - Removes need for `buildDMG.pl` with no new dependencies - Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch` - Split uploads into separate named actions - Copy the codesigned app to parent directory for easy acess - Create a zip of QS.app as a convenience build artifact - Specify release config for testing - Use `working-directory` instead of `cd` for several actions - Rename `release.yaml` to `ci.yaml` as it now has separate stages for build, sign, and release
For previous discussions, see #2555
Quicksilver is currently not codesigned on release, causing issues with users opening it on their computer.
Attempts were made to fix codesigning in #2647, however those changes only codesign the app and not the DMG. Currently outstanding is codesigning the DMG.
This is the main blocking issue before we can get 2.0 out.
The text was updated successfully, but these errors were encountered: