Re: [platform-dev] macOS 10.15 notarization process

I've created a root bug to capture all the tasks required to Notarize the Mac app - https://bugs.eclipse.org/bugs/show_bug.cgi?id=549814
 
I think we could start with the Prepare Your Software for Notarization section [1] and open bugs to prepare Eclipse accordingly. We already have a bug [2] for signing errors in filesystem libraries.
 
[1] https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc#3087727
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=547159
 
Thanks & Regards,
Lakshmi P Shanmugam,
Eclipse Platform Co-lead,
India Software Lab, Bangalore
 
 
----- Original message -----
From: Thomas Singer <ts-swt@xxxxxxxxxxx>
Sent by: platform-dev-bounces@xxxxxxxxxxx
To: platform-dev@xxxxxxxxxxx
Cc:
Subject: [EXTERNAL] Re: [platform-dev] macOS 10.15 notarization process
Date: Mon, Aug 5, 2019 4:46 PM
 
Hi Mikaël,

No, the user usually uses a different application that can change files
inside the app bundle. According to my understanding, macOS 10.15 only
makes some part of the file system (containing the application)
read-only for the application itself - at least this is what I found out
so far.

--
Best regards,
Thomas Singer
=============
syntevo GmbH
https://www.syntevo.com 
https://www.syntevo.com/blog 


On 2019-08-05 11:43, Mikaël Barbero wrote:
>
>
>> On 5 Aug 2019, at 11:35, Thomas Singer <ts-swt@xxxxxxxxxxx> wrote:
>>
>> but I don't see a technical reason to not have them inside the .app structure unless they are changed by the application itself.
>
> Unless changed by the application itself or the end user (I'm thinking about -vmargs).
>
>>
>> --
>> Best regards,
>> Thomas Singer
>> =============
>> syntevo GmbH
>> https://www.syntevo.com
>> https://www.syntevo.com/blog
>>
>>
>> On 2019-08-05 11:09, Mikaël Barbero wrote:
>>> I'm willing to help improve the CBI macOS signing to let projects notarize their apps. However, I would need some help with the "Hardened Runtime capability". I guess this is something to be done on the Tycho or Equinox side first, correct?
>>> Also, from what I read here https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow#3087732 , the notarization process "typically takes less than an hour". It means that it could make the build much slower than it is today (esp. because today the signing process is synchronous with the build). Any idea how to change that? Should the signing/notarization occur in a separate CI job?
>>> @Thomas
>>> IIRC notarized apps cannot be modified, meaning that config files, p2 bundle pool etc. can't live inside the .app anymore. Correct? If this is the case, how do you follow https://developer.apple.com/library/archive/documentation/CoreFoundation/Conceptual/CFBundles/BundleTypes/BundleTypes.html#//apple_ref/doc/uid/10000123i-CH101-SW13 more closely? Do you store config files, bundle pool etc. in folders recommended by https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/AccessingFilesandDirectories/AccessingFilesandDirectories.html#//apple_ref/doc/uid/TP40010672-CH3-SW11?
>>> Thanks.
>>> Mikaël Barbero
>>> Team Lead - Release Engineering | Eclipse Foundation
>>> 📱 (+33) 642 028 039 | 🐦 @mikbarbero
>>> Eclipse Foundation <http://www.eclipse.org/>: The Platform for Open Innovation and Collaboration
>>>> On 5 Aug 2019, at 10:35, Torkild U. Resheim <torkildr@xxxxxxxxx> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I think I’m also seeing a problem related to the notarization process[1]. Using macOS 10.15 beta (19A526h) I downloaded and attempted to run the Eclipse installer which resulted in the following message:
>>>>
>>>> «Eclipse-inst-mac64.dmg» can’t be opened because Apple cannot check it for malicious software.
>>>>
>>>> Best regards,
>>>> Torkild
>>>>
>>>> [1] https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution 
>>>>
>>>>> On 1 Aug 2019, at 13:46, Thomas Singer <ts-swt@xxxxxxxxxxx> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> According to my information, macOS 10.15 does not accept simple signed applications any more, but requires a more complicated "notarization" process that requires the application to be signed with "hardened runtime".
>>>>>
>>>>> I've successfully notarized our application, but it fails even on 10.14 with the following exception:
>>>>>
>>>>> java.lang.NullPointerException
>>>>> at org.eclipse.swt.widgets.Composite._getChildren(Composite.java:99)
>>>>> at org.eclipse.swt.widgets.Composite.reskinChildren(Composite.java:979)
>>>>> at org.eclipse.swt.widgets.ToolBar.reskinChildren(ToolBar.java:716)
>>>>> at org.eclipse.swt.widgets.Widget.reskin(Widget.java:423)
>>>>> at org.eclipse.swt.widgets.Widget.setData(Widget.java:1704)
>>>>>
>>>>> Did someone already get a non-trivial Java/SWT application signed/notarized correctly for macOS 10.15 that also runs without problems?
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Thomas Singer
>>>>> =============
>>>>> syntevo GmbH
>>>>> https://www.syntevo.com 
>>>>> https://www.syntevo.com/blog 
>>>>> _______________________________________________
>>>>> platform-dev mailing list
>>>>> platform-dev@xxxxxxxxxxx
>>>>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>>>>> https://www.eclipse.org/mailman/listinfo/platform-dev
>>>>