Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Notarization through the Notary API #593

Closed
wants to merge 2 commits into from

Conversation

roblabla
Copy link
Contributor

This MR adds notarization through the Notary API.

Fixes #591

Currently, this is only implemented for code bundle signing. I need to implement pkg and dmg signing next, and do a lot of code cleanup.

This API is quite a bit faster than the old method. My code gets notarized in around 20 seconds with this API, whereas it took around a minute with the old Transporter API.


Note that I'm also having a very messy dependency hell issue. PyOxidizer depends on pgp, that fell in the pitfall of using non-standard dependency version requirements on zeroize... This means that it is currently impossible to use pgp and aws-sdk-s3 in the same dependency graph. I have reported the problem to pgp, and have a patch to fix the issue.

Hopefully pgp will release a new version to fix this issue.

@indygreg
Copy link
Owner

Thank you for submitting this!

Regarding the dependency hell issue, yes, this is something I've run into as well. pgp is using some old crate versions and is holding back upgrading a lot of dependencies in apple-codesign as well as other crates in this repo. It is super annoying. rpgp/rpgp#165 should hopefully fix most issues. Although I wasn't aware of that non-standard pinning of the zeroize crate. Maybe your PR will be sufficient to unlock progress, as the zeroize crate is the one that breaks most frequently when I try to modernize crypto dependencies in this repo.

Copy link
Owner

@indygreg indygreg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for this PR! Using the new notarization API and deleting the old transporter code should definitely be the marquee feature for the next release of this create and I can't wait to ship pure Rust notarization!

The approach so far in this PR seems very reasonable to me. I don't see any roadblocks other than the pgp crate patching. Regarding the pgp crate, ideally we'd wait for them to publish a new version. But I'm not opposed to shipping a version with a patched pgp crate as a temporary workaround. At the very least I'd like to see that crate accept a PR with a fix, as I would prefer to pin to an unreleased commit in the crate's canonical repo. I suppose we'll wait and see what happens with your PR.

Since this is marked as a work in progress, I guess ping me when you think this is ready for a real review. If you don't want to push this PR over the finish line, that's fine by me too: I can finish it the next time I sit down to hack on this project.

Thank you again for your work on this feature!

apple-codesign/src/notarization.rs Outdated Show resolved Hide resolved
apple-codesign/src/notarization.rs Show resolved Hide resolved
@roblabla
Copy link
Contributor Author

Alright so I should have gotten PKG and DMG in. I still need to actually test it works (only bundle was tested for now), and assuming it all works, make the commit history a bit nicer :^).

Another thing I'd like to improve is getting richer error information by extracting it from the submission logs. There's a lot of really useful information in there, but right now it's printed as an ugly json blob. I want to add some method to pretty print it.

@indygreg
Copy link
Owner

indygreg commented Jul 1, 2022

Looks like your zeroize PR merged in the rpgp repo! Hopefully that means a release is near. If not, I'm not opposed to throwing up a fork on crates.io as a workaround: I'm tired of working around dependency hell resulting from that crate.

@roblabla
Copy link
Contributor Author

roblabla commented Jul 1, 2022

rpgp 0.8 just got released 🎉

@roblabla roblabla force-pushed the notarization-api branch 2 times, most recently from 3ade94c to 30252ca Compare July 5, 2022 12:02
@indygreg
Copy link
Owner

indygreg commented Jul 7, 2022

I was having my own go at upgrading dependencies and it looks like yubikey depending on rsa 0.5 is going to be a hurdle. I filed iqlusioninc/yubikey.rs#393 to request a release.

@roblabla
Copy link
Contributor Author

roblabla commented Jul 7, 2022

Yeah, I ran into yubikey-rs problems, and also rpm-rs problems. See https://github.com/roblabla/rpm-rs/tree/update-packages

This replaces the notarization codepath to use the new REST API made
available by Apple in WWDC22. This API is entirely documented, and meant
for direct user consumption[0].

As a result, this commit also removes the codepath using the Transporter
API for notarization, and thus the requirement for the iTMSTransporter
tool to be present on the machine for notarization.

Note that the API has some undocumented bits that were discovered
through trial and error. One such bit is that the S3 token that apple
returns to upload files are valid for the us-west-2 region.

[0]: https://developer.apple.com/documentation/notaryapi/submitting_software_for_notarization_over_the_web
@indygreg
Copy link
Owner

indygreg commented Aug 6, 2022

I haven't forgotten about this PR. I wanted to get the dependency upgrades merged first because they are a pain to update. As I was doing that, I discovered a dependency hell due to the yubikey-rs crate and wanted to get that resolved. It is kind of in limbo at the moment. I'll try to find time to take a look at this over the weekend.

Copy link
Owner

@indygreg indygreg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I incrementally applied this PR locally, crafting a few separate commits from your work. I retained your authorship of those commits.

I need to spend some time testing this and updating docs to reflect the new state. But at this point the code is pretty much locked in and will be pushed, hopefully some time this weekend. The PR should automatically close when I do so.

I sincerely thank you for this contribution. Pure Rust notarization was the last major missing feature for this crate and I'm excited it is finally implemented! I'll try to push out a new release with this major feature soon as well. (But there are some other known bugs with the crate that I may want to try to fix first.)

Comment on lines +332 to +367
#[derive(Clone, Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct Issue {
pub architecture: String,
pub code: Option<u64>,
pub doc_url: Option<String>,
pub message: String,
pub path: String,
pub severity: String,
}

#[derive(Clone, Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct TicketContent {
pub arch: String,
pub cdhash: String,
pub digest_algorithm: String,
pub path: String,
}

#[derive(Clone, Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct NotarizationLogs {
pub archive_filename: String,
#[serde(default)]
pub issues: Vec<Issue>,
pub job_id: String,
pub log_format_version: u64,
pub sha256: String,
pub status: SubmissionResponseStatus,
pub status_code: u64,
pub status_summary: String,
#[serde(default)]
pub ticket_contents: Vec<TicketContent>,
pub upload_date: String,
}
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, how did you derive these types? AFAICT they are undocumented.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just looked at what data the endpoint was returning.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also another thing: I found out by trial and error that the correct S3 region to upload the data to is us-west-2, but this is not documented anywhere... I'm not sure how apple expects us to figure this out.

indygreg pushed a commit that referenced this pull request Aug 6, 2022
This defines the types and HTTP APIs for interacting with Apple's
Notary API.

Commit derived from #593.
@indygreg indygreg closed this in 3e4944f Aug 6, 2022
@indygreg
Copy link
Owner

indygreg commented Aug 6, 2022

As you can see, I pushed this. I also did a bit of refactoring after the push, mostly to clean up the UI around notarization.

The one part of your PR I did not preserve is the structs for parsing the log JSON. We don't need that yet, as we just print the JSON instead.

I did add your GitHub username and reported full name from your GitHub profile to the changelog. And I plan to say something similar in an upcoming blog post about the pending 0.17 release. If you would like me to withhold your username or full name or identify you some other way, just let me know and I'll respect your wishes. I'll likely publish 0.17 on Sunday and the blog post on Monday morning California time.

Thanks again for this amazing contribution!

@roblabla roblabla deleted the notarization-api branch August 7, 2022 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[apple-codesign] Use new REST API for notarization
2 participants