Action required by Apple: Transition to the notarytool command-line utility #3385
According to the above TechNote:
This means we will have to migrate to Xcode>=13 for all releases by the end of the year. v16.x will be EoL but v18.x won't and is currently built on macOS 10.15 (Xcode 13 doesn't support it)
We use
For background, we implemented notarization using gon in nodejs/node#31459 and #2199, with discussion in nodejs/node#29216. Another tool, electron-notarize-cli, was mentioned in the context of OpenJDK -- this one looks like it has an option to use notarytool. I guess another question is whether we need another tool at all or whether we can directly use @UlisesGascon is this something you're interested in/have the time to look at?
I'd be +1 in getting @UlisesGascon more access if that's needed to do this work and he's interested.
First approach to integrate
Next steps
? We don't install
Great catch @richardlau! I updated the next steps
Signed-off-by: Ulises Gascon <UlisesGascon@users.noreply.github.com> Refs: nodejs/build#3385 PR-URL: #48701 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
@UlisesGascon I believe the latest node releases (including v18.18.2) are not being correctly notarised. When I download that release onto an arm mac running Sonoma 14.0 and then try to run
18.18.2 shouldn't have transitioned to the new notarization workflow -- we should still be using gon there 😕.
This link won't be visible to people outside of build-infra and releasers, but https://ci-release.nodejs.org/job/iojs+release/9700/nodes=osx11-release-pkg/console shows the installer was notarized 🤷 :
15:42:18 2023-10-13T07:42:18.176-0700 [INFO] staple: executing stapler: file=node-v18.18.2.pkg command_path=/usr/bin/xcrun command_args=[xcrun, stapler, staple, node-v18.18.2.pkg]
15:42:18 2023-10-13T07:42:18.740-0700 [INFO] staple: stapling complete: file=node-v18.18.2.pkg
15:42:18 File notarized and stapled!
15:42:18
15:42:18 Notarization complete! Notarized files:
15:42:18 - node-v18.18.2.pkg (notarized and stapled)
@richardlau the asset I'm using is this one https://nodejs.org/download/release/v18.18.2/node-v18.18.2-darwin-arm64.tar.gz and not the
Notarization changes only affect the
I can't reproduce:
@targos I cannot replicate this, even on macOS 14.0, in case I use However when I download it through the browser from for example https://nodejs.org/download/release/v19.9.0/ this is easily replicated. Are you able to replicate it this way too?
Refs: nodejs/build#3385 (comment) PR-URL: #50291 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Richard Lau <rlau@redhat.com>
I can reproduce if the archive is downloaded using a web browser.
Is it documented somewhere that plain executables must be notarized since macOS 14?
I created #3538 because it's not related to the notarytool migration. All releases are affected by the issue.
* jenkins: remove macOS 10.x release machines related: #3385 (comment)
* jenkins: improved version selector for macOS notarization
* jenkins: removed macOS restrictions
* jenkins: add restriction for MacOS 10 in Node21
* inventory: remove release-orka-macos10.15-x64-1 related: #3385 (comment)
* inventory: remove release-nearform-macos10.15-x64-1 related: #3385 (comment)
I think that this task is achieved, so I will close it 🥳 🚀 So I will create a separate issue for
Build got this by email: