
Action required by Apple: Transition to the notarytool command-line utility #3385

Closed
targos opened this issue Jun 14, 2023 · 19 comments

Comments

@targos
Member

targos commented Jun 14, 2023

Build got this by email:

We’re reaching out because you recently used the altool command-line utility to notarize your macOS software with Apple. As announced last year at WWDC22, if you’re still using altool with the Apple notary service, you should transition to the notarytool command-line utility as soon as possible. Notarizing software with altool was deprecated in Xcode 13, and the Apple notary service will no longer accept uploads from altool as of November 1, 2023. Existing notarized software will continue to function properly.

For information on notarizing your apps, read TechNote TN3147: Migrating to the latest notarization tool.

@targos
Member Author

targos commented Jun 14, 2023

According to the above TechNote:

If xcrun can’t find the tool, make sure you have Xcode 13 or later selected:

This means we will have to migrate to Xcode >= 13 for all releases by the end of the year. v16.x will be EoL, but v18.x won't, and it is currently built on macOS 10.15 (Xcode 13 doesn't support it).

@targos
Member Author

targos commented Jun 14, 2023

We use gon to notarize the pkg. The tool doesn't support notarytool and doesn't seem to be maintained anymore.

https://github.com/nodejs/node/blob/b0e08d178ed3fcb4442324f70154d5f36f8dfcc2/tools/osx-notarize.sh#L3

@richardlau
Member

For background, we implemented notarization using gon in nodejs/node#31459 and #2199, with discussion in nodejs/node#29216.

Another tool, electron-notarize-cli, was mentioned in the context of OpenJDK -- this one looks like it has an option to use notarytool.

I guess another question is whether we need another tool at all or whether we can directly use notarytool. https://developer.apple.com/videos/play/wwdc2021/10261/ suggests that notarytool can now wait for the notarization to succeed (or I guess fail) whereas previously with altool there needed to be a polling loop (which for us was provided by gon).

@UlisesGascon is this something you're interested in/have the time to look at?
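As an added illustration of the "use notarytool directly" option raised above (example code, not the nodejs build tooling or anything from this thread): `--wait` makes notarytool block until Apple returns a verdict, so the polling loop gon wrapped around altool is no longer needed. The keychain profile name `NODE_NOTARY` and the pkg path are assumptions; the profile is created beforehand with `xcrun notarytool store-credentials`.

```shell
#!/bin/sh
# Added example: submit, wait, staple, verify. Assumes a keychain profile
# named NODE_NOTARY already exists (an assumption, not a real profile name).
set -eu

# Return 0 when the JSON printed by `notarytool submit --output-format json`
# reports the submission as Accepted; any other verdict counts as failure.
notary_accepted() {
    printf '%s' "$1" | grep -Eq '"status" *: *"Accepted"'
}

# Pull the submission id out of the same JSON (needed for `notarytool log`).
notary_id() {
    printf '%s' "$1" | sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p'
}

notarize_pkg() {
    pkg=$1
    profile=${2:-NODE_NOTARY}
    # --wait blocks until the verdict arrives, so no polling loop is needed.
    out=$(xcrun notarytool submit "$pkg" --keychain-profile "$profile" \
              --wait --timeout 30m --output-format json) || true
    if ! notary_accepted "$out"; then
        id=$(notary_id "$out")
        # The log explains the rejection (unsigned binary, missing hardened
        # runtime, ...); show it and stop rather than shipping the pkg.
        [ -n "$id" ] && xcrun notarytool log "$id" --keychain-profile "$profile" >&2
        return 1
    fi
    # Attach the ticket so Gatekeeper can verify offline, then check the result
    # the way a release engineer would before publishing.
    xcrun stapler staple "$pkg"
    xcrun stapler validate "$pkg"
    spctl --assess --type install -vv "$pkg"
}
```

Run it on a release machine as `notarize_pkg node-vX.Y.Z.pkg`; the two helper functions work anywhere, which is what makes the verdict handling testable off-macOS.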

@mhdawson
Member

I'd be +1 in getting @UlisesGascon more access if that's needed to do this work and he's interested.

@UlisesGascon
Member

First approach to integrate notarytool is here: nodejs/node#48701 🎉

@UlisesGascon
Member

UlisesGascon commented Sep 21, 2023

Next steps

@richardlau
Member

  • Remove the gon installation from Ansible

? We don't install gon via Ansible. It gets installed (if not already present) via https://github.com/nodejs/node/blob/718a1cf0ceb098748d8b1c01e2c3f81259d7d0e3/tools/osx-notarize.sh#L26-L29 (which is a risk as it means potential interference with the macOS release binaries if the upstream URL being fetched ever gets compromised).
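The supply-chain risk named above (a release machine fetching a tool from an upstream URL at build time) is usually mitigated by pinning the expected digest next to the URL. As an added example, not code from osx-notarize.sh, here is a download helper that refuses to install anything whose SHA-256 does not match the pinned value; the URL, destination path and digest are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example: pinned-checksum fetch. A compromised upstream then turns
# into a failed build instead of a tampered tool on the release machine.
set -eu

# Use whichever SHA-256 tool the host has (shasum on macOS, sha256sum on Linux).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the pinned one (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, then move into place. On mismatch the file
# is deleted so a bad artifact never ends up on the machine's PATH.
fetch_pinned() {
    url=$1; dest=$2; expected=$3
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url, refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest" && chmod 0755 "$dest"
}
```

Usage: `fetch_pinned "$GON_URL" /usr/local/bin/gon "$GON_SHA256"` with both values committed alongside the script; the digest has to be updated deliberately whenever the tool is bumped.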

@UlisesGascon
Member

Great catch @richardlau! I updated the next steps

mhdawson pushed a commit to nodejs/node that referenced this issue Sep 28, 2023
Signed-off-by: Ulises Gascon <UlisesGascon@users.noreply.github.com>

Refs: nodejs/build#3385
PR-URL: #48701
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
@mistic

mistic commented Oct 18, 2023

@UlisesGascon I believe the latest node releases (including v18.18.2) are not being correctly notarised.

When I download that release onto an arm Mac running Sonoma 14.0 and then try to run ./bin/node using the terminal, I'm getting a security notice that you can check in the following image.

[Screenshot 2023-10-18 at 18:36:16]

@richardlau
Member

18.18.2 shouldn't have transitioned to the new notarization workflow -- we should still be using gon there 😕.

@richardlau
Member

This link won't be visible to people outside of build-infra and releasers, but https://ci-release.nodejs.org/job/iojs+release/9700/nodes=osx11-release-pkg/console shows the installer was notarized 🤷 :

15:42:18 2023-10-13T07:42:18.176-0700 [INFO]  staple: executing stapler: file=node-v18.18.2.pkg command_path=/usr/bin/xcrun command_args=[xcrun, stapler, staple, node-v18.18.2.pkg]
15:42:18 2023-10-13T07:42:18.740-0700 [INFO]  staple: stapling complete: file=node-v18.18.2.pkg
15:42:18     File notarized and stapled!
15:42:18 
15:42:18 Notarization complete! Notarized files:
15:42:18   - node-v18.18.2.pkg (notarized and stapled)

@mistic

mistic commented Oct 19, 2023

@richardlau the asset I'm using is this one https://nodejs.org/download/release/v18.18.2/node-v18.18.2-darwin-arm64.tar.gz and not the pkg

@targos
Member Author

targos commented Oct 19, 2023

Notarization changes only affect the pkg.

@targos
Member Author

targos commented Oct 19, 2023

I can't reproduce:

$ wget https://nodejs.org/download/release/v18.18.2/node-v18.18.2-darwin-arm64.tar.gz
$ tar xf node-v18.18.2-darwin-arm64.tar.gz
$ ./node-v18.18.2-darwin-arm64/bin/node
Welcome to Node.js v18.18.2.
Type ".help" for more information.
>

UlisesGascon added a commit to UlisesGascon/node that referenced this issue Oct 19, 2023
@mistic

mistic commented Oct 19, 2023

@targos I cannot replicate this, even on macOS 14.0, in case I use wget or curl -OL to download the .tar.gz file.

However when I download it through the browser from for example https://nodejs.org/download/release/v19.9.0/ this is easily replicated. Are you able to replicate it this way too?

nodejs-github-bot pushed a commit to nodejs/node that referenced this issue Oct 21, 2023
Refs: nodejs/build#3385 (comment)
PR-URL: #50291
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
@targos
Member Author

targos commented Oct 22, 2023

I can reproduce if the archive is downloaded using a web browser.

@targos
Member Author

targos commented Oct 22, 2023

Is it documented somewhere that plain executables must be notarized since macOS 14?

@targos
Member Author

targos commented Oct 23, 2023

I created #3538 because it's not related to the notarytool migration. All releases are affected by the issue.

UlisesGascon added a commit that referenced this issue Oct 26, 2023
* jenkins: remove macOS 10.x release machines

related: #3385 (comment)

* jenkins: improved version selector for macOS notarization

* jenkins: removed macOS restrictions

* jenkins: add restriction for MacOS 10 in Node21
UlisesGascon added a commit that referenced this issue Oct 26, 2023
* inventory: remove release-orka-macos10.15-x64-1

related: #3385 (comment)

* inventory: remove release-nearform-macos10.15-x64-1

related: #3385 (comment)
@UlisesGascon
Member

I think that this task is achieved, so I will close it 🥳 🚀

So I will create a separate issue for --keychain-profile, as it is the only task pending related to notarytool.
