Please sign and notarize macOS app

[mfilippov]

I can't run macOS app I got message:

ASP: Security policy would not allow process: 39917, /Applications/StructuredLogViewer.app/Contents/MacOS/StructuredLogViewer.Avalonia

[KirillOsenkov]

I don’t know how to do that.

[mfilippov]

This GitHub action contains example of app sign and notarization https://github.com/marketplace/actions/xcode-notarization

[hez2010]

To acquire the ApiKey used in app sign, developers must pay $99 per year to Apple. I don't think it is feasible for a free open-source project.
I would instead recommend you sign the app by yourself using a self-issued certificate.

[KirillOsenkov]

I did buy a Comodo code signing certificate to sign Windows .exes here:
https://comodosslstore.com/code-signing/comodo-individual-code-signing-certificate

Could I use that to sign or is that not applicable on Mac?

[KirillOsenkov]

I also have a SignPath certificate for open source projects provided by SignPath. Wondering if I can use that?

@SabotageAndi would you know?

[mfilippov]

No, for macOS sign, you need Apple Developer Subscription. It is also required to publish an app to the macOS AppStore. I have this subscription. I could publish this app as a free app from my subscription if it is suitable for you.

[KirillOsenkov]

That would be nice, thanks for the offer!

[mfilippov]

Cool I will try. The version v2.1.820 crashed on macOS.

[jwosty]

This is the only thing preventing distribution via Homebrew: Homebrew/homebrew-cask#156909 (comment)

In the meantime, I've put the cask in a third party repo (https://github.com/jwosty/homebrew-structuredlogviewer), so you can install it like so brew install --cask jwosty/structuredlogviewer/structuredlogviewer

[maxkatz6]

@KirillOsenkov I can help with sign and notarize scripts for this task. But it requires some preparation from you with apple dev account.
Previously I did that for self-hosted macOS virtual machines, but it should work on public github machines too (need to deal with certificate export).

More or less comprehensive list of what needs to be prepared on macOS machine owned by you:

1. Create Apple Developer account.
2. Create "Developer ID Application" certificate on https://developer.apple.com/account/resources/certificates/list page.
   2.1. It will ask you to create a Certificate Signing Request, this page explains how https://developer.apple.com/help/account/create-certificates/create-a-certificate-signing-request/
   2.2. Download and install created certificate.
   2.3. Note, this also will bound this certificate to your machine. We will need workaround that later.
3. Create app identifier on https://developer.apple.com/account/resources/identifiers/list
   3.1. Right now, you have "structuredlogviewer" as an app identifier. I am not sure if it's a valid one, probably "com.MSBuildStructuredLog" will be necessary. Either way, apple dashboard should let you know if ID is invalid or not.
4. (Optional) With certificate and id it's possible to create Provisioning Profile on the same page. It doesn't seem to be necessary now (I had signing and notarizing done successfully without it), but it likely will be soon.
5. Export certificate from your machine and protect it with password: https://stackoverflow.com/questions/14954074/export-development-certificate-as-p12.
6. Copy p12 certificate and provisioning profile to the git. Note: it might be a good idea to additionally encrypt p12 cert.
7. Prepare CI secrets:
   7.1. p12 password(s)
   7.2. Your apple dev-account email and password. Password needs to be an app-specific password https://support.apple.com/en-us/102654

And changes to the build script that needs to be made (can be done by anybody, as it doesn't require apple dev account access at this point). All of these steps below can be automated in the script for each build:

1. Install p12 certificate using certificate file and secrets.
2. Include provisioning profile with app bundle.
3. Sign binaries with Apple cert and proper identity.
4. Zip bundle, upload it for notarization, wait (can be couple of minutes, but can be days, especially for the first run and JIT apps).
5. Done. Creating a "dmg" file would be a nice addition.

Hopefully I am not missing anything.

[KirillOsenkov]

OK I'll try to find time for this soon, thanks!

[KirillOsenkov]

LOL I heard Apple hates developers, this sure looks like a good start:

Apparently I need to enroll from the web?

[KirillOsenkov]

I am now on Step 6: Copy p12 certificate and provisioning profile to the git. Note: it might be a good idea to additionally encrypt p12 cert.

I have the .p12 file and it's protected with a password. Where do I put it now? How do I encrypt it? I assume I can't make this file public, right?

[jwosty]

@KirillOsenkov I think a GitHub action secret?

[KirillOsenkov]

OK, I created three Repository secrets under Actions. Where do I put the p12 file and how do I additionally encrypt it?

[jwosty]

https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development

[KirillOsenkov]

I used com.msbuildlog.viewer for the App ID

[maxkatz6]

Yeah, storing p12 file as a base64 secret should be good.

[KirillOsenkov]

OK, I made the following 4 secrets:

APPLE_ID_EMAIL
APPLE_ID_PASSWORD
P12_BASE64
P12_PASSWORD

[KirillOsenkov]

Some helpful info in the two issues I linked above ^^

[maxkatz6]

@KirillOsenkov started PR here #842

I also think TeamID might be necessary in the signing and notarizing. You can include that in the secrets too: https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/

And to be safe, let's add certificate name to the secrets too.
In the PR, I used "Developer ID Application" for now, but full name would be safer, such as "Developer ID Application: KirillOsenkov (TeamID)" (you can find it in the keychain).

[KirillOsenkov]

OK I added the APPLE_TEAM_ID secret.

I'm not at my Mac right now, so I can't lookup the exact certificate name in the Keychain. On the web it says:

[KirillOsenkov]

I added APPLE_CERT_NAME with the value Developer ID Application: Kirill Osenkov (XXXXXXXXXX) where XXXXXXXXXX is the Team ID. Note the space between my first and last name. When I get to my Mac I'll double check and edit if necessary.

[maxkatz6]

@KirillOsenkov that should be enough, thanks. Now need to figure out how to access these secrets from appveyor.
Or did you add these to github secrets instead? I don't mind switching to GitHub CI, just need to know your preference here.

[KirillOsenkov]

Oh, I added them to GitHub Actions, I can add to AppVeyor too. Sorry it wasn't clear. Will have to be a bit later though.

[KirillOsenkov]

Oh, and to clarify, I'm fine with either AppVeyor or GitHub Actions for the Mac signing+notarization. I'd like to keep the existing logic in AppVeyor (because of the SignPath integration and I'm used to it), but for Mac we can do either, whatever works for you.

[maxkatz6]

@KirillOsenkov I don't have issues with AppVeyor. But you probably would need to push encrypted secrets into YAML file.
Either as https://ci.appveyor.com/tools/encrypt (variable) or https://www.appveyor.com/docs/how-to/secure-files/ (files).

[KirillOsenkov]

OK here you go:

environment:
  APPLE_ID_EMAIL:
    secure: RKmcmSlBIe+qymOfMJR9U9Q2axndE5FnQWJrHIm/ZJM=
  APPLE_ID_PASSWORD:
    secure: Xqa3m49/axGFkH9nr8zZRLgMbFzY3rUUsRCXRxPt4B8=
  P12_BASE64:
    secure: /hGeW9O9NZcjS2lTp85JwPeEIrABJ05BOa4VXp8HwYh0FOWuk8wjc4ahloCtBUWfa5QorE04xUvKtdpq9/RCQy9WIQnpHBGeFvoYGKF/4vEfqf3bU7epKwV2tFWqhKDNPGoG/pNL0pxBiabTxbom6zMzVIoLk6ZwDyYdD4+956896Ai/OdLWrrC4ga1HzuSZnu4fEW3iADnYkLtot3VGCkPZQvaswcGie510abmuy3mq/fdFxkCXoE6hD4Zqw1QArHL+1iH9R7mHChA88BDaKc12uacxmPRrwfb5aouq7xtqHAVZa/S330rULQ3QTKwHCpLfdUOJpOHIWK35Uj6zHmiU98pXUsgEVw79Qk0USHTz4B6undSadM7ajgM7h/6aWAbyuSu8O6upuBWfA1Ql7xVUyQDEd1ueTZhAMB8qDd0OME70b/vb8vKnNKkAHnQ819Hz1iYbzNMU5VK4JdI59yKf3ZEC1P42mRVCwlzKfhjrtvhB+gHUzvtwdcyFbf/4CDFp6kidoboCY/A7ffURm0rsKlZ1khsx6AGlbTpIOhZMqQw0zJ7oV0YnFFjbhV0sZRO+96lUB9JTBe9dnIGO8UjiSG1nAvB99k6ruz/IvUWWM1Oqp4zvi8MpNPrYeHRV2QUHjoCjLbNCdXsZU/FFpUcrmSKe1B6lFIhL2WiRlKRnZPcquOhP3a2fL7WU1gl95NUUpwzkgww8+BNuJMx+aaz3SHJE+n0ghToT7Kw+RfbB0TNSOQG+2lZThpPR3U1p+b2lYblT7dV3DU2ctUQWpUOsA7Fsng4eQbM0isTqsiQQSdC/iENR8we/xtvLVxUgObCyFQG33AaRRASJ5kW7nav3fidf+CkBlPppWvxRXur3dyEF+TKLO+HpUqf3kuBFNjZBIzS7FgKQTRf18hDAB+P3zIYI/VcO/+DZM2X6+BJryhq5JUD43TjlHDGQP/k6Tmwv2/naAdVUnXPlMsUeohTGxvD5S4rk/MYkvrLsTEXzQrwgk6epXEEgPL+LdtSiSv60VvL7mgO2nIC+sgIXyV1j/40qN2OqU5w/oDRBcEoilGtEXQXKBbUb1+ESyya9jhh9yxtI8cY2mqqKwe4l5WZOTIYS2idpcGjiteDSkqcJy7T5H00SPBqAo5NCBAeDSVcpUYH5gjg5AY/YMTZajqHoF2N5Lp4IYlgwRPSvlLxYNjkf+ysUK+zvd6HOppmxYZAV4uwsuDH+hpHXiNhGO3EIJ/ooGoK8KHVlm2anZq63kOx1XSud/lVfaY+be08ZHhJPIWsJ9UbkMZ2npRN4x2wbg2SPB+/bvUzMjWsqhr4UmacEoBD9EQa/PqRLUNuO6HSnX0iPeX75tH/5PRR2ybddnaoTXzgvhtGJ6XKYvJJa30AjirKXKhXe/JsjF1lIo8KttyxxjvFR5zXrhqN/Rh2ADQeXBwzGa7KvHkZxzSmuMrqsfcMpfLdIPbcSWei99NatAynrS9JaEifuuo5V8eHxvGqF9Ikm0Sp271Hhv72kBUMm406ffQF+a3AgtRQmOU52PgYQZx9x4gFbHtlOOwArBlHQNrOQ1Cz5sWTEtLSAwgPuJ5A+kpsfbewIEVETIeI1XgEqb++6ngPkIr+q6oHQKtbeqfKgFdwIgyTUpx6BGEYfIDb+cPeq3GDQdM8Eo67T7ZLQNReP92ad/8aaCuGuM4xyD8MiljGDm3Q0CtebCAIEC+lM6uxeUWdJTCPrffeCeeToR83rKQEc64twWm9IDFmrVUvsvvoqvY7kcyXg3ZJlIUK187rkCpvKPTwyyrf8PNe5qeAHTuAWZTjuIqphdqV+e+DDY+HRwv/XAhJDF5b4HT114ZbZzVx31a7T4CwQWEM+xgj7U9bNbdsgaQmqptUUg/vzkq2ynQjTtKwGm2Pk0tWhdRM1gEKOsGVtypdzHwyUMG5z03H3f/TZ9nIJDyyOo+8f32IvY7aJ1t5xIFXQ8NfWUTUU/UsR4ij5yXN1OxVLEC+X4Q5Ie5OWA4Jo/eROYl5nEy2zsQ2gHCJ/CZr1xKwfhcSk9JqTUZxZsaU9WBylFVMOXKsw1FsMTbWmg2aNtpAsS04W/zviY+XzTB3HXkjlFtoU498rZbrf9lBcPEhejOLNk1NUl8FWpc5WjBUWqgDz+JrnM4Phir8TlOk1+iG3Cnl9XxalPt1vVRqAa1Sh0Ycu+jf6MIlR4H9lPwsW26Cq7wil0mnwSzR5+auaa3A5IC7rz5Nih44iNitrTZW2DaWVNdp4GfthAIGqJvUlS5o5ez6sfA5JzLGdo04gXkCKDAPwCnR4MgWoSIe+/HkY8p0/atRvX+9TCxBG9h7jYPFSWRLjuy7Txc6iRXbkERgdr7dnACvDj5ZJRBtXLpHNJxP5vagYVO/vxNmqpLKNcjK6P+RoR3gaIU2uinNJ+tZl4WB3nkpdjdo/HxezRPsT7ep5Z2SWfUevC/TptHpaBr2k4sal2ILd51KkKX1b9vQsSL5sRPQE0Wk5jMOpsReoJDF/vWHo2iZQ6I+zmtphXSTqnkM1zglMrp6sl54Zcx1UGQiSxuHkeNlALz4GtbmXGiVNUuHvy9hSI8eVbT7+xb9BXC6PoLa37+sL5x+RGlHRQcgsMMb1cG1t3mGZN+0UfU8G1TaKlM2BKRE9EHVnI5wmb5cOwtvbXKSlwgk8WS5tblVb1Cj9B8zlydWTqDc8TpF9JqNKdUAeeTGq+AUZLie9uBr+4gswepwYgPELr/hiEkZdkdgdpp3u5ZpZSLceUVm54gx2zSPy5VnBs6hKrEbxjinM9f96KfzPUo/pG8Lyk2xKcPYaEOW78YfggI2beUmYUHtBqahgFhJmu9Ze2H8yhpJOzzpKql0qk9h0Z0f9s9kYNCEIVXn6Et8nVPngvrA3UNFldas8Jj+TIzs7WotXoSBqfGqb6td/Gghqx+pRwbf+/fGTBQCDbz0bEr8iRWSjFkFc43SAK5rMponyltdQn5EQEwJ+uqm/GSWXRD0dRZJCl1OyD7meOOR43Mifbhwgth7NpU3fWu6suLhM+TQea6tV4eTDWWWe1ypErR7cv2eIuS8r9dqWwLe3aNwG54D31DuOpWH58emALKxp4NsnA+t8euChNq/2ibcIhiGi8LrtME2Xt1HJFB1q/qnF4366E1gU6a56KVF2YYB3YxV07pX8hvs58XNWlIU9zjNA0Mt72EBl5jAmsHAYiWcDnMrmV7JLyTG7Br0/tJWZDPV65k1hHDIlGi9Xiax1rsNfv5gk+YTGaO9Twc3NmAJyFxtQVivfmp3i6hE66inpZaE7gqLMz/ZgW5oZRWOZjmlxnlCTIK8PDBhA337P3XB0hQXcMolyYzqxZm6T2LQRk13ZKUiNV5ck/tm0HwZueJYTWVvZxhAYQOCQqsf8cUfyG8rL3T7Fy9hiwNdfQj50ucMRO88yQHA2qTAFP0YEOtT3jRG4HNFXs1Awcac/+sECCHjKpA3JEl4RGUuDXAayk6MWBMUzIt3k3zMIjPQsgyifCbRYSrx7xf8SFak70ZH8X3z+6IfKMGITl/jY4T+syhTTQ3FmYxFMuT01KlVSBRPyITN95S6LC2r9m4YcO/4F6QR8fPqRQz9zmql52NgoYqLWu5IV5uP8n9gBnPQn+60tNUxub1uVTDLh6akZwEN95lXo3yzk/VyQ3WJLKLu9riQmxKXNcz5k/3uLmYOxw7oyTnR6/5/8KrIWHJpbQHMoFcqtiOg8bz5Dje8Ay3q663nT3zMCiTAkJ2XXWtfhutCjgnjlvsAtmHC7+KaljNDwlfECPbDRBqm6NzJBQSkwAspcJMU8/nV6DWBH5eLpoHzMVH8YEs9E2g32qEShdhOsowIwg1BJw+v5vmiLQ0nJPPqmmtcj78gMOoXoFSrBvoaTx50JDaVei1X9buUMhkhqrH1E+fQg7Syj4H+XyNWgATWFHAJAvzNCEi7U4eisbTNrrF83uk9ct2xVEA/7/wRqLv1I779YuDFh1FFtRZrtj1+KodpiKFiUxT8X9foZy9T9iICKze9PlN0UZjQWUnRBdn0HHGA1mOJAJbjMdx71ti0b5Qt9LJ5Yhnj/Bx2xzDRXpU0Y8JSQ4PmQZng1wECDa5wTuVf5UHs0gCa+YD6NVD2GeL661CmJfAj/HRga4gULgdouak2jcn3/XZm0t29Ua23GQWo62iIv4k4Vr2TwBmNdl9vqcKYpmv7YJjyefeLrWZ1UV1e/E7yZvkclq6UVbgttHpAYCv0ZZKbjfak2LHxBHp0z8lz/aUe4zlrS5BmR+7EAnJ//Wf4/PRprMf6umYVZpzrhxbwTdvCVYY+Mwd8nF10nyZoXVQ16buJlGwxY8M+t1BUgqSytfGdI24gbRPrnpTYbYGcoFb/lbDA0VdrDNNdg4hQL0ce1MECrAALXQ57MOf/ywSF+cFWjU5zM0YpQZgKB2OWrD764Jo/I/vi+Fel9wujMng98Xpr1F31jO3rv+q65impM4q/f8PmHit/J/TTsFbDqx0uywNwB893UaOYKV7sO+nC6n1yRCeHNLjhZFHED2fUWRBhacdA+zHwzbDoKflFvVcPMJAPJgfsKJ8wA9OrvWVcXCgTpC4gVZNEMfY5askq2N5ZVyPSxsCTn90lOdMKq1R70aycc9/wkJipYhyog4NGmd6VYaRIEsDIwVEyGBl+BfuDI8gezuFDMUu+WryGMlgtP4OmmKY3XqlkAZD6OlGePX+IEOf947OtyxIg5jXNXdLz/B7G2H/FI9Zw7Uqkes87YeX7s76NbQ39/I9NRhYQrUWtltG6AbM8LVrHLW4/rxGPwRbI5avTrCwWyhYotTH5n0iIF19DI1208YaQV46kZs9/Dmba8WGxjBY696Azgl5ixx05dt4hET05SdI+oiwMCbUd4+J/4qgw47dU28JjBLI1BOxTiw9cMpR2OkG/mazV/a+B1JdN9shcGVpuOt7iomu44k+AxLRreObJKqjQG2rH39lsg/uu3TQSv4fDJNas0vn9lcmVz6LyErPyJzEr1w37X5oXQyD316jebvF8U7mUOsOqmsRZs8s2GERxYKzdxEWzkkHkugz8VnV9lWvpeJGZq0K3l1wwC1rtZ0pviXNyWmdZEJcVOvsZcOJ+pcI4SOzJNT8kPIbnHtgQ1gImmkzITopLByR+DLFbU/vQekLXo5D4iVDWFVti7AA/8rPybPpwJzGyIlAAstnk804lQrL3DbWEw/+5ATJOSHc9DMRy/V+/gzW6uANZWYtJNRmFd9EgzDDn49WNyLsSjNoDj8UIpNZE3CgTr9L7Ndbt57aWRoYCJBucZytENIs8+bS8Tx+xxRZ6FgjsxxlQKY8xKvnSaAJ6bBjAxqS2JoE49vQ6AQ0MT82VuwXQVwCxmlNcU41fMj9YhyaoDTfcRwFeX832ehMKEwdQU7tJLiI5O186FdKgVMcM6cqP5QC22YJ0Ll5yutMFpaIml++KFdYXlcSG6p77gNuw4skYPvGc+MlpgtzrCqQx+raYVS97uMhp5Ogn7PilBkROz3Yku36m7OFr7muX8I8hN2kpCapy+JJPVHsGuGap284ulRdCRByUTL5z1Alk7zICs1FhI3XLMAgellQIZnIOBw3xgtRd6uTbPUFW2y71ncAwyb1yHAUlEXETR0tignKTahxYrz6Gk8CNEmSggHSSjegtnwH0A763SU6OT124MbBms/F6cjvtduhozh0YMx/1hJ2efv/3Kk+FXnveHgKV7trtZ0g5cw5JzPoFuLTS1aZzDeohjTPMamXymFpCiIoUs9RwdfjWPFmSwsWUhLqigE1LoM40=
  P12_PASSWORD:
    secure: g9nZcXsjCU8Ogsic6sO45hYJI1sMG/Psw4bes9yknMo=
  APPLE_TEAM_ID:
    secure: AnEDLgBUDM9+UAdcIOrMLQ==
  APPLE_CERT_NAME:
    secure: QWdxOY0xIK4XR50AYb77TKCmMd2k00iEBfrYYxzhwM+pDyvSjQXO6Oqg1epfe0KRpZNc+a9cGwCJ8qMyCEQxsA==