tools: add staple to macOS notarized binaries #50625

Merged 2 commits into nodejs:main on Nov 11, 2023

Conversation

@UlisesGascon UlisesGascon commented Nov 8, 2023

Main Changes

Added Staple for the notarized binaries in macOS.

cc: @nodejs/build @nodejs/releasers

Context

Gatekeeper will perform a check for a notarization ticket online. If it can't reach the server (due to no internet connection, for example), and if the ticket isn't stapled to the app, macOS will prevent the app from running because it can't verify that it is notarized.

You can find more information in this amazing article https://tonygo.ghost.io/notarization-for-macos-app-with-notarytool/ by @tony-go

Notes

I am working on a separate PR for the validation of the binaries.

Test

This was tested in the iojs+release-ulises-experimental pipeline in the Jenkins CI release.

Full log available here

14:27:03 sh tools/osx-notarize.sh v22.0.0-test202311086410f3bf0d
14:27:03 Notarization process is done with Notarytool.
14:27:03 Submitting node-v22.0.0-test202311086410f3bf0d.pkg for notarization...
14:27:03 Conducting pre-submission checks for node-v22.0.0-test202311086410f3bf0d.pkg and initiating connection to the Apple notary service...
14:27:05 Submission ID received
14:27:05   id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:27:11 Successfully uploaded file
14:27:11   id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:27:11   path: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:27:11 Waiting for processing to complete.
14:27:17 
Current status: In Progress...
Current status: In Progress....
Current status: In Progress.....
Current status: In Progress......
Current status: In Progress.......
Current status: In Progress........
Current status: In Progress.........
Current status: In Progress..........
Current status: In Progress...........
Current status: In Progress............
Current status: In Progress.............
Current status: In Progress..............
Current status: Accepted...............Processing complete
14:28:57   id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:28:57   status: Accepted
14:28:57 
14:28:57 Notarization node-v22.0.0-test202311086410f3bf0d.pkg submitted successfully.
14:28:57 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:28:57 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:28:58 The staple and validate action worked!
14:28:58 Stapler was successful.
[...redacted...]
14:29:10 Finished: SUCCESS

@nodejs-github-bot nodejs-github-bot added macos Issues and PRs related to the macOS platform / OSX. tools Issues and PRs related to the tools directory. labels Nov 8, 2023
@UlisesGascon UlisesGascon marked this pull request as ready for review November 8, 2023 14:08
@UlisesGascon UlisesGascon added request-ci Add this label to start a Jenkins CI on a PR. lts-watch-v18.x PRs that may need to be released in v18.x. lts-watch-v20.x PRs that may need to be released in v20.x labels Nov 8, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 8, 2023
@tony-go tony-go left a comment


Fantastic work, my dear @UlisesGascon 👏🏼 😍 and thanks for the mention.

Review comment on tools/osx-notarize.sh (resolved)
@lpinca lpinca added commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. and removed commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. labels Nov 11, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 11, 2023
@nodejs-github-bot nodejs-github-bot merged commit ce6c9b0 into nodejs:main Nov 11, 2023
86 checks passed
@nodejs-github-bot

Landed in ce6c9b0

targos pushed a commit that referenced this pull request Nov 12, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
targos pushed a commit that referenced this pull request Nov 14, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
UlisesGascon added a commit that referenced this pull request Dec 11, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@UlisesGascon UlisesGascon mentioned this pull request Dec 12, 2023
richardlau pushed a commit that referenced this pull request Jan 16, 2024
PR-URL: #50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@richardlau richardlau removed the lts-watch-v18.x PRs that may need to be released in v18.x. label Jan 16, 2024
@richardlau richardlau added backported-to-v18.x PRs backported to the v18.x-staging branch. backported-to-v20.x PRs backported to the v20.x-staging branch. and removed lts-watch-v20.x PRs that may need to be released in v20.x labels Jan 16, 2024
RafaelGSS pushed a commit that referenced this pull request Feb 14, 2024
This is a security release.

Notable changes:

crypto:
  * update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade npm to 10.2.4 (npm team) #50751
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
test:
  * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
tools:
  * add macOS notarization verification step (Ulises Gascón) #50833
  * use macOS keychain to notarize the releases (Ulises Gascón) #50715
  * remove unused file (Ulises Gascon) #50622
  * add macOS notarization stapler (Ulises Gascón) #50625
  * improve macOS notarization process output readability (Ulises Gascón) #50389
  * remove unused `version` function (Ulises Gascón) #50390
win,tools:
  * upgrade Windows signing to smctl (Stefan Stojanovic) #50956
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

PR-URL: nodejs-private/node-private#545
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 20, 2024
This is a security release.

PR-URL: https://github.com/nodejs-private/node-private/pull/545
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
This is a security release.

PR-URL: https://github.com/nodejs-private/node-private/pull/545
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50625
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
This is a security release.

PR-URL: https://github.com/nodejs-private/node-private/pull/545