2021-11-19 12:05:45 +03:00
|
|
|
== Packaging for MacOS
|
2022-05-09 13:48:08 +03:00
|
|
|
Building the Helper locally will result in an adhoc-signed build, which works
|
|
|
|
|
for local development, but not for distribution. Before distributing it needs
|
|
|
|
|
to be re-signed. Build the Helper by running `build-helper.sh`, see the main
|
2021-11-19 12:05:45 +03:00
|
|
|
README for details.
|
|
|
|
|
|
|
|
|
|
To distribute the app you will need the Yubico MacOS signing key. The method of
|
|
|
|
|
signing differs depending on if the app should be distributed standalone
|
|
|
|
|
(outside the App Store) or via the App Store.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== Standalone (Notarized)
|
|
|
|
|
To distribute the app outside of the App Store, we need to sign it and Notarize
|
|
|
|
|
it. For Notarization to work, we must enable "hardened runtime" by setting the
|
|
|
|
|
`--options runtime` when signing.
|
|
|
|
|
|
2022-05-09 13:48:08 +03:00
|
|
|
==== Signing the Yubico Authenticator Helper
|
2021-11-19 12:05:45 +03:00
|
|
|
The following commands can be done to re-sign the files using the Yubico
|
|
|
|
|
signing key:
|
|
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
# Sign the main binaries, with the entitlements:
|
|
|
|
|
codesign -f --timestamp --options runtime --entitlements helper.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/authenticator-helper
|
|
|
|
|
|
|
|
|
|
codesign -f --timestamp --options runtime --entitlements helper.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/authenticator-helper
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
# Sign the dylib and so files, without entitlements:
|
2022-11-10 17:17:30 +03:00
|
|
|
codesign -f --timestamp --options runtime --sign 'Application' $(find Yubico\ Authenticator.app/Contents/Resources/helper/ -name "*.dylib" -o -name "*.so")
|
|
|
|
|
|
|
|
|
|
codesign -f --timestamp --options runtime --sign 'Application' $(find Yubico\ Authenticator.app/Contents/Resources/helper-arm64/ -name "*.dylib" -o -name "*.so")
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
# Sign the Python binary (if it exists), without entitlements:
|
2022-11-10 17:17:30 +03:00
|
|
|
codesign -f --timestamp --options runtime --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/Python
|
|
|
|
|
|
|
|
|
|
codesign -f --timestamp --options runtime --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/Python
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
==== Signing the GUI
|
2022-05-09 13:48:08 +03:00
|
|
|
After signing the Helper, make a release build of the GUI and then re-sign it
|
|
|
|
|
with the Yubico key:
|
2021-11-19 12:05:45 +03:00
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
codesign --timestamp --options runtime --sign 'Application' --entitlements Release.entitlements --deep "Yubico Authenticator.app"
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
The app should now be properly signed, and needs to be Notarized. Create a zip file with the .app, and:
|
|
|
|
|
|
2022-04-13 15:22:06 +03:00
|
|
|
xcrun altool -t osx -f app.zip --primary-bundle-id com.yubico.authenticator --notarize-app -u $APPLE_ID -p $PASSWORD
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
This will return a $APP_GUID.
|
|
|
|
|
|
|
|
|
|
To check if notarization is complete:
|
|
|
|
|
|
|
|
|
|
xcrun altool --notarization-info $APP_GUID -u $APPLE_ID -p $PASSWORD
|
|
|
|
|
|
|
|
|
|
When the notarization is complete, and successful, the original .app bundle (not the .zip archive) needs to be stapled.
|
|
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
xcrun stapler staple -v "Yubico Authenticator.app"
|
2021-11-19 12:05:45 +03:00
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
Everything has now been signed and we can create a dmg.
|
2021-11-19 12:05:45 +03:00
|
|
|
|
2022-04-13 15:22:06 +03:00
|
|
|
==== Creating a dmg
|
2022-11-10 17:17:30 +03:00
|
|
|
Create a directory called `source_folder` and move the .app to it.
|
|
|
|
|
Install `create-dmg` by running `brew install create-dmg`.
|
|
|
|
|
Run the `create-dmg.sh` script.
|
2022-04-13 15:22:06 +03:00
|
|
|
|
2021-11-19 12:05:45 +03:00
|
|
|
=== Signing for the App Store
|
2022-05-09 13:48:08 +03:00
|
|
|
All binaries must have sandbox enabled for the Apple App Store, but the Helper
|
2021-11-19 12:05:45 +03:00
|
|
|
binary doesn't work when sandboxed AND hardened. Luckily, App Store binaries do
|
2022-05-09 13:48:08 +03:00
|
|
|
not need to be hardened. Thus, we need to sign the Helper executable with
|
2021-11-19 12:05:45 +03:00
|
|
|
sandbox enabled, but NOT as a hardened build. The App Store build also uses a
|
|
|
|
|
different code signing key than the standalone distribution.
|
|
|
|
|
|
2022-05-09 13:48:08 +03:00
|
|
|
==== Signing the Yubico Authenticator Helper
|
|
|
|
|
Follow the same steps as for "standalone", with the exception of signing the `authenticator-helper` binary:
|
2021-11-19 12:05:45 +03:00
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
# Sign the main binaries, with sandbox enabled, without hardened runtime:
|
|
|
|
|
codesign -f --timestamp --entitlements helper-sandbox.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/authenticator-helper
|
|
|
|
|
|
|
|
|
|
codesign -f --timestamp --entitlements helper-sandbox.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/authenticator-helper
|
2021-11-19 12:05:45 +03:00
|
|
|
|
2022-05-09 13:48:08 +03:00
|
|
|
NOTE: This sandboxed Helper will not run on its own, it has to be run as a
|
2021-11-19 12:05:45 +03:00
|
|
|
subprocess to the main application.
|
|
|
|
|
|
|
|
|
|
Once you have the signed .app, (no Notarization required) build the package for AppStore submission:
|
|
|
|
|
|
2022-11-10 17:17:30 +03:00
|
|
|
productbuild --sign 'Installer' --component "Yubico Authenticator.app" /Applications/ output-appstore.pkg
|
2021-11-19 12:05:45 +03:00
|
|
|
|
|
|
|
|
Use the Transporter app to upload the package to Apple.
|
