Commit a0221758 authored by Adrien's avatar Adrien

Update readme

parent f100499f
# bonita-codesign
Provides a REST endpoint used by our CI to sign macOS and Windows binaries with our EV certificates
......@@ -67,3 +68,79 @@ You can skip the Xcode part if you have already generated valid certificates. If
* The first endpoint is used to sign the product: the .app must be sent in a zip file and will be returned in a zip file
* The second endpoint is used to build and sign the dmg: the .app of the installer must be sent in a zip file, and the dmg will be returned in a zip file
## Notarized Mac binaries
Since MacOs 10.14, mac binaries must be _notarized_, else they are considered as malicious, which is really bad for adoption.
Notarize a binary means send the binary to Apple and wait for their approval.
[You can find more detail here on the steps described bellow](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734)
**⚠️ The notarization process has to be done for community and subscription installers**
* Retrieve dmg file. It contains the installer.
* Extract the .app inside the dmg (the installer)
* _Example: BonitaStudioCommunity-7.10.0.dmg_
* Create a zip from this .app
* _Example: BonitaStudioCommunity-7.10.0.zip_
* This zip has to be send to the Apple notarize service, using the following command line:
```
xcrun altool --notarize-app --primary-bundle-id "[FILE NAME]" --username "apple.admin@bonitasoft.com" --password "[PASSWORD]" --file [FILE PATH]
```
ℹ️ You can add `--verbose` at the end of the line if you need to investigate on an error ...
1. **primary-bundle-id** : According to the documentaton, the value _only needs to make sense to you_, and is used to _keep track of automated correspondence from the notarization service_ -> I don't really know what's the use of this but it's mandatory, so I suggest to use the name of the zip file send, which should refers to the binary notarized.
2. **username**: The Bonitasoft Apple developer username
3. **password**: ⚠️ This is **NOT** the password used to login on the Apple website with the username used (Yes ...).
* According to the documentation, _you must create an app-specific password for `altool`_ -> I created an application "Bonita Studio" with a specific password (which can be found on the R&D password page). You have to use the Apple username and this password.
* ⚠️ I don't know yet if we can use the same application for all the binaries. If not, then [new apps must be created](https://support.apple.com/en-us/HT204397) (it is written that we can only have 25 apps, so I don't know how it is supposed to work, let see...). Else, remove this line
4. **file** The path to the zip archive you created.
Now you wait for a few minutes
....
You should see something like this:
```
altool[16765:378423] No errors uploading 'BonitaStudioCommunity-7.10.0.zip'.
RequestUUID = 6e104d22-d43d-4fd8-ad42-c453816d01f1
```
-> It means that the binary has been correctly uploaded, and is being analysed before the be notarized.
You can enter the following command line just after the upload:
```
xcrun altool --notarization-info [RequestUUID] -u "apple.admin@bonitasoft.com"
```
⚠️ The application password is asked
You should get the following response:
```
No errors getting notarization info.
Date: 2019-11-28 13:44:21 +0000
Hash: 9b5d3dc9151cebc4959b60a7e04d6cd20c7e02fed977af79d4a98fd5392bb2b8
RequestUUID: 6e104d22-d43d-4fd8-ad42-c453816d01f1
Status: in progress
```
-> The binary is being analysed.
Try again after a few minutes, if it's fine you should get this:
```
No errors getting notarization info.
Date: 2019-11-28 13:44:21 +0000
Hash: 9b5d3dc9151cebc4959b60a7e04d6cd20c7e02fed977af79d4a98fd5392bb2b8
LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma113/v4/ea/19/4f/ea194f0b-f157-d910-b3e6-14974a0dc0f8/developer_log.json?accessKey=1575143492_4436251163573211502_5B7eiGAH7PIfFsn2XbFPKSi9ag8AJzNEQyWNQhNEyuHgoxOMQgTuwflxudhkSCwlMMI48b1gRcCmlht79RVCeehbpY5l2SB0zcnFjtA3%2Fuq3sctO4N%2FREg89iFW8KOlb1XBbrpe5blgAr8gMYfv39u9CYoTvqK76eKefjFhrQ8Y%3D
RequestUUID: 6e104d22-d43d-4fd8-ad42-c453816d01f1
Status: success
Status Code: 0
Status Message: Package Approved
```
-> The binary is now notarised, congrat's !
All user that are using / will use this binary won't have the error message _This software is malicious go to hell blabla_.
\ No newline at end of file
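Review bot: the `xcrun altool --notarize-app ... --password "[PASSWORD]" --file [FILE PATH]` invocation puts the app-specific password on the command line, where it ends up in shell history and is visible to other users and processes on the build host; `altool` accepts `--password @keychain:<item-name>` or `--password @env:<VAR>` instead, so the README should show one of those forms (the same applies to the `--notarization-info` call, which currently depends on the interactive prompt described by "The application password is asked"). Two smaller points: the `Hash:` line in the sample output is the digest of the uploaded zip, so the reader should be told to compare it with `shasum -a 256` of the file they sent before treating "Package Approved" as covering the right artifact; and the procedure stops at approval without stapling the ticket to the .app or .dmg (`xcrun stapler staple`), which the Apple workflow page linked at the top of the section describes as the final step, and without which Gatekeeper cannot verify the notarization offline. The leftover placeholder sentence "Else, remove this line" and the typos ("bellow", "documentaton", "send" for "sent", "congrat's") should also be cleaned up before merging.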