Commit a0221758 authored by Adrien

Update readme

parent f100499f
# bonita-codesign
Provide a REST endpoint used by our CI to sign MacOs and windows binaries with our EV Certificates
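Review bot: style point on the description line, `Provide a REST endpoint used by our CI to sign MacOs and windows binaries with our EV Certificates`: the platform names should read `macOS` and `Windows` (the `MacOs` spelling recurs in the notarization section below), and `Certificates` need not be capitalised.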
......@@ -67,3 +68,79 @@ You can skip the Xcode part if you have already generated valid certificates. If
* The first endpoint is used to sign the product: the .app must be sent in a zip file and will be returned in a zip file
* The second endpoint is used to build and sign the dmg: the .app of the installer must be sent in a zip file, and the dmg will be returned in a zip file
## Notarized Mac binaries
Since MacOs 10.14, mac binaries must be _notarized_, else they are considered as malicious, which is really bad for adoption.
Notarize a binary means send the binary to Apple and wait for their approval.
[You can find more detail here on the steps described bellow](
**⚠️ The notarization process has to be done for community and subscription installers**
* Retrieve dmg file. It contains the installer.
* Extract the .app inside the dmg (the installer)
* _Example: BonitaStudioCommunity-7.10.0.dmg_
* Create a zip from this .app
* _Example: BonitaStudioCommunity-7.10.0.zip_
* This zip has to be send to the Apple notarize service, using the following command line:
xcrun altool --notarize-app --primary-bundle-id "[FILE NAME]" --username "" --password "[PASSWORD]" --file [FILE PATH]
ℹ️ You can add `--verbose` at the end of the line if you need to investigate on an error ...
1. **primary-bundle-id** : According to the documentaton, the value _only needs to make sense to you_, and is used to _keep track of automated correspondence from the notarization service_ -> I don't really know what's the use of this but it's mandatory, so I suggest to use the name of the zip file send, which should refers to the binary notarized.
2. **username**: The Bonitasoft Apple developer username
3. **password**: ⚠️ This is **NOT** the password used to login on the Apple website with the username used (Yes ...).
* According to the documentation, _you must create an app-specific password for `altool`_ -> I created an application "Bonita Studio" with a specific password (which can be found on the R&D password page). You have to use the Apple username and this password.
* ⚠️ I don't know yet if we can use the same application for all the binaries. If not, then [new apps must be created]( (it is written that we can only have 25 apps, so I don't know how it is supposed to work, let see...). Else, remove this line
4. **file** The path to the zip archive you created.
Now you wait for a few minutes
You should see something like this:
altool[16765:378423] No errors uploading ''.
RequestUUID = 6e104d22-d43d-4fd8-ad42-c453816d01f1
-> It means that the binary has been correctly uploaded, and is being analysed before the be notarized.
You can enter the following command line just after the upload:
xcrun altool --notarization-info [RequestUUID] -u ""
⚠️ The application password is asked
You should get the following response:
No errors getting notarization info.
Date: 2019-11-28 13:44:21 +0000
Hash: 9b5d3dc9151cebc4959b60a7e04d6cd20c7e02fed977af79d4a98fd5392bb2b8
RequestUUID: 6e104d22-d43d-4fd8-ad42-c453816d01f1
Status: in progress
-> The binary is being analysed.
Try again after a few minutes, if it's fine you should get this:
No errors getting notarization info.
Date: 2019-11-28 13:44:21 +0000
Hash: 9b5d3dc9151cebc4959b60a7e04d6cd20c7e02fed977af79d4a98fd5392bb2b8
RequestUUID: 6e104d22-d43d-4fd8-ad42-c453816d01f1
Status: success
Status Code: 0
Status Message: Package Approved
-> The binary is now notarised, congrat's !
All user that are using / will use this binary won't have the error message _This software is malicious go to hell blabla_.
\ No newline at end of file
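Review bot: the notarization command in this hunk, `xcrun altool --notarize-app --primary-bundle-id "[FILE NAME]" --username "" --password "[PASSWORD]" --file [FILE PATH]`, tells readers to pass the app-specific password as a plain argument, which leaves it in shell history, CI job logs and `ps` output; suggest documenting altool's indirect forms instead, `--password "@keychain:AC_PASSWORD"` (after a one-time `xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u "<apple-id>" -p "<app-specific-password>"`) or `--password "@env:AC_PASSWORD"`, and using the same form on the `xcrun altool --notarization-info [RequestUUID] -u ""` line, which as written prompts for the password and so cannot run unattended in CI. Both command lines also carry an empty `--username ""` / `-u ""`; if that is a redaction, a visible placeholder such as `[APPLE ID]` is clearer. Two markdown links have no target and render broken: `[You can find more detail here on the steps described bellow](` and `[new apps must be created](`; each needs its URL (and "bellow" should be "below"). Minor: the sample output embeds a real `RequestUUID` and `Hash` from one run where placeholders would do, the `primary-bundle-id` item still reads as an open question ("I don't really know what's the use of this") rather than an instruction, and the file ends without a trailing newline.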