Replies: 5 comments 20 replies
-
I don't 100% trust that I'm notarizing the archive correctly. Everything says it works, but when I try verifying my zip it fails. The Apple docs on this aren't particularly clear on how to verify zip archives.
    codesign --verify --deep --strict --verbose=2 dist/macos_darwin_arm64/myapp
    spctl --assess -vv dist/myapp_0.2.0_darwin_arm64.zip
TBH, shrug at this point.
-
The main reason I haven't tried to improve this yet is that I also don't have a macOS developer account, and there are other things I want to improve first, but this is, in fact, on my todo list of things to take care of. I just can't promise any dates... FWIW, gon itself is released with goreleaser and notarized with gon, so maybe there's something to look into there.
-
I would love to hear if y'all find an answer for this. I've gotten as far as getting emails back from Apple after signing in a GitHub action but, in the end, it can never verify the sig when I download the artifact. After a few days of this I'm really at the end of my rope.
-
OK, I've got a test app just for this. I've got the notarization emails from Apple but Gatekeeper still balks (see attachment for binary check). This is all done on a test app I have at https://github.com/ChrisWiegman/hiroy and will delete when I can get this working. Feel free to check the config, PR, etc. Note it's using GitHub Actions but I don't think that should matter.
-
BTW, new kid in town: https://github.com/anchore/quill
-
I was trying to use gon and goreleaser together and couldn't find a decent example of how to make them play together, especially with any name template usage. It's messy.
I think the crux of the issue is that gon and goreleaser have differing workflows. We have somewhat conflicting interests. For instance:
Etc.
The docs on either side (goreleaser's or gon's) are incomplete in how to wire up a complete solution (sign & notarize) or when they do, they gloss over the unsupported hard-coded naming behavior.
Here is an end-to-end example I was able to make work (required acquiring the Developer ID (for signing) and an Installer ID (for notarizing) cert as documented in gon). Having to generate the gon.hcl on the fly makes it pretty clunky. Ideally, I think instead of trying to shell out to gon, goreleaser would integrate it as a library and trigger the requisite steps (sign binary after build, perform notarize after archive) correctly.
I'm sharing this in hopes that it might motivate creating a better workflow or integration.
Thank you!
complete goreleaser.yml config
For those that don't want to use gon to notarize, the notarize bits above could be replaced with:
notarize with notarytool
Note: notarytool will need a keychain profile pre-created to store the credentials. Run
    xcrun notarytool store-credentials --apple-id "name@example.com" --team-id "DEADBEEF"
to generate the profile, substituting the correct values for your Developer ID as needed. Regardless, a distribution then looks like:
run log
    goreleaser release --rm-dist --skip-publish --skip-validate
References:
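The verification commands in the first post and the notarytool flow at the end of the last post are easier to reason about as one script. The following is an added example written for this page, not code from the thread, from gon or from goreleaser. It assumes a hypothetical binary path dist/macos_darwin_arm64/myapp, a signing identity named "Developer ID Application: Example Corp (DEADBEEF)", and a notarytool keychain profile named notary-profile created with `xcrun notarytool store-credentials notary-profile --apple-id ... --team-id ...` (notarytool accepts the profile name as a positional argument). Two checks it adds that the thread's commands do not: it reads the status field from `notarytool submit --wait --output-format json` and fails the release unless the status is Accepted, pulling the submission log on failure so the rejection reason lands in CI output; and it runs the Gatekeeper assessment against the unpacked executable with `spctl -a -t exec`, because spctl does not assess zip archives and a bare command-line binary cannot carry a stapled ticket, so the assessment needs network access to look the ticket up.

```shell
#!/bin/sh
# Added example (not from the thread): sign a Go CLI binary, zip it, notarize the
# zip with notarytool, and verify the result. All names below are assumptions:
#   APP_BIN  path to the built darwin binary
#   DEV_ID   the "Developer ID Application: ..." identity in the login keychain
#   PROFILE  the notarytool keychain profile created with store-credentials
set -eu

APP_BIN="${APP_BIN:-dist/macos_darwin_arm64/myapp}"
DEV_ID="${DEV_ID:-Developer ID Application: Example Corp (DEADBEEF)}"
PROFILE="${PROFILE:-notary-profile}"
ZIP="${ZIP:-${APP_BIN}.zip}"

# Extract the "status" field from `notarytool submit --output-format json`.
# Plain sed so it works without jq; prints the status string on stdout.
notarization_status() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the submission "id" field from the same JSON, for `notarytool log`.
notarization_id() {
    printf '%s' "$1" | sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# 1. Sign the bare binary. Hardened runtime and a secure timestamp are both
#    required for notarization to succeed. --deep is omitted: it is meant for
#    bundles, and a single Mach-O file has nothing nested to sign.
sign_binary() {
    codesign --sign "$DEV_ID" --options runtime --timestamp --force "$1"
    codesign --verify --strict --verbose=2 "$1"
}

# 2. Zip just the binary (the signature lives inside the Mach-O, so no
#    extended attributes need to survive the archive step).
archive_binary() {
    rm -f "$2"
    zip -j "$2" "$1"
}

# 3. Submit and wait. Do not trust the e-mail alone: fail unless Apple reports
#    "Accepted", and fetch the developer log so the reason for a rejection
#    (missing timestamp, unsigned nested binary, ...) is visible.
notarize_archive() {
    out=$(xcrun notarytool submit "$1" --keychain-profile "$PROFILE" --wait --output-format json)
    st=$(notarization_status "$out")
    if [ "$st" != "Accepted" ]; then
        id=$(notarization_id "$out")
        echo "notarization failed: status=${st:-unknown} id=${id:-unknown}" >&2
        if [ -n "$id" ]; then
            xcrun notarytool log "$id" --keychain-profile "$PROFILE" >&2
        fi
        return 1
    fi
}

# 4. Assess the executable, not the zip: spctl does not evaluate archives.
#    A standalone binary cannot have the ticket stapled (stapler handles
#    .app, .pkg and .dmg), so this lookup needs network access to Apple.
#    Expected on success: "accepted" with "source=Notarized Developer ID".
verify_binary() {
    spctl --assess --type exec --verbose=2 "$1"
}

main() {
    sign_binary "$APP_BIN"
    archive_binary "$APP_BIN" "$ZIP"
    notarize_archive "$ZIP"
    verify_binary "$APP_BIN"
}

# Only run the pipeline when asked to, so the helpers can be sourced elsewhere.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it on macOS as `sh notarize.sh run` after the goreleaser build step, or call it from a goreleaser post-build hook with APP_BIN set to the built path; the two JSON helpers are plain sed, so they also work in a Linux CI step that only inspects a saved notarytool response.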