Den ons 10 juli 2019 kl 13:20 skrev Andy <asmalo...@gmail.com>: > > It sounds like not signing at all is still an option?
Yes, I guess not signing our builds (except releases), and asking testers to use Ctrl-click + "Open" instead of double-clicking, is what we'll do as a workaround, if it turns out there's no way for a user to launch a signed build without it being notarized. It's just a bit of awkward, I sort of liked how we had set up our CI so that every build is essentially built like it was a release (well, with the exception of this notarization, which we only do on tagged releases due to the time it takes). > > "Mac apps, installer packages, and kernel extensions that are signed with > Developer ID must also be notarized by Apple in order to run on macOS > Catalina." > > Apple has made this way too complicated to be useful IMHO. Yes, and it doesn't help that the notarization process is rather slow. Oh well, one only has to accept it. Elvis > > --- > Andy Maloney // https://asmaloney.com > twitter ~ @asmaloney > > > > On Wed, Jul 10, 2019 at 5:28 AM Elvis Stansvik <elvst...@gmail.com> wrote: >> >> Den tis 9 juli 2019 kl 19:57 skrev Adam Light <acli...@gmail.com>: >> > >> > >> > >> > On Fri, Jun 21, 2019 at 12:13 AM Kai Köhne <kai.koe...@qt.io> wrote: >> >> >> >> >> >> I understand that the "hardened runtime" enabling happens at codesign >> >> time, >> >> so this should arguably be a feature of macdeployqt. It's not there yet >> >> though, >> >> at least according to https://bugreports.qt.io/browse/QTBUG-71291 . If >> >> you're >> >> right that this will become mandatory for macOS 10.15, it arguably get a >> >> higher >> >> priority; feel free to comment, including a link to the source of this >> >> statement. >> >> >> >> For the time being, it seems you've to execute the codesign call yourself. >> >> >> > >> > Notarization is a requirement for macOS 10.15 (Catalina, currently in >> > beta). See https://developer.apple.com/news/?id=06032019i for an official >> > source of this requirement. In one of the WWDC 2019 talks about security >> > and code signing/notarization, they mentioned that this was true for >> > applications built (or maybe it's signed) after some date in early June. >> > For example, Qt 4.9.2, released June 26, 2019, will not run on Catalina >> > beta 3 without knowing how to work around the notarization requirement. >> >> With "work around" do you mean from the user POV (e.g. somehow >> disabling Gatekeeper, or Ctrl+Open, or something else) or from a >> developer POV (so, having to notarize)? >> >> I'd like to know if there is some reasonably simple way for users to >> get around the requirement. We will not be able to notarize every >> build we do, because of the time it takes. But at the same time we, >> and our testers, must be able to test random builds from Git (we build >> a .dmg for every commit) to try out in-progress features/bug fixes... >> So I really hope there will be some way for the user to get around the >> notarization requirement. >> >> Elvis >> >> > >> > Note also that notarization is separate from hardened runtime. An >> > application built with the 10.14 SDK or later must enable hardened runtime >> > in order for it to be possible to notarize the application, but it is >> > possible to notarize applications built with previous SDK versions for >> > which hardened runtime did not exist. >> > >> > See my comment at >> > https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 >> > for some links that are particularly helpful in describing all of the >> > complexities involved in notarization and hardened runtime. >> > >> > Adam >> > _______________________________________________ >> > Interest mailing list >> > Interest@qt-project.org >> > https://lists.qt-project.org/listinfo/interest >> _______________________________________________ >> Interest mailing list >> Interest@qt-project.org >> https://lists.qt-project.org/listinfo/interest _______________________________________________ Interest mailing list Interest@qt-project.org https://lists.qt-project.org/listinfo/interest
