Opened 10 months ago

Closed 7 months ago

Last modified 7 months ago

#23125 closed defect (fixed)

macOS notarization requires new contracts to be signed

Reported by: taylor.smock
Owned by: team
Priority: normal
Milestone: 23.11
Component: Installer MacOS
Version:
Keywords: macosx
Cc: Don-vip, stoecker

Description

It looks like notarization failed on the last tested release ( https://github.com/JOSM/josm/actions/runs/5717310655/job/15518876822 ).

Preparing for notarization
Uploading to Apple
2023-08-01 13:10:12.013 *** Error: Notarization failed for 'app/JOSM.zip'.
2023-08-01 13:10:12.014 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id 58628c01-198e-4c80-8a97-35ee758c7208 You do not have required contracts to perform an operation (-19208)
 {
    NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id 58628c01-198e-4c80-8a97-35ee758c7208";
    NSLocalizedFailureReason = "You do not have required contracts to perform an operation";
}
2023-08-01 13:10:12.014 *** Warning: altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software. (-1030)

It also looks like I need to fiddle with notarytool to figure out what flags need to be sent as well, but that is something I can do.

Attachments (0)

Change History (12)

comment:1 by Don-vip, 10 months ago

What is the contract we use with Apple? I just tried to log in with the FOSSGIS account but there's 2FA. Somebody received a notification on his phone; is that you, Dirk? Or Thomas?

comment:2 by stoecker, 10 months ago

I'm not involved in the Apple account.

comment:3 by taylor.smock, 10 months ago

In 18809/josm:

See #23125: Prefer notarytool if it is available; fall back to altool if it is not

The altool notarization process will stop working in the next few months, so we
need to switch to notarytool.

For now, we will try to use notarytool, and if I messed up the command line,
it should fall back to altool.

comment:4 by taylor.smock, 10 months ago

The Apple notarization process seems like it is a headache. I know Stereo was involved (#14117). Would he have the account details?

comment:5 by Don-vip, 10 months ago

It seems we use Thomas's account at FOSSGIS:
https://josm.openstreetmap.de/browser/josm/trunk/native/macosx/macos-jpackage.sh?annotate=blame#L14

We should either contact him to remove 2FA from his account, or ask FOSSGIS to create a new account with an appropriate contract for us.

comment:6 by taylor.smock, 7 months ago

@stoecker: Can you add P8AAAGN2AM to the GitHub secrets? It is the --team-id parameter for notarytool, and I'd like to avoid hard-coding it into the workflow. We currently have APPLE_ID and APPLE_ID_PW, so APPLE_ID_TEAM is probably a "good" name. Just let me know what it is so I can use the correct variable in source:trunk/native/macosx/macos-jpackage.sh#L97 .
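
Added example, not part of the ticket or of JOSM's build script: one way a CI step can follow the notarytool-first, altool-fallback order described in comment:3 while reading the team ID from the APPLE_ID_TEAM secret requested in comment:6 instead of hard-coding it. The function names and the bundle-id argument are assumptions.

```shell
# Added example, not JOSM's macos-jpackage.sh. APPLE_ID, APPLE_ID_PW and
# APPLE_ID_TEAM are the secret names from the ticket; the function names and
# the bundle-id argument are assumptions.

# Print the names (never the values) of required secrets that are unset or empty.
missing_notary_env() {
  missing=""
  [ -n "${APPLE_ID:-}" ]      || missing="$missing APPLE_ID"
  [ -n "${APPLE_ID_PW:-}" ]   || missing="$missing APPLE_ID_PW"
  [ -n "${APPLE_ID_TEAM:-}" ] || missing="$missing APPLE_ID_TEAM"
  printf '%s' "${missing# }"
}

# True when xcrun can locate notarytool in the selected Xcode toolchain.
have_notarytool() {
  command -v xcrun >/dev/null 2>&1 && xcrun --find notarytool >/dev/null 2>&1
}

# notarize <zip> <bundle-id>: prefer notarytool, fall back to altool.
# Do not enable `set -x` around this function: tracing would print the
# app-specific password.
notarize() {
  missing_names="$(missing_notary_env)"
  if [ -n "$missing_names" ]; then
    # Fail before contacting Apple, and report which secret is absent.
    echo "notarize: missing secrets: $missing_names" >&2
    return 2
  fi
  if have_notarytool; then
    # --wait blocks until the notary service has finished processing.
    xcrun notarytool submit "$1" --apple-id "$APPLE_ID" \
      --password "$APPLE_ID_PW" --team-id "$APPLE_ID_TEAM" --wait && return 0
    echo "notarize: notarytool failed, trying altool" >&2
  fi
  xcrun altool --notarize-app -f "$1" --primary-bundle-id "$2" \
    -u "$APPLE_ID" -p "$APPLE_ID_PW"
}

# Usage on a macOS runner: notarize app/JOSM.zip <bundle-id>
```

Checking the secrets by name before the upload turns an unset APPLE_ID_TEAM into an immediate, readable failure rather than an error returned by the notary service.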

comment:7 by stoecker, 7 months ago

Added as requested.

comment:8 by taylor.smock, 7 months ago

Thank you.

comment:9 by taylor.smock, 7 months ago

Resolution: fixed
Status: new → closed

In 18878/josm:

Fix #23125: Update macos notarization

comment:10 by taylor.smock, 7 months ago

Milestone: 23.10

comment:11 by taylor.smock, 7 months ago

In 18879/josm:

See #23125: Add secret to GH action environment

comment:12 by taylor.smock, 7 months ago

Milestone: 23.10 → 23.11

Ticket retargeted after milestone deleted
