Add signing and notarisation to PKG installers #1856
Conversation
|
I'll have to wait for my Apple developer account to reactivate before I can test this – I paid today, but it apparently takes 24-48 hours to take effect. |
|
Signing works fine, but notarization has now been "in progress" for over an hour. This probably isn't Briefcase's fault, but I'll leave it overnight and see what happens. |
|
Yeah - notarisation is known to be a bit flaky. Not sure what we can do to make it less flaky though; we're entirely dependent on Apple's servers returning a response. |
|
My first notarization attempt was still "in progress" after 10 hours. I interrupted it and tried again, and it succeeded after an additional 4 hours and 25 minutes. I've only ever notarized something once before (this DMG). I don't remember how long it took, but it wasn't this long. If this happens to other people then it might be worth printing a prominent warning. But it doesn't look as if many people are using the macOS packaging feature yet, so let's wait until we get some more feedback. |
Unsigned macOS Installers are a bit difficult to use, as the OS "unknown developer" handling prevents installation.
This PR adds signing and notarisation options to
.pkgbuilds.This signing requires a different signing identity - you need a "Development ID Installer" identity, rather than a "Development ID Application". To facilitate this, a
--installer-identityoption has been added (plus a--no-sign-installeroption to avoid signing entirely).Identity selection is a little complicated, because macOS doesn't appear to give a way to just list the installer certificates; so - this implementation lists all non-app certificates from the same Team ID as the application certificate.
PR Checklist: