UlisesGascon commented Nov 8, 2023

Main Changes

Added stapling for the notarized binaries on macOS.

cc: @nodejs/build @nodejs/releasers

Context

Gatekeeper will perform a check for a notarization ticket online. If it can't reach the server (due to no internet connection, for example), and if the ticket isn't stapled to the app, macOS will prevent the app from running because it can't verify that it is notarized.

You can find more information in this amazing article https://tonygo.ghost.io/notarization-for-macos-app-with-notarytool/ by @tony-go

Notes

I am working on a separate PR for the validation of the binaries.

Test

This was tested in the iojs+release-ulises-experimental pipeline in the Jenkins CI release.

Full log available here

14:27:03 sh tools/osx-notarize.sh v22.0.0-test202311086410f3bf0d
14:27:03 Notarization process is done with Notarytool.
14:27:03 Submitting node-v22.0.0-test202311086410f3bf0d.pkg for notarization...
14:27:03 Conducting pre-submission checks for node-v22.0.0-test202311086410f3bf0d.pkg and initiating connection to the Apple notary service...
14:27:05 Submission ID received
14:27:05 id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:27:11 Successfully uploaded file
14:27:11 id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:27:11 path: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:27:11 Waiting for processing to complete.
14:27:17 Current status: In Progress... Current status: In Progress.... Current status: In Progress..... Current status: In Progress...... Current status: In Progress....... Current status: In Progress........ Current status: In Progress......... Current status: In Progress.......... Current status: In Progress........... Current status: In Progress............ Current status: In Progress............. Current status: In Progress.............. Current status: Accepted...............Processing complete
14:28:57 id: 28708d84-5489-4e4a-b1cc-fe1fa5d840d9
14:28:57 status: Accepted
14:28:57
14:28:57 Notarization node-v22.0.0-test202311086410f3bf0d.pkg submitted successfully.
14:28:57 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:28:57 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311086410f3bf0d.pkg
14:28:58 The staple and validate action worked!
14:28:58 Stapler was successful.
[...redacted...]
14:29:10 Finished: SUCCESS
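The step this PR adds to the release script, written out as an added shell example (it is not the project's tools/osx-notarize.sh): after notarytool has accepted a package, the ticket Apple issued is stapled to the artifact and the staple is then validated locally, which is the only check a machine without connectivity can still perform. The XCRUN variable, the function names and the exit codes are assumptions introduced here; the commands themselves are the xcrun stapler CLI.

```shell
#!/bin/sh
# Added example, not the project's tools/osx-notarize.sh: staple a notarization
# ticket to a .pkg and validate the staple without contacting Apple again.
# XCRUN is an assumption introduced here so a CI job (or a test) can point the
# script at a stub instead of the real xcrun.
: "${XCRUN:=xcrun}"

# staple_and_validate PKG
# Exit status (assumed convention): 0 stapled and validated,
# 1 the stapler rejected the artifact, 2 the artifact does not exist.
staple_and_validate() {
  pkg="$1"
  if [ ! -f "$pkg" ]; then
    echo "staple: artifact not found: $pkg" >&2
    return 2
  fi
  # Attach the ticket the notary service issued for this artifact's hash.
  # This step fetches the ticket from Apple, so it still needs network access.
  if ! "$XCRUN" stapler staple "$pkg"; then
    echo "staple: could not staple a ticket to $pkg" >&2
    return 1
  fi
  # Check the stapled ticket against the artifact locally. An offline
  # Gatekeeper relies on exactly this ticket, so a release must not ship
  # unless the validation passes.
  if ! "$XCRUN" stapler validate "$pkg"; then
    echo "staple: stapled ticket failed validation for $pkg" >&2
    return 1
  fi
  echo "staple: $pkg stapled and validated"
  return 0
}

# staple_all PKG... : staple every artifact a build produced and report the
# last failure, so the release job can stop before an unstapled package is
# published.
staple_all() {
  status=0
  for artifact in "$@"; do
    staple_and_validate "$artifact" || status=$?
  done
  return "$status"
}
```

In a release pipeline the script is invoked once per package produced by the build; because both functions return a non-zero status on any failure, a `set -e` job aborts at the first artifact the stapler rejects instead of uploading it.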

nodejs-github-bot added the macos (Issues and PRs related to the macOS platform / OSX) and tools (Issues and PRs related to the tools directory) labels Nov 8, 2023
UlisesGascon marked this pull request as ready for review November 8, 2023 14:08
UlisesGascon added the request-ci (Add this label to start a Jenkins CI on a PR), lts-watch-v18.x and lts-watch-v20.x (PRs that may need to be released in v20.x) labels Nov 8, 2023
github-actions bot removed the request-ci label Nov 8, 2023
tony-go left a comment


Fantastic work, my dear @UlisesGascon 👏🏼 😍 and thanks for the mention.

lpinca added the commit-queue-rebase, commit-queue (Add this label to land a pull request using GitHub Actions) and commit-queue-squash (Add this label to instruct the Commit Queue to squash all the PR commits into the first one) labels and removed the commit-queue-rebase label Nov 11, 2023
nodejs-github-bot removed the commit-queue label Nov 11, 2023
nodejs-github-bot merged commit ce6c9b0 into nodejs:main Nov 11, 2023

Landed in ce6c9b0

targos pushed a commit that referenced this pull request Nov 12, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
targos mentioned this pull request Nov 12, 2023
targos pushed a commit that referenced this pull request Nov 14, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
UlisesGascon added a commit that referenced this pull request Dec 11, 2023
PR-URL: #50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
UlisesGascon mentioned this pull request Dec 12, 2023
richardlau pushed a commit that referenced this pull request Jan 16, 2024
PR-URL: #50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
richardlau added the backported-to-v18.x and backported-to-v20.x (PRs backported to the v20.x-staging branch) labels and removed the lts-watch-v20.x label Jan 16, 2024
RafaelGSS pushed a commit that referenced this pull request Feb 14, 2024
This is a security release.

Notable changes:

crypto:
  * update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade npm to 10.2.4 (npm team) #50751
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
test:
  * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
tools:
  * add macOS notarization verification step (Ulises Gascón) #50833
  * use macOS keychain to notarize the releases (Ulises Gascón) #50715
  * remove unused file (Ulises Gascon) #50622
  * add macOS notarization stapler (Ulises Gascón) #50625
  * improve macOS notarization process output readability (Ulises Gascón) #50389
  * remove unused `version` function (Ulises Gascón) #50390
win,tools:
  * upgrade Windows signing to smctl (Stefan Stojanovic) #50956
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

PR-URL: nodejs-private/node-private#545
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 20, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025
PR-URL: nodejs#50625
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025
