Staging pipeline should sign binaries in Mac archives #7076
Comments
|
I took a look at this to determine what should be done here. There are two potential places to put this code:
I believe signtool is the right long-term location for all signing and notarization. However, right now this still needs to work with 2.1, 3.1, and 5.0 and there are things to work out if we wanted to do that:
Based on this, it might be best to leave the mac signing in osx_pkg_operations.py for now, and augment it to unpack and deal with the tar.gz archives. It would be best if this was done by a person who has a mac though, as it's rather difficult to alter the code without being able to run it. /cc @richlander |
|
/cc @markwilkie |
|
Which epic do you think this belong in @mmitche ? |
|
[Async Triage] I got nothin' |
Probably its own? It bigger than a one off item, though not huge. |
|
[Async Triage] How urgent is this? What would happen if we didn't implement it soon? |
|
I think it's blocking some scenarios right now (Offinline install of Education Bundle) /cc @mavasani |
|
[Async Triage] if one or more user users can confirm blocked-ness, this is within scope of FR. (@mavasani ?) |
This makes me think it's probably not a great fit for FR. It seems like it might fit the urgency, but not the scope. |
|
I consider this issue "blocking". Obviously, it depends on what blocking truly means, but "unreasonable pain" doesn't really cover it. The lack of signing is blocking certain important scenarios. |
|
@mmitche - what's the cost here do you think? |
|
Here's what I wrote in another mail: I think the following needs to happen for this to be done completely:
I think #1 is < 1 week (rollout not included), #2 is a few days (it’s just adding a new archive type to handle), and #3 is probably ~2 weeks, maybe a little more. Conservatively, we should add on some time for unknowns there. The mac notarization script is the hardest part. It’s centered around pkg files right now. It also needs to be done by someone with access to a mac, since it only runs on a mac. I’d say it’s about a month of work, calendar time. All 3 aspects can be parallelized though. |
|
Temp workarounds: You might be able to manually deconstruct a signed pkg (or maybe just install the product?), pull out the files you need and replace them in the .tar.gz and .zip files. Seems possible to hack up at least. Definitely fraught though, as you would want to ensure that those altered archives get replaced everywhere. I don’t have a Mac to test this out (a Mac is required for all these signing operations), so this is largely off the top of my head. |
The problem is that you cannot. .NET 5 x64 and .NET 6 Arm64 cannot co-exist on an Apple Silicon machine, installed globally with our installers. That's why this is a blocking issue. I have to On the deconstruction idea, are the files within the pkg signed, or just the pkg? |
|
@richlander I meant to install it as a one-off on an isolated machine to extract the binaries, the update them elsewhere. I seems like there are multiple issues around the mac signing that are blocking different scenarios? The ones I've heard primarily about are:
|
|
[Async Triage]: Is it worth to create a mini epic for this? |
|
Yep I think so. |
|
[Async Triage]: Converted to epic per @mmitche, FYI @markwilkie. |
|
Moved remaining issue to future work, closing this epic. |
The mac .pkg files have signed binaries in them today (and the pkg files are notarized). But we stopped short of repacking the osx archives with those binaries. This should be resolved, for 3.1+
Epic completion check boxes:
Walk scenario:
Current status: This PR should address both of these, I am currently continuing to add to the readme to be stored in the eng folder adjacent to the signing scripts.
Run scenario: (pending feasibility)
The text was updated successfully, but these errors were encountered: