Merge branch 'feature-pkg'

Author: pjkundert

.gitignore

@@ -20,9 +20,9 @@ build/
 MANIFEST
 dist/
 *.egg-info/
-*.svg
 .vagrant
 .pytest_cache/
 .cache/
 .eggs
 private_keys
+images/SLIP39.iconset

GNUmakefile

@@ -69,6 +69,7 @@ app-zip:		dist/SLIP39-$(VERSION).app.zip
 
 # Generate, Sign and Pacakage the macOS SLIP39.app GUI package for App Store
 app-pkg:		dist/SLIP39-$(VERSION).pkg
+app-pkg-signed:		dist/SLIP39-$(VERSION)-signed.pkg
 
 #
 # Build a deployable macOS App
@@ -78,23 +79,48 @@ app-upload:	dist/SLIP39-$(VERSION).app.zip
 	xcrun altool --validate-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
 	&& xcrun altool --upload-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
 
+# dist/SLIP39-$(VERSION).pkg: dist/SLIP39.app FORCE
+# 	pkgbuild --install-location /Applications --component $< $@
+
+#--identifier $(BUNDLEID)
+# codesign -vvvv -R="anchor apple" $</Contents/MacOS/Python \
+#     || codesign --deep --force --options=runtime --timestamp \
+# 	--entitlements ./SLIP39.metadata/entitlements.plist \
+# 	--sign "$(DEVID)" \
+# 	$< \
+# 	    && codesign -vvvv -R="anchor apple" $</Contents/MacOS/Python
+# codesign -vvvv -R="anchor apple" $</Contents/MacOS/Python
+
+# doesn't work...  code is not signed by an apple-anchored Dev. ID
 dist/SLIP39-$(VERSION).pkg: dist/SLIP39.app FORCE
-	grep -q "CFBundleVersion" "$</Contents/Info.plist" || sed -i "" -e 's:<dict>:<dict>\n\t<key>CFBundleVersion</key>\n\t<string>0.0.0</string>:' "$</Contents/Info.plist"
-	sed -i "" -e "s:0.0.0:$(VERSION):" "$</Contents/Info.plist"
-	codesign --deep --force --options=runtime --timestamp \
-	    --entitlements ./SLIP39.metatdata/entitlements.plist \
-	    --sign "$(DEVID)" \
-	    $<
-	codesign -dv -r- $<
-	codesign -vv $<
-	xcrun altool --validate-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290
-	pkgbuild --install-location /Applications --component $< $@
+	productbuild --sign "$(PKGID)" --timestamp \
+	    --identifier "$(BUNDLEID).pkg" \
+	    --version $(VERSION) \
+	    --component $< /Applications \
+	    $@
+	xcrun altool --validate-app -f $@ -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290
 
 dist/SLIP39-$(VERSION)-signed.pkg:  dist/SLIP39-$(VERSION).pkg
 	productsign --timestamp --sign "$(PKGID)" $< $@
 	spctl -vv --assess --type install $@
 
 
+dist/SLIP39-$(VERSION).notarization: dist/SLIP39-$(VERSION).pkg
+	xcrun altool --notarize-app -f $< \
+	    --team-id ZD8TVTCXDS \
+	    --primary-bundle-id ca.kundert.perry.SLIP39 \
+	    --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
+	    --output-format json \
+		> $@
+
+dist/SLIP39-$(VERSION).status: FORCE # dist/SLIP39-$(VERSION).notarization
+	xcrun altool \
+	    --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
+	    --notarization-info $$( jq -r '.["RequestUUID"]' < dist/SLIP39-$(VERSION).notarization ) \
+		| tee -a $@
+
+
+
 #(cd dist; zip -r SLIP39.app-$(VERSION).zip SLIP39.app)
 # Create a ZIP archive suitable for notarization.
 dist/SLIP39-$(VERSION).app.zip: dist/SLIP39.app FORCE
@@ -113,14 +139,18 @@ dist/SLIP39-$(VERSION).app.zip: dist/SLIP39.app FORCE
 	/usr/bin/ditto -c -k --keepParent "$<" "$@"
 	@ls -last dist
 
-# Rebuild the gui App; ensure we discard any partial/prior build and gui artifacts
-# The --onefile approach doesn't seem to work, as we need to sign things after packaging.
-# We need to customize the SLIP39.spec file (eg. for version), so we do not target SLIP39.py
-# 
-dist/SLIP39.app: SLIP39.spec
+# Rebuild the gui App; ensure we discard any partial/prior build and gui artifacts The --onefile
+# approach doesn't seem to work, as we need to sign things after packaging.  We need to customize
+# the SLIP39.spec file (eg. for version), so we do not target SLIP39.py (which would re-generate it
+# without our additions)
+#
+# Additional .spec file configurations:
+# - https://developer.apple.com/documentation/bundleresources/information_property_list/lsminimumsystemversion
+dist/SLIP39.app: SLIP39.spec images/SLIP39.icns
 	rm -rf build $@*
-	grep "version='$(VERSION)'" $< || sed -i "" -e "s/version='[0-9.]*'/version='$(VERSION)'/" $<
-	pyinstaller $<
+	sed -I "" -E "s/version=.*/version='$(VERSION)',/" $<
+	sed -I "" -E "s/'CFBundleVersion':.*/'CFBundleVersion':'$(VERSION)',/" $<
+	pyinstaller --noconfirm $<
 
 # Only used for initial creation of SLIP39.spec.  
 SLIP39.spec: SLIP39.py
@@ -131,6 +161,24 @@ SLIP39.spec: SLIP39.py
 	    --collect-data shamir_mnemonic \
 		$<
 
+# See: https://stackoverflow.com/questions/12306223/how-to-manually-create-icns-files-using-iconutil
+images/SLIP39.icns: images/SLIP39.iconset 
+	iconutil --convert icns -o $@ $<
+
+images/SLIP39.iconset: images/SLIP39.png
+	mkdir $@
+	sips -z   16   16 $< --out $@/icon_16x16.png
+	sips -z   32   32 $< --out $@/[email protected]
+	sips -z   32   32 $< --out $@/icon_32x32.png
+	sips -z   64   64 $< --out $@/[email protected]
+	sips -z  128  128 $< --out $@/icon_128x128.png
+	sips -z  256  256 $< --out $@/[email protected]
+	sips -z  256  256 $< --out $@/icon_256x256.png
+	sips -z  512  512 $< --out $@/[email protected]
+	sips -z  512  512 $< --out $@/icon_512x512.png
+	sips -z 1024 1024 $< --out $@/[email protected]
+
+
 # Support uploading a new version of slip32 to pypi.  Must:
 #   o advance __version__ number in slip32/version.py
 #   o log in to your pypi account (ie. for package maintainer only)

README.pdf

@@ -2,5 +2,7 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
   <dict>
+    <key>com.apple.security.app-sandbox</key>
+    <true/>
   </dict>
 </plist>

SLIP39.metadata/entitlements.plist

@@ -37,7 +37,7 @@ exe = EXE(pyz,
           disable_windowed_traceback=False,
           target_arch=None,
           codesign_identity='Developer ID Application: Perry Kundert (ZD8TVTCXDS)',
-          entitlements_file=None )
+          entitlements_file='SLIP39.metadata/entitlements.plist' )
 coll = COLLECT(exe,
                a.binaries,
                a.zipfiles,
@@ -50,5 +50,10 @@ app = BUNDLE(coll,
              name='SLIP39.app',
              icon='images/SLIP39.icns',
              bundle_identifier='ca.kundert.perry.SLIP39',
-             version='6.2.0',
-             )
+             version='6.4.0',
+             info_plist={
+                 'CFBundleVersion':'6.4.0',
+                 'LSApplicationCategoryType':'public.app-category.utilities',
+                 'LSMinimumSystemVersion':'10.15.0',
+             })
+

SLIP39.spec

@@ -22,21 +22,28 @@ nil
 #+BEGIN_ABSTRACT
 Creating Ethereum, Bitcoin and other accounts is complex and fraught with potential for loss of funds.
 
-All Crypto wallets start with a "Seed": a large, random number that is used to generate all of the
-actual Bitcoin, Ethereum, etc. wallets.
+All Crypto wallets start with a "Seed": a large, random number used to generate all of the actual
+Bitcoin, Ethereum, etc. wallets.  
 
 The best practice for using these wallets is to load this "Seed" into a secure hardware device, like
-a Trezor hardware wallet.
+a Trezor hardware wallet.  SLIP39 Mnemonic cards contain the recovery words, which are typed directly
+into the Trezor device to recover the Seed, and all of its accounts.
+
+The macOS SLIP39 app helps you generate Mnemonic cards and back up this seed, securely and reliably,
+by distributing Mnemonic cards for the seed to partners, family and friends.
+
+Later, if you (or your heirs!) need to recover the accounts, they can collect a sufficient threshold
+of the cards and regain access to the account.
 #+END_ABSTRACT
 #+TOC: headlines 2
 
 * Security with Availability
 
-  For both BIP-39 and SLIP-39, a 128-bit random "seed" is the source of an unlimited sequence of
-  Ethereum HD Wallet accounts.  Anyone who can obtain this seed gains control of all Ethereum,
+  For both BIP-39 and SLIP-39, a 128-bit or 256-bit random "Seed" is the source of an unlimited sequence of
+  Ethereum HD Wallet accounts.  Anyone who can obtain this Seed gains control of all Ethereum,
   Bitcoin (and other) accounts derived from it, so it must be securely stored.
 
-  Losing this seed means that all of the HD Wallet accounts are permanently lost.  Therefore, it
+  Losing this Seed means that all of the HD Wallet accounts are permanently lost.  Therefore, it
   must be backed up reliably, and be readily accessible.
 
   Therefore, we must:
@@ -45,3 +52,35 @@ a Trezor hardware wallet.
   - Store the seed in many places with several (some perhaps untrustworthy) people.
 
   How can we address these conflicting requirements?
+
+** SLIP-39 Mnemonic Recovery Cards
+
+   We don't recommend writing down one BIP-39 12-word or 24-word Mnemonic phrase, and hoping that
+   *you* can find it, but that nobody else *ever* finds it!
+
+   Instead, generate a number of SLIP-39 Mnemonic cards, which can be collected to recover the Seed:
+   #+CAPTION: SLIP39 Cards PDF
+   #+ATTR_LATEX: :width 5in
+   [[./images/slip39-pdf.png]]
+   
+
+* Affiliate Links
+
+  To assist you in obtaining various SLIP39 compatible components, we have established some
+  relationship with reliable vendors.
+
+** Trezor
+
+   The [[https://shop.trezor.io/product/trezor-model-t?offer_id=15&aff_id=10388][Trezor Model T hardware wallet]] has built-in SLIP39 generation and recovery capability.
+
+   #+BEGIN_EXPORT html
+   <a href="https://shop.trezor.io/product/trezor-model-t?offer_id=15&aff_id=10388&file_id=534" target="_blank"><img src="https://media.go2speed.org/brand/files/trezor/15/20210707060206-T1TT_banner_728x90_3.png" width="728" height="90" border="0" /></a><img src="http://trezor.go2cloud.org/aff_i?offer_id=15&file_id=534&aff_id=10388" width="0" height="0" style="position:absolute;visibility:hidden;" border="0" />
+   #+END_EXPORT
+
+   #+BEGIN_EXPORT html
+   <!-- Javascript Ad Tag: 1083 -->
+   <div id="trezor1083SycVfv"></div>
+   <script src="http://trezor.go2cloud.org/aff_ad?campaign_id=1083&aff_id=10388&format=js&divid=trezor1083SycVfv" type="text/javascript"></script>
+   <!-- // End Ad Tag -->
+   #+END_EXPORT
+