Continuing work toward zip/dmg/pkg packaging

pjkundert · pjkundert · commit 5422591afbd9 · 2022-02-10T15:49:17.000-07:00
diff --git a/GNUmakefile b/GNUmakefile
@@ -3,11 +3,17 @@
 # 
 
 # Change to your own Apple Developer ID, if you want to code-sign the resultant .app
+
+
 APPLEID		?= perry@kundert.ca
 TEAMID		?= ZD8TVTCXDS
+# The unique App ID assigned by App Store Connect, under App Information (NOT your Apple ID!!)
+APPID		?= 1608360813
 #DEVID		?= 3rd Party Mac Developer Application: Perry Kundert ($(TEAMID))
 DEVID		?= Developer ID Application: Perry Kundert ($(TEAMID))
 PKGID		?= 3rd Party Mac Developer Installer: Perry Kundert ($(TEAMID))
+#PKGID		?= Developer ID Installer: Perry Kundert ($(TEAMID))
+DSTID		?= Apple Distribution: Perry Kundert ($(TEAMID))
 BUNDLEID	?= ca.kundert.perry.SLIP39
 APIISSUER	?= 5f3b4519-83ae-4e01-8d31-f7db26f68290
 APIKEY		?= 5H98J7LKPC
@@ -65,19 +71,23 @@ dist/slip39-$(VERSION)-py3-none-any.whl: build-check FORCE
 install:		dist/slip39-$(VERSION)-py3-none-any.whl FORCE
 	$(PY3) -m pip install --force-reinstall $<[gui,serial,json]
 
-# Building a macOS App
-
-
+# Building / Upload a macOS App
 app:			dist/SLIP39.app
-
-app-upload:		dist/SLIP39-$(VERSION).dmg.uploaded
-
+app-upload:		app-pkg-upload
 
 # Generate, Sign and Package the macOS SLIP39.app GUI for App Store or local/manual installation
+# o Try all the approaches of packaging a macOS App for App Store upload
 app-dmg:		dist/SLIP39-$(VERSION).dmg
 app-zip:		dist/SLIP39-$(VERSION).zip
 app-pkg:		dist/SLIP39-$(VERSION).pkg
 
+app-dmg-valid:		dist/SLIP39-$(VERSION).dmg.valid
+app-zip-valid:		dist/SLIP39-$(VERSION).zip.valid
+app-pkg-valid:		dist/SLIP39-$(VERSION).pkg.valid
+
+app-dmg-upload:		dist/SLIP39-$(VERSION).dmg.upload-package
+app-zip-upload:		dist/SLIP39-$(VERSION).zip.upload-package
+app-pkg-upload:		dist/SLIP39-$(VERSION).pkg.upload-package
 
 # 
 # Build the macOS App, and create and sign the .dmg file
@@ -93,7 +103,21 @@ dist/SLIP39-$(VERSION).dmg:	dist/SLIP39.app
 	mv "SLIP39 $(VERSION).dmg" "$@"
 	@echo "Checking signature..."; ./SLIP39.metadata/check-signature $@
 
-# Upload the .dmg, unless we've already uploaded it and have a RequestUUID
+.PHONY: dist/SLIP39-$(VERSION).dmg-verify
+dist/SLIP39-$(VERSION).dmg-verify: dist/SLIP39-$(VERSION).dmg
+	@echo "\n\n*** Verifying signing of $<..."
+	#codesign --verify -v $< \
+	#    || ( echo "!!! Unable to verify codesign: "; codesign --verify -vv $<; false )
+	spctl --assess --type install --context context:primary-signature -vvv $< || \
+	spctl --assess --type execute --context context:primary-signature -vvv $< || \
+	spctl --assess --type open    --context context:primary-signature -vvv $< || \
+	spctl --assess --type install  -vvv $< || \
+	spctl --assess --type execute  -vvv $< || \
+	spctl --assess --type open     -vvv $<
+
+
+
+# Notarize the .dmg, unless we've already uploaded it and have a RequestUUID
 dist/SLIP39-$(VERSION).dmg.notarization: dist/SLIP39-$(VERSION).dmg
 	jq -r '.["notarization-upload"]["RequestUUID"]' $@ 2>/dev/null \
 	|| xcrun altool --notarize-app -f $< \
@@ -107,14 +131,14 @@ dist/SLIP39-$(VERSION).dmg.notarization: dist/SLIP39-$(VERSION).dmg
 dist/SLIP39-$(VERSION).dmg.notarization-status: dist/SLIP39-$(VERSION).dmg.notarization FORCE
 	[ -s $@ ] && grep "Status: success" $@ \
 	    || xcrun altool \
-		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
-		--notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
-		    | tee -a $@
+		    --apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
+		    --notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
+		        | tee -a $@
 
-# Check notarization status 'til Status: success, then staple it to ...dmg, and create ...dmg.final marker file
+# Check notarization status 'til Status: success, then staple it to ...dmg, and create ...dmg.valid marker file
 dist/SLIP39-$(VERSION).dmg.valid: dist/SLIP39-$(VERSION).dmg.notarization-status FORCE
-	grep "Status: success" $< || \
-	    ( tail -10 $<; echo "\n\n!!! App not yet notarized; cannot produce $@"; false )
+	@grep "Status: success" $< || \
+	    ( tail -10 $<; echo "\n\n!!! App not yet notarized; try again in a few seconds..."; false )
 	( [ -r $@ ] ) \
 	    && ( echo "\n\n*** Notarization complete; refreshing $@" && touch $@ ) \
 	    || ( \
@@ -124,8 +148,11 @@ dist/SLIP39-$(VERSION).dmg.valid: dist/SLIP39-$(VERSION).dmg.notarization-status
 		touch $@ \
 	    )
 
-# macOS ...dmg App Upload: Unless the ...dmg.upload file exists and is non-empty
-dist/SLIP39-$(VERSION).dmg.uploaded: dist/SLIP39-$(VERSION).dmg dist/SLIP39-$(VERSION).dmg.valid FORCE
+# macOS ...dmg App Upload: Unless the ...dmg.upload file exists and is non-empty.
+# o Try either upload-package and upload-app approach
+# o NOTE that --apple-id is NOT your "Apple ID", it is the unique App ID
+# See: https://github.com/fastlane/fastlane/issues/14783
+dist/SLIP39-$(VERSION).dmg.upload-package: dist/SLIP39-$(VERSION).dmg dist/SLIP39-$(VERSION).dmg.valid FORCE
 	[ -s $@ ] || ( \
 	    echo "\n\n*** Uploading the signed DMG file: $<..." && \
 	    echo "*** Verifying notarization stapling..." && xcrun stapler validate $< && \
@@ -134,7 +161,20 @@ dist/SLIP39-$(VERSION).dmg.uploaded: dist/SLIP39-$(VERSION).dmg dist/SLIP39-$(VE
 	    xcrun altool --upload-package $< \
 		--type macos \
 		--bundle-id $(BUNDLEID) --bundle-version $(VERSION) --bundle-short-version-string $(VERSION) \
-		--apple-id $(APPLEID) --team $(TEAMID) \
+		--apple-id $(APPID) --team $(TEAMID) \
+		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
+		    | tee -a $@ \
+	)
+
+dist/SLIP39-$(VERSION).dmg.upload-app: dist/SLIP39-$(VERSION).dmg dist/SLIP39-$(VERSION).dmg.valid FORCE
+	[ -s $@ ] || ( \
+	    echo "\n\n*** Uploading the signed DMG file: $<..." && \
+	    echo "*** Verifying notarization stapling..." && xcrun stapler validate $< && \
+	    echo "*** Checking signature..." && ./SLIP39.metadata/check-signature $< && \
+	    echo "*** Upload starting for $<..." && \
+	    xcrun altool --upload-app -f $< \
+		--type macos \
+		--primary-bundle-id $(BUNDLEID) \
 		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
 		    | tee -a $@ \
 	)
@@ -145,57 +185,42 @@ dist/SLIP39-$(VERSION).dmg.uploaded: dist/SLIP39-$(VERSION).dmg dist/SLIP39-$(VE
 #   - Nope: "...An installer signing identity (not an application signing identity) is required for signing flat-style products."
 # See: https://lessons.livecode.com/m/4071/l/876834-signing-and-uploading-apps-to-the-mac-app-store
 # o Need ... --product <path-to-app-bundle-Info.plist>
+# According to this article, a "Developer ID Installer:..." signing key is required:
+# See: https://forums.ivanti.com/s/article/Obtaining-an-Apple-Developer-ID-Certificate-for-macOS-Provisioning?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1
 # 
-dist/SLIP39-$(VERSION).pkg:	dist/SLIP39.app		\
-				dist/SLIP39.app-signed
+dist/SLIP39-$(VERSION).pkg:	dist/SLIP39.app
 	productbuild --sign "$(PKGID)" --timestamp \
 	    --identifier "$(BUNDLEID).pkg" \
 	    --version $(VERSION) \
 	    --component $< /Applications \
 	    $@
-	xcrun altool --validate-app -f $@ -t osx --apiKey $(APIKEY) --apiIssuer $(APIISSUER)
 
-dist/SLIP39.pkg:		dist/SLIP39.app # dist/SLIP39.app-signed
-	@echo "Checking signature..."; ./SLIP39.metadata/check-signature $<
-	productbuild --sign "$(PKGID)" --timestamp \
-	    --identifier "$(BUNDLEID).pkg" \
-	    --version $(VERSION) \
-	    --component $< /Applications \
-	    $@
-	xcrun altool --validate-app -f $@ -t osx --apiKey $(APIKEY) --apiIssuer $(APIISSUER)
 
-.PHONY: dist/SLIP39.pkg-verify
-dist/SLIP39.pkg-verify: dist/SLIP39.pkg
+# Confirm that the .pkg is signed w/ the correct certificates.
+# See: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
+# Not these:
+# spctl --assess --type install --context context:primary-signature -vvv $< || \
+# spctl --assess --type execute --context context:primary-signature -vvv $< || \
+# spctl --assess --type open    --context context:primary-signature -vvv $< || \
+# spctl --assess --type install  -vvv $< || \
+# spctl --assess --type execute  -vvv $< || \
+# spctl --assess --type open     -vvv $< || true
+
+# Wrong:
+# o The developer.apple.com/documentation is wrong; it is directly in conflict with the error
+#   messages returned, demanding the 3rd Party Installer signing key
+
+.PHONY: dist/SLIP39-$(VERSION).pkg-verify
+dist/SLIP39-$(VERSION).pkg-verify: dist/SLIP39-$(VERSION).pkg
 	@echo "\n\n*** Verifying signing of $<..."
-	#codesign --verify -v $< \
-	#    || ( echo "!!! Unable to verify codesign: "; codesign --verify -vv $<; false )
-	spctl --assess --type install --context context:primary-signature -vvv $< || \
-	spctl --assess --type execute --context context:primary-signature -vvv $< || \
-	spctl --assess --type open    --context context:primary-signature -vvv $< || \
-	spctl --assess --type install  -vvv $< || \
-	spctl --assess --type execute  -vvv $< || \
-	spctl --assess --type open     -vvv $<
-
-
-# 
-# Sign the pkg with the Installer ID, if not already done.
-#  
-# o doesn't work -- notarization complains:  "The binary is not signed with a valid Developer ID certificate."
-# 
-dist/SLIP39-signed.pkg:  dist/SLIP39.pkg FORCE
-	@echo "\n\n*** Signing $<..."
-	productsign --timestamp --sign "$(PKGID)" $< $@
-
+	pkgutil --check-signature $< | grep "Signed with a trusted timestamp"
+	#pkgutil --check-signature $< | grep "1. Developer ID Installer:"
 
 #
 # macOS Package Notarization
-# See: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
 # See: https://oozou.com/blog/scripting-notarization-for-macos-app-distribution-38
 # o The .pkg version doesn't work due to incorrect signing keys for the .pkg (unknown reason)
-# o The .zip version works, but the notarization cannot be stapled to the zip;
-#   - We have to receive notification that the SLIP39.zip.notarization-status Status: success
-#   - Then, re-package the zip and 
-dist/SLIP39.pkg.notarization: dist/SLIP39.pkg
+dist/SLIP39-$(VERSION).pkg.notarization: dist/SLIP39-$(VERSION).pkg dist/SLIP39-$(VERSION).pkg-verify
 	jq -r '.["notarization-upload"]["RequestUUID"]' $@ 2>/dev/null \
 	|| xcrun altool --notarize-app -f $< \
 	    --primary-bundle-id $(BUNDLEID) \
@@ -204,13 +229,63 @@ dist/SLIP39.pkg.notarization: dist/SLIP39.pkg
 	    --output-format json \
 		> $@
 
-dist/SLIP39.pkg.notarization-status:  dist/SLIP39.pkg.notarization FORCE
-	xcrun altool \
-	    --apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
-	    --notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
-		| tee -a $@
+dist/SLIP39-$(VERSION).pkg.notarization-status: dist/SLIP39-$(VERSION).pkg.notarization FORCE
+	[ -s $@ ] && grep "Status: success" $@ \
+	    || xcrun altool \
+		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
+		--notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
+		    | tee -a $@
+
+# Check notarization status 'til Status: success, then staple it to ...pkg, and create ...pkg.valid marker file
+dist/SLIP39-$(VERSION).pkg.valid: dist/SLIP39-$(VERSION).pkg.notarization-status FORCE
+	@grep "Status: success" $< || \
+	    ( tail -10 $<; echo "\n\n!!! App not yet notarized; try again in a few seconds..."; false )
+	( [ -r $@ ] ) \
+	    && ( echo "\n\n*** Notarization complete; refreshing $@" && touch $@ ) \
+	    || ( \
+		xcrun stapler staple   dist/SLIP39-$(VERSION).pkg && \
+		xcrun stapler validate dist/SLIP39-$(VERSION).pkg && \
+	        echo "\n\n*** Notarization attached to $@" && \
+		touch $@ \
+	    )
+
+# macOS ...pkg App Upload: Unless the ...dmg.upload file exists and is non-empty.
+# o Could also use Transporter
+# o Try either upload-package and upload-app approach
+# o NOTE that --apple-id is NOT your "Apple ID", it is the unique App ID (see above)
+dist/SLIP39-$(VERSION).pkg.upload-package: dist/SLIP39-$(VERSION).pkg dist/SLIP39-$(VERSION).pkg.valid FORCE
+	[ -s $@ ] || ( \
+	    echo "\n\n*** Uploading the signed PKG file: $<..." && \
+	    echo "*** Verifying notarization stapling..." && xcrun stapler validate $< && \
+	    echo "*** Checking signature..." && ./SLIP39.metadata/check-signature $< && \
+	    echo "*** Upload starting for $<..." && \
+	    xcrun altool --upload-package $< \
+		--type macos \
+		--bundle-id $(BUNDLEID) --bundle-version $(VERSION) --bundle-short-version-string $(VERSION) \
+		--apple-id $(APPID) --team $(TEAMID) \
+		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
+		    | tee -a $@ \
+	)
+
 
-dist/SLIP39.zip.notarization: dist/SLIP39.zip
+
+# 
+# Build the macOS App, and Package the macOS App as a Zip file for Notarization
+# 
+# o Create a ZIP archive suitable for notarization.
+# 
+dist/SLIP39-$(VERSION).zip:	dist/SLIP39.app
+	@echo "\n\n*** Creating and signing DMG $@..."
+	@echo "Checking signature..." && ./SLIP39.metadata/check-signature $<
+	codesign --verify $<
+	codesign -dv -r- $<
+	codesign -vv $<
+	rm -f $@
+	/usr/bin/ditto -c -k --keepParent "$<" "$@"
+	@ls -last dist
+
+# Upload and notarize the .zip, unless we've already uploaded it and have a RequestUUID
+dist/SLIP39-$(VERSION).zip.notarization: dist/SLIP39-$(VERSION).zip
 	jq -r '.["notarization-upload"]["RequestUUID"]' $@ 2>/dev/null \
 	|| xcrun altool --notarize-app -f $< \
 	    --primary-bundle-id $(BUNDLEID) \
@@ -219,48 +294,63 @@ dist/SLIP39.zip.notarization: dist/SLIP39.zip
 	    --output-format json \
 		> $@
 
-dist/SLIP39.zip.notarization-status:  dist/SLIP39.zip.notarization FORCE
+# Refresh the ...zip.notariation-status, unless it is already "Status: success"
+dist/SLIP39-$(VERSION).zip.notarization-status:  dist/SLIP39-$(VERSION).zip.notarization FORCE
+	[ -s $@ ] && grep "Status: success" $@ \
+	    || xcrun altool \
+		--apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
+		--notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
+		    | tee -a $@
+
 
-	xcrun altool \
+# Check notarization status 'til Status: success, then mark the ...zip.valid
+# o We can't staple anything to a zip, but the contained app will now pass Gateway
+#   on the client system, b/c it will check w/ Apple's servers that the app was notarized.
+dist/SLIP39-$(VERSION).zip.valid: dist/SLIP39-$(VERSION).zip.notarization-status FORCE
+	@grep "Status: success" $< || \
+	    ( tail -10 $<; echo "\n\n!!! App not yet notarized; try again in a few seconds..."; false )
+	@echo "\n\n*** Notarization complete; refreshing $@" \
+	    && touch $@
+
+# Submit App Zip w/o notarization stapled.
+# o Doesn't work; same "Unsupported toolchain." error as ...-notarized.zip.upload
+dist/SLIP39-$(VERSION).zip.upload-package: dist/SLIP39-$(VERSION).zip dist/SLIP39-$(VERSION).zip.valid FORCE
+	[ -s $@ ] || xcrun altool --upload-package $< \
+	    --type macos \
+	    --bundle-id $(BUNDLEID) --bundle-version $(VERSION) --bundle-short-version-string $(VERSION) \
+	    --apple-id $(APPID) \
 	    --apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
-	    --notarization-info $$( jq -r '.["notarization-upload"]["RequestUUID"]' $< ) \
 		| tee -a $@
 
-dist/SLIP39-$(VERSION)-final.zip: dist/SLIP39.zip.notarization-status
-	grep "Status: success" $< || \
-	    ( tail -10 $<; echo "\n\n!!! App not yet notarized; cannot produce $@"; false )
+# Check notarization status 'til Status: success, then staple it to ...app, and create ...-notarized.zip
+# o The .zip version works, but the notarization cannot be stapled to the zip;
+#   - It should usually be checked via Gatekeeper, by the recipient of the App in the .zip
+#   - We have to receive notification that the SLIP39.zip.notarization-status Status: success
+#   - So, once we confirm notarization, just submit/publish the original .zip file
+# o For other purposes (eg. just for manual installation), we can package the Notarized app
+dist/SLIP39-$(VERSION)-notarized.zip: dist/SLIP39-$(VERSION).app dist/SLIP39-$(VERSION).zip.valid
 	( [ -r $@ ] ) \
 	    && ( echo "\n\n*** Notarization compete; not re-generating $@"; true ) \
 	    || ( \
-		xcrun stapler staple   dist/SLIP39.app; \
-		xcrun stapler validate dist/SLIP39.app; \
-	        echo "\n\n*** Notarization attached; creating $@"; \
-		/usr/bin/ditto -c -k --keepParent "dist/SLIP39.app" "$@"; \
+		xcrun stapler staple   $<; \
+		xcrun stapler validate $<; \
+	        echo "\n\n*** Notarization attached to $<; creating $@"; \
+		/usr/bin/ditto -c -k --keepParent "$<" "$@"; \
 		ls -last dist; \
 	    )
-# 
-# macOS App Upload: Unless the ...zip.upload file exists and is non-zero
-# 
-dist/SLIP39-$(VERSION)-final.zip.upload: dist/SLIP39-$(VERSION)-final.zip FORCE
+
+# macOS ...zip App Upload: Unless the ...zip.upload file exists and is non-zero
+# o I don't think it is possible to construct, notarize and submit an App for the macOS store via Zip
+#   - We can't staple the notarization onto it.  Must use a .pkg or .dmg...
+# *** Error: Error uploading 'dist/SLIP39-6.6.4-notarized.zip'.
+# *** Error: Unsupported toolchain. Packages submitted to the App Store must be created either through Xcode, or using the productbuild[1] tool, as described in "Submitting your Mac apps to the App Store." Packages created by other tools, including PackageMaker, are not acceptable. [SIS] With error code STATE_ERROR.VALIDATION_ERROR.90270 for id 39784451-3843-428b-97ec-37c1b196ca35 Asset validation failed (-19208)
+dist/SLIP39-$(VERSION)-notarized.zip.upload: dist/SLIP39-$(VERSION)-notarized.zip FORCE
 	[ -s $@ ] || xcrun altool --upload-package $< \
 	    --type macos \
 	    --bundle-id $(BUNDLEID) --bundle-version $(VERSION) --bundle-short-version-string $(VERSION) \
-	    --apple-id $(APPLEID) \
+	    --apple-id $(APPID) \
 	    --apiKey $(APIKEY) --apiIssuer $(APIISSUER) \
 		| tee -a $@
-# 
-# Package the macOS App as a Zip file for Notarization
-# 
-# o Create a ZIP archive suitable for notarization.
-# 
-dist/SLIP39.zip:		dist/SLIP39.app
-	echo "Checking signature..."; ./SLIP39.metadata/check-signature $<
-	codesign --verify $<
-	codesign -dv -r- $<
-	codesign -vv $<
-	rm -f $@
-	/usr/bin/ditto -c -k --keepParent "$<" "$@"
-	@ls -last dist
 
 
 #
@@ -346,6 +436,7 @@ dist/SLIP39.app: 		SLIP39.spec		\
 #    +             version='6.4.1',
 #    +             info_plist={
 #    +                 'CFBundleVersion':'6.4.1',
+#    +                 'CFBundlePackageType':'APPL',
 #    +                 'LSApplicationCategoryType':'public.app-category.utilities',
 #    +                 'LSMinimumSystemVersion':'10.15.0',
 #    +             })
diff --git a/SLIP39.spec b/SLIP39.spec
@@ -49,9 +49,10 @@ coll = COLLECT(exe,
 app = BUNDLE(coll,
              name='SLIP39.app',
              icon='images/SLIP39.icns',
-             version='6.6.2',
+             version='6.7.1',
              info_plist={
-                 'CFBundleVersion':'6.6.2',
+                 'CFBundleVersion':'6.7.1',
+                 'CFBundlePackageType':'APPL',
                  'LSApplicationCategoryType':'public.app-category.finance',
                  'LSMinimumSystemVersion':'10.15.0',
              },
diff --git a/slip39/version.py b/slip39/version.py
@@ -1,2 +1,2 @@
-__version_info__		= ( 6, 6, 2 )
+__version_info__		= ( 6, 7, 1 )
 __version__			= '.'.join( map( str, __version_info__ ))

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-__version_info__ = ( 6, 6, 2 )`
	`1`	`+__version_info__ = ( 6, 7, 1 )`
`2`	`2`	`__version__ = '.'.join( map( str, __version_info__ ))`