build: add macOS signing entitlements to macdeploy #18171

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:macos_signing_requirements changing 1 files +18 −0
  1. fanquake commented at 1:14 PM on February 18, 2020: member

    This is the entitlements file that could be passed to the codesign tool during macOS notarization. We don't have to be explicit with all of these permissions, as most of them are disabled by default.

    Also related to #18131.

    TODO:

    • Add --options runtime to codesign step.
  2. build: add macOS signing entitlements to macdeploy 3384764d54
  3. fanquake added the label macOS on Feb 18, 2020
  4. fanquake added the label Build system on Feb 18, 2020
  5. fanquake requested review from jonasschnelli on Feb 18, 2020
  6. jonasschnelli commented at 2:33 PM on February 18, 2020: contributor

    Tested and made some custom gitian builds. I manually signed the newest nighly osx unsigned gitian build https://bitcoin.jonasschnelli.ch/gitian/build/15.

    ...changed detached-sig-create.sh and added --options runtime in L26.

    ... manually edited the gitian descriptor gitian-osx-signer.yml to take a local signature-osx.tar.gz file (instead of the git repository).

    ... ran gbuild with the edited descriptor

    ... notarized the spit-out .dmg xcrun altool --notarize-app --primary-bundle-id "org.bitcoinfoundation.Bitcoin-Qt" -u "..." -p "..." --file ~/Desktop/bitcoin-osx-signed.dmg

    xcrun altool --notarization-info e2a5950f-27a8-4ca6-b878-70c2c7f986a5 -u "" -p ""
No errors getting notarization info.

          Date: 2020-02-18 14:24:52 +0000
          Hash: 69f497ed8e390f9d36af0ff62657b34c324ce1b443f517e5e22b28f6a34a648b
    LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma114/v4/dc/3b/0a/dc3b0a04-e739-9613-7e23-dd7d06f35967/developer_log.json?accessKey=1582230400_8858694549230079029_1BoiQHetIfiQRtamwTQJdffO23e%2FsCkehyqyv8VM6C3g%2FMkW%2FoQj%2Bj7pQniQhk4H78U0p5TZRYfK6YvO8stbYx63WZk2%2BF5%2FC67INVY%2FwlCnJo0HKumbkvzIa0DmvEa66ZwHMwNmqyCxAljA01hPcGPJwl0zLBFeXeUpYIeumOw%3D
   RequestUUID: e2a5950f-27a8-4ca6-b878-70c2c7f986a5
        Status: success
   Status Code: 0
Status Message: Package Approved

    summary:

    • I don't think we need the Entitlements.xml (this PR only adds the already existing default values IMO), instead just adding --options runtime to detached-sig-create.sh should be enough.
  7. fanquake commented at 12:40 AM on February 21, 2020: member

    I still like the idea of explicitly passing our entitlements to codesign, however am going to close this in favour of #18187 for now, and we can keep the codesigning discussion there.

  8. fanquake closed this on Feb 21, 2020
  9. DrahtBot locked this on Feb 15, 2022
  10. fanquake deleted the branch on Sep 29, 2022
Contributors
fanquakejonasschnelli


jonasschnelli

Labels
macOSBuild system
Linked (view graph)
#18131 add macOS notarization info to the release process doc#18187 Add macOS notarization (including stapling)
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me