Fix MacOS Notarization #35080
Merged
Fix MacOS Notarization #35080
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We need to individually sign each Mach-O file independently, otherwise notarization bails. Note that you must sign the overall `.app` after each individual file is signed. I've also added more Entitlements. I've gone for a "gentle shotgun" approach, turning on everything that I think we could reasonably want. I wait expectantly for someone to complain that they need Location access turned on for some package. ;)
|
Do we know what entitlements e.g. Python asks for? |
|
The python launcher itself asks for the following two: The first so that it can load unsigned libraries (which we'd need as well) and the second I assume for some kind of JIT behavior. |
|
All right, let's go with this for now then. |
staticfloat
deleted the
sf/notarization_part_two_return_of_the_aftermath
branch
ravibitsgoa
pushed a commit
to ravibitsgoa/julia
that referenced
this pull request
Apr 9, 2020
We need to individually sign each Mach-O file independently, otherwise notarization bails. Note that you must sign the overall `.app` after each individual file is signed. I've also added more Entitlements. I've gone for a "gentle shotgun" approach, turning on everything that I think we could reasonably want. I wait expectantly for someone to complain that they need Location access turned on for some package. ;)
KristofferC
pushed a commit
that referenced
this pull request
Apr 11, 2020
We need to individually sign each Mach-O file independently, otherwise notarization bails. Note that you must sign the overall `.app` after each individual file is signed. I've also added more Entitlements. I've gone for a "gentle shotgun" approach, turning on everything that I think we could reasonably want. I wait expectantly for someone to complain that they need Location access turned on for some package. ;)
|
This should be backported in case we ever do a 1.4.2 |
KristofferC
pushed a commit
that referenced
this pull request
May 10, 2020
We need to individually sign each Mach-O file independently, otherwise notarization bails. Note that you must sign the overall `.app` after each individual file is signed. I've also added more Entitlements. I've gone for a "gentle shotgun" approach, turning on everything that I think we could reasonably want. I wait expectantly for someone to complain that they need Location access turned on for some package. ;) (cherry picked from commit 418f111)
14 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We need to individually sign each Mach-O file independently, otherwise notarization bails. Note that you must sign the overall
.appafter each individual file is signed.I've also added more Entitlements. I've gone for a "gentle shotgun" approach, turning on everything that I think we could reasonably want. I wait expectantly for someone to complain that they need Location access turned on for some package. ;)