From f38d06fc7053f6d535f79f5999da6de6df6bf5a0 Mon Sep 17 00:00:00 2001 From: David Vartan Date: Fri, 21 May 2021 04:45:32 -0700 Subject: [PATCH] Fetch service response even when succeeded. Optional flag to skip precheck for troubleshooting. --- CHANGELOG.md | 5 +++++ Cargo.toml | 2 +- README.md | 10 ++++++++++ src/main.rs | 6 +++++- src/notarize/run.rs | 34 +++++++++++++++++++++------------- src/util/cli.rs | 4 ++++ 6 files changed, 46 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 866b497..b01fe47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change Log +## [v0.4.8](https://github.com/akeru-inc/xcnotary/releases/tag/v0.4.0) + +* Added `--no-precheck` option for help troubleshooting some code signing scenarios +* Notarization service output is now fetched even in the succcess case, following Apple documentation guidance: "Always check the log file, even if notarization succeeds, because it might contain warnings that you can fix prior to your next submission." + ## [v0.4.0](https://github.com/akeru-inc/xcnotary/releases/tag/v0.4.0) * Added support for .dmg file notarization. [#3](https://github.com/akeru-inc/xcnotary/issues/3) diff --git a/Cargo.toml b/Cargo.toml index b28f2ee..4f963ae 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "xcnotary" -version = "0.4.7" +version = "0.4.8" authors = ["David Vartan "] edition = "2018" license = "MIT OR Apache-2.0" diff --git a/README.md b/README.md index 399c1bc..e50f162 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ xcnotary notarize \ --developer-account \ --developer-password-keychain-item \ [--provider ] + [--no-precheck] ``` Supported inputs: 
@@ -71,6 +72,13 @@ xcrun altool --list-providers -u "$DEVELOPER_ACCOUNT_USERNAME" -p "@keychain:$P - When notarization fails, `xcnotary` will connect to `https://osxapps-ssl.itunes.apple.com/` on port 443 to retrieve the failure log. +### Service response + +Apple [documentation](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow) advises: "Always check the log file, even if notarization succeeds, because it might contain warnings that you can fix prior to your next submission." + +`xcnotary` will fetch and display the notarization service response upon completion. + + # Bundle pre-checks `xcnotary` attempts to check the input for some [common notarization issues](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues) before uploading it to Apple. While not foolproof, these checks may potentially save you minutes waiting for a response only to fail due to an incorrect code signing flag. @@ -86,6 +94,8 @@ When the input is an app bundle, the following checks will be performed: When the input is a *.dmg* or a *.pkg*, only the Developer ID signing check is performed, i.e. the only check that can be performed at the moment without extracting the contents. In your workflow, you may want to run `xcnotary precheck` on your bundle target before packaging it. +In rare cases, it may be helpful to troubleshoot code signing issues directly using the notarization service response. To do so, specify `--no-precheck` when invoking `xcnotary notarize`. + # Building for notarization The following examples set various necessary build flags, such as code signing with a "secure timestamp." diff --git a/src/main.rs b/src/main.rs index 35ab625..80eb3ea 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -29,10 +29,14 @@ fn run() -> Result<(), Box> { password_keychain_item, input_path, provider, + no_precheck, } => { let (path_type, bundle_id) = util::input_path::path_info(&input_path)?; - precheck::run(&input_path, &path_type, false)?; + if !no_precheck { + precheck::run(&input_path, &path_type, false)?; + } + notarize::run( input_path, path_type, diff --git a/src/notarize/run.rs b/src/notarize/run.rs index 1d86285..8d9ccc7 100644 --- a/src/notarize/run.rs +++ b/src/notarize/run.rs @@ -66,7 +66,7 @@ impl NotarizeOp { let pb = progress_bar("Waiting for notarization"); - loop { + let (success, log_url) = loop { std::io::stdout().flush().unwrap(); std::thread::sleep(std::time::Duration::from_secs(5)); @@ -76,29 +76,37 @@ impl NotarizeOp { match info.details.status { NotarizationStatus::InProgress => continue, NotarizationStatus::Success => { - break; + break (true, info.details.logfile_url); } NotarizationStatus::Invalid => { - let log_url = info.details.logfile_url.unwrap(); - - let log_response = reqwest::blocking::get(&log_url).unwrap().text().unwrap(); - - return Err(OperationError::detail( - "Notarization failed. Server response", - &log_response, - ) - .into()); + break (false, info.details.logfile_url); } } - } + }; + + pb.finish(); + let pb = progress_bar("Requesting log file"); + let log_text = reqwest::blocking::get(&log_url.unwrap()) + .unwrap() + .text() + .unwrap(); pb.finish(); + if !success { + return Err(OperationError::detail( + "Notarization failed. Service response:", + &log_text, + ) + .into()); + } + let pb = progress_bar("Stapling"); self.staple()?; pb.finish(); - println!("\n{}", style("Success!").green().bold()); + println!("\n{}", style("Success! Review the service response for additional issues or warnings:").green().bold()); + println!("{}", log_text); Ok(()) } diff --git a/src/util/cli.rs b/src/util/cli.rs index 7542ead..e7c25a2 100644 --- a/src/util/cli.rs +++ b/src/util/cli.rs 
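Review bot: In the src/main.rs hunk, `if !no_precheck { … }` skips the local signing checks without leaving any trace in the output, so a build log cannot show whether a given upload was prechecked. Printing one line on the skip path, e.g. `else { eprintln!("Skipping pre-checks (--no-precheck)"); }`, keeps that visible if the flag stays in a CI script after troubleshooting is over. The enclosing match arm in `run()` continues outside the hunk.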
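Review bot: In the second src/notarize/run.rs hunk, the `log_url.unwrap()` and `get(..).unwrap().text().unwrap()` chain now runs on the success path too, so a missing `logfile_url` or a transient network error panics after the service has accepted the submission and before `self.staple()` runs. The log fetch is better treated as best-effort on success and as a degraded error detail on failure, with `error_for_status()` so that an HTTP error page is not presented as the service response. The URL is used exactly as found in `info.details`; if that value is parsed from tool output (not visible here), it is worth confirming it is `https` and on the host the README documents before requesting it. The body is also written to the terminal verbatim, so filtering control characters before the `println!` would be a cheap guard. The enclosing method starts and ends outside the hunk.

```rust
// … unchanged: polling loop yielding (success, log_url) …
let pb = progress_bar("Requesting log file");
let log_text = log_url
    .ok_or_else(|| String::from("service response carried no log file URL"))
    .and_then(|url| {
        reqwest::blocking::get(&url)
            .and_then(|resp| resp.error_for_status())
            .and_then(|resp| resp.text())
            .map_err(|e| e.to_string())
    });
pb.finish();

if !success {
    let detail = log_text.unwrap_or_else(|e| format!("(log unavailable: {})", e));
    return Err(OperationError::detail("Notarization failed. Service response:", &detail).into());
}

// … unchanged: stapling and the "Success!" line …
match log_text {
    Ok(text) => println!("{}", text),
    Err(e) => eprintln!("Could not fetch the notarization log: {}", e),
}
```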
@@ -30,6 +30,10 @@ pub(crate) enum Args { /// Required if the developer credentials are associated with more than one team. Corresponds to "ProviderShortname" from running `xcrun altool --list-providers` #[structopt(long)] provider: Option, + + /// Skip client-side pre-checks, deferring to notarization service for troubleshooting + #[structopt(long)] + no_precheck: bool, }, }