all: ensure that Go toolchain meets Apple’s notarization requirements [1.12 backport] #35747

Closed
gopherbot opened this issue Nov 21, 2019 · 5 comments
Labels: CherryPickApproved (used during the release process for point releases), FrozenDueToAge

@gopherbot
Contributor

@andybons requested issue #34986 to be considered for backport to the next 1.12 minor release.

@gopherbot please open a backport for 1.12 and 1.13 since otherwise Apple will reject future point releases of those versions

gopherbot added the CherryPickCandidate label Nov 21, 2019
gopherbot added this to the Go1.12.14 milestone Nov 21, 2019
andybons added the CherryPickApproved label and removed the CherryPickCandidate label Nov 21, 2019
@gopherbot
Contributor Author

Change https://golang.org/cl/208220 mentions this issue: [release-branch.go1.12] all: base64-encode binaries that will cause Apple notarization to fail

@gopherbot
Contributor Author

Closed by merging a106f55 to release-branch.go1.12.

gopherbot pushed a commit that referenced this issue Nov 21, 2019
…pple notarization to fail

Starting with macOS 10.15 (Catalina), Apple now requires all software
distributed outside of the App Store to be notarized. Any binaries we
distribute must abide by a strict set of requirements like code-signing
and having a minimum target SDK of 10.9 (amongst others).

Apple’s notarization service will recursively inspect archives looking to
find notarization candidate binaries. If it finds a binary that does not
meet the requirements or is unable to decompress an archive, it will
reject the entire distribution. From cursory testing, it seems that the
service uses content sniffing to determine file types, so changing
the file extension will not work.

There are some binaries and archives included in our distribution that
are being detected by Apple’s service as potential candidates for
notarization or decompression. As these are files used by tests and some
are intentionally invalid, we don’t intend to ever make them compliant.

As a workaround for this, we base64-encode any binaries or archives that
Apple’s notarization service issues a warning for, as these warnings will
become errors in January 2020.

Updates #34986
Updates #35747

Change-Id: I106fbb6227b61eb221755568f047ee11103c1680
Reviewed-on: https://go-review.googlesource.com/c/go/+/208118
Run-TryBot: Andrew Bonventre <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 8bbfc51)
Reviewed-on: https://go-review.googlesource.com/c/go/+/208220
Reviewed-by: Alexander Rakoczy <[email protected]>
@andybons
Member

Notarization is failing due to testdata present in vendored packages in 1.12. Since we moved to go mod vendor in 1.13, which does not include _test.go files or testdata folders, we have to make a 1.12-specific change that will emulate what go mod vendor would have done.

@andybons
Member

Yay #29599

andybons reopened this Nov 21, 2019
@gopherbot
Contributor Author

Change https://golang.org/cl/208227 mentions this issue: [release-branch.go1.12] cmd/vendor: remove _test.go and testdata files

gopherbot pushed a commit that referenced this issue Nov 22, 2019
Binary files included in testdata directories can cause Apple’s
notarization service to reject us since they don’t abide by their
strict requirements.

To emulate go mod vendor, remove all _test.go and testdata files
from the vendor directory and update the instructions.

Updates #34986
Fixes #35747

Change-Id: I5cde905fc78838d2e3b1519dab4aeee13d8d5356
Reviewed-on: https://go-review.googlesource.com/c/go/+/208227
Run-TryBot: Andrew Bonventre <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Alexander Rakoczy <[email protected]>
golang locked and limited conversation to collaborators Nov 20, 2020