Apple notarization failure on releases - error 1048 #2271

Closed
BethGriggs opened this issue Apr 7, 2020 · 3 comments

Noticed while running release builds of v10.20.0 (nodejs/node#31984) - some discussion in that PR.

Seen on:

20:13:53 2020-04-07T12:13:27.846-0700 [INFO]  notarize: notarization submission complete: output="<?xml version="1.0" encoding="UTF-8"?>
20:13:53 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
20:13:53 <plist version="1.0">
20:13:53 <dict>
20:13:53 	<key>os-version</key>
20:13:53 	<string>10.15.1</string>
20:13:53 	<key>product-errors</key>
20:13:53 	<array>
20:13:53 		<dict>
20:13:53 			<key>code</key>
20:13:53 			<integer>1048</integer>
20:13:53 			<key>message</key>
20:13:53 			<string>You must first sign the relevant contracts online. (1048)</string>
20:13:53 			<key>userInfo</key>
20:13:53 			<dict>
20:13:53 				<key>NSLocalizedDescription</key>
20:13:53 				<string>You must first sign the relevant contracts online. (1048)</string>
20:13:53 				<key>NSLocalizedFailureReason</key>
20:13:53 				<string>You must first sign the relevant contracts online. (1048)</string>
20:13:53 				<key>NSLocalizedRecoverySuggestion</key>
20:13:53 				<string>You must first sign the relevant contracts online. (1048)</string>
20:13:53 			</dict>
20:13:53 		</dict>
20:13:53 	</array>
20:13:53 	<key>tool-path</key>
20:13:53 	<string>/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework</string>
20:13:53 	<key>tool-version</key>
20:13:53 	<string>4.00.1181</string>
20:13:53 </dict>
20:13:53 </plist>
20:13:53 " err="exit status 24"
20:13:53     Error notarizing
20:13:53 
20:13:53 ❗️ Error notarizing:
20:13:53 
20:13:53 1 error occurred:
20:13:53 	* 1 error occurred:
20:13:53 	* You must first sign the relevant contracts online. (1048) (1048)

mhdawson commented Apr 7, 2020

I did log into our Apple developer account, and from the message only the account holder can accept. Rod had tried to give more of us access but the 2fa that Apple has in place makes this more difficult than if they used standard 2fa processes/technologies. At this point we'll have to wait.


mhdawson commented Apr 7, 2020

Sync'd with @rvagg and he's accepted the licence and set me up so that I should be able to get in next time. I'm waiting for some sort of timeout as I accidentally hit hangup instead of answer and Apple tells me I have to wait until later so I'll try to validate I have access in an hour.


rvagg commented Apr 8, 2020

OK, here's my report @nodejs/build, hopefully this bit of knowledge-sharing is helpful context cause this stuff is way too complicated to be kept inside one or two heads.

Apple's developer system is broken for organisations. It might be nice for individual developers but it's a pain in the backside for organisations where you have teams. Previously, we had a single developer account which we used to make certificates to sign binaries. It was a little bit painful to get the Foundation staff to pay for it with their credit card but we have the authentication (I think there was an SMS 2fa in place even then). This year, we have multiple hurdles, here's some of what's going on:

  • Signing certificates needed to be renewed when I started this notarization journey, so we've had to jump through the same hoops as before, but that's all good now and we have an active account. Brian from the Foundation with a CC should even have team access through his Apple ID and may be able to handle renewal when it comes up, but I bet it'll need to be the primary account holder, so who really knows, we'll find out in a year.
  • Notarization requires different kinds of access, we've had to make a special key for the notarization process to use but it does it through [email protected], which is nice. But build@ is just one member of the "team".
  • [email protected] has been the primary account holder forever (this is not used for personal things, it's exclusively for Build related things so it could easily be taken by someone with permission to reset iojs.org email aliases, btw), I've not been brave enough to try and reassign that for fear it might reset certificates or identifiers. While this was broken today I went ahead and just did it and now [email protected] is the primary account holder.
  • Apple still requires you have an individual owning an account, that's how Apple IDs work, so [email protected] has my name, I think I even had to verify who I was for it to work. Yay Apple.
  • Apple has rolled their own 2fa, as is Apple's way. Their preferred way is that you're signed in with that Apple ID on one of your devices and you get a special popup on your phone or computer with a 2fa code to enter when you try to login. If you're signed in on something, it'll try that way. So if anyone signs in with [email protected] on their Apple device or in iCloud on their laptop so they can do things through Xcode (you can do basic certificate management through Xcode this way), then 2fa will shunt through that. They also allow you to enter phone numbers to SMS or call. Mine is in build@ and rvagg@ and if you're not logged in on a device it'll let you send an SMS. There is no other way, Apple really doesn't want you sharing accounts, but it makes it difficult if you don't, as we've seen today.
  • I've tried to sync with Michael to get him into the 2fa for build@ when I sorted this out a month or so ago for notarization, but our timezones are perfectly opposite for work-hours so we've had difficulty getting it right. Then we kind of forgot about it until today again! SMS didn't work to his numbers, so he's had to use the "phone me" option, which works, and he's good to go now. Now when you log in to build@ you get to choose between our numbers to get your code .. as long as nobody is logged in on a device.
  • This licence agreement thing is totally new and out of the blue! I don't recall seeing an email about it, and I haven't seen emails about failed notarizations (nightlies and others) in the last couple of days, although they're usually happy to spam us with emails about successful notarizations. Apple have decided that they wanted to force everyone to sign this new agreement before allowing notarizations through, but it can only be signed by the primary account! None of the sub-accounts of the team could do it. It's done now, but this is a terrible process that we currently have no means of receiving notifications for--I don't want to be bombarded with emails every day of failed nightly and v8-canary builds, they fail all the time on various platforms for various reasons that are not critical.

Also, I got to see what a delayed notarization looked like today after re-running 10.20.0. It took 53 minutes to build, with it ticking over saying "notarization successful" but not letting it proceed to the next step. Apparently this can be normal and sometimes take multiple hours.
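
Added example, not part of the thread and not the Node.js build tooling: one way to get notified about this class of failure without mail for every failed nightly is to parse the `product-errors` plist out of the console log and alert only on account-level codes. The sample log is abridged from the one quoted in this issue; `triage`, `ACCOUNT_LEVEL_CODES` and the action labels are hypothetical names, and treating 1048 as the only account-level code is an assumption based on this issue alone.

```python
import plistlib
import re

# Constructed sample: abridged from the Jenkins console output quoted in this issue.
SAMPLE_LOG = """\
20:13:53 2020-04-07T12:13:27.846-0700 [INFO]  notarize: notarization submission complete: output="<?xml version="1.0" encoding="UTF-8"?>
20:13:53 <plist version="1.0">
20:13:53 <dict>
20:13:53   <key>product-errors</key>
20:13:53   <array>
20:13:53     <dict>
20:13:53       <key>code</key>
20:13:53       <integer>1048</integer>
20:13:53       <key>message</key>
20:13:53       <string>You must first sign the relevant contracts online. (1048)</string>
20:13:53     </dict>
20:13:53   </array>
20:13:53 </dict>
20:13:53 </plist>
20:13:53 " err="exit status 24"
"""

# Assumption: 1048 (seen in this issue) needs the primary account holder; extend as needed.
ACCOUNT_LEVEL_CODES = {1048}
TS_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2} ?")  # Jenkins timestamp on each console line

def extract_plist(console_text):
    """Strip console timestamps and parse the XML plist embedded in the log, if any."""
    body = "\n".join(TS_PREFIX.sub("", ln) for ln in console_text.splitlines())
    start, end = body.find("<?xml"), body.find("</plist>")
    if start == -1 or end < start:
        return None
    return plistlib.loads(body[start:end + len("</plist>")].encode("utf-8"))

def triage(console_text):
    """Return 'alert' for account-level notarization errors, 'log-only' otherwise."""
    plist = extract_plist(console_text)
    errors = (plist or {}).get("product-errors", [])
    codes = [e.get("code") for e in errors]
    if any(c in ACCOUNT_LEVEL_CODES for c in codes):
        action = "alert"      # a human with primary-account access must act
    else:
        action = "log-only"   # ordinary build failure or no notarization output
    return {"action": action, "codes": codes,
            "messages": [e.get("message", "") for e in errors]}
```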
