[Libreoffice-bugs] [Bug 126409] Notarize LibreOffice builds so that it launches without warnings on macOS 10.15 Catalina

bugzilla-daemon at bugs.documentfoundation.org
Thu May 28 15:04:13 UTC 2020


https://bugs.documentfoundation.org/show_bug.cgi?id=126409

Christian Lohmaier <cloph at documentfoundation.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #56 from Christian Lohmaier <cloph at documentfoundation.org> ---
(In reply to Tor Lillqvist from comment #55)
> But the LibreOffice.app one downloads from TDF is still not notarized, is
> it?

No - all mac builds for 6.3 and later versions you can download from
www.libreoffice.org are notarized. Daily builds created by tinderboxes are not
signed at all and therefore also not notarized.

> So in what way could this bug be seen as resolved?

The question is: why is this still open. And the answer is: mixing of different
stuff.

The problem initially was with Gatekeeper in macOS Catalina: a bug in Catalina's
Gatekeeper, which still claimed that it was not notarized despite it having been
notarized and the command-line tools (spctl, codesign, stapler) all confirming
that.

If you get the message "has been checked by Apple for malware" when opening
(and are able to launch it without going to system settings and set a security
exception or using alt-open to add the exception that way): that is the
end-user visible proof of successful notarization.

Confirmed by multiple persons that gatekeeper in current version of Catalina no
longer (falsely) accuses the App of not being notarized → resolving WFM.

As for stapling the info to the dmg and not the app included in the dmg container:
also expected/as designed:
https://github.com/akeru-inc/xcnotary/issues/3#issuecomment-622022976
> Our general advice here is that you sign everything, from the inside out, and
> then notarise and staple the outermost container. That ticket covers all the
> code included in the container. When Gatekeeper checks the code signature of
> the container, it will ingest the ticket, avoiding the need for a round trip
> to the notary service on first run.

As to the .app folder being modified post-gatekeeper/notarization checks: Those
already have corresponding separate bugs, but those are unrelated to gatekeeper
and notarization. That's only checked on first launch.
