Old 06-21-2019, 08:10 AM   #1
KevinH
Wizard
Notarizing App for macOS Catalina

Hi Kovid,
I assume you have received the same emails from Apple Developer Relations about the need to submit your app to Apple to be "notarized". One version just notarizes an app as is while another requires you to relink with their new secure runtime and add info on what types of access are approved (files, folders, features, etc.) and to get back a ticket to "staple" to your signed app.

The entire process seems to rely on using Xcode and I cannot find docs for simple command-line tools (yet) so that the process can be automated. I am a bit leery of giving Apple approval power over my app. I have been signing code long enough that these do not immediately affect Sigil but they will eventually.

What are your thoughts and plans for Calibre in this regard?

Thanks,

KevinH
Old 06-21-2019, 08:35 AM   #2
kovidgoyal
creator of calibre
I haven't received the emails, but I am aware of notarization. I have been signing calibre for several years now, so at least to start with, it should be fine. I am actually in the process of updating calibre's build pipeline, so on macOS it now builds on Mojave, which I think is a pre-requisite for getting notarization to work.

I too do not like giving Apple any kind of "approval" over calibre. They suffer from extreme naivety if they think that they can successfully detect malware in an automated fashion. Probably just a trojan horse for extending more control over third party software.

That said, in the long term I don't really see an alternative, if you want to continue using their platform, you will have to play by their rules. macOS users are ~15% of calibre users, so I don't feel comfortable just abandoning them. At least to start with I plan to continue without notarizing and see how the situation evolves, let other people figure out how to notarize in an automated fashion. Automated signing via ssh is already unnecessarily difficult, so I doubt notarization will be straightforward. This is code needed to get automated signing via ssh to work, absurdly complex: https://github.com/kovidgoyal/calibr...os/sign.py#L29

I am definitely not using their "secure runtime". It is completely unsuited to an application of calibre's power and complexity.
Old 06-21-2019, 08:57 AM   #3
KevinH
Wizard
I think that is a good plan. I will keep paying my $100 to keep my developer id and keep signing but not notarize until it is actually an issue and people have figured out how to automate the process via command line tools.

Thanks,

KevinH
Old 06-21-2019, 11:01 AM   #4
kovidgoyal
creator of calibre
Just FYI you don't need to pay $100 every year, only in the year you need to renew the certificate.
Old 06-21-2019, 11:07 AM   #5
KevinH
Wizard
They automatically charge me a renewal fee direct to my credit card each year in February. I will look into that.
Old 06-29-2019, 09:42 PM   #6
kovidgoyal
creator of calibre
Here is code to notarize via command line:

https://blog.zeplin.io/dev-journal-a...s-94b0b144ba9d

The process seems not too bad, however, the main problem is the indeterminate amount of time one needs to wait for notarization to complete. This is going to make automated building unnecessarily slow.
Old 06-29-2019, 09:50 PM   #7
kovidgoyal
creator of calibre
According to this, notarization time is typically between 2 and 24 mins https://eclecticlight.co/2019/06/29/...ions-analysed/

except when the service goes down, which will likely happen a lot more once notarization becomes compulsory and therefore more heavily used.
Old 06-29-2019, 09:55 PM   #8
KevinH
Wizard
Thanks for the link. The problem is, according to the docs on Apple's website, in order to pass notarization in the immediate future you must timestamp and use Apple's hardened runtime with a list of requested exceptions. Things like JIT, access to video, photos, allowing use of dylib load library environment vars, etc.

For that process you need to create an exceptions plist file (or whatever they call it) that needs to somewhere/somehow be included in the build/signing process. I still haven't found the command line docs that talk about these capabilities/exceptions file format and where in the process they are injected.

So it is really the hardened runtime requirement that is giving me issues. Early on they will allow you to notarize legacy builds without the hardened runtime but their website clearly states it is required.
Old 06-29-2019, 10:23 PM   #9
kovidgoyal
creator of calibre
Well yeah, if they require hardened runtime for notarization and require notarization for all apps, then basically macOS is dead in the water.
Old 06-29-2019, 10:56 PM   #10
kovidgoyal
creator of calibre
I looked into the hardened runtime a bit and it looks like most things can be turned off. For example, Firefox is building with it according to this: https://bugzilla.mozilla.org/show_bug.cgi?id=1470597

Here is the Firefox entitlements file:

https://d3kxowhw4s8amj.cloudfront.ne...7a/D27396.diff

Basically looks like adding that entitlements file and calling codesign with it should be all that's needed (and adding the enable hardened runtime flag to Info.plist)

But I have to say, Apple's documentation is horrendous.
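
The step discussed in the post above (an entitlements file handed to codesign with the hardened runtime enabled), as an added example that is not part of the thread and is not calibre's, Sigil's or Firefox's code. The set of exceptions chosen for an app with a JIT-based web view and unsigned plug-ins is an assumption, and the signing identity, paths and function names are placeholders.

```python
import plistlib

# Apple's hardened-runtime exception entitlements, each mapped to what it
# relaxes. Which ones an app really needs is an assumption to test per app.
JIT = "com.apple.security.cs.allow-jit"
UNSIGNED_EXEC_MEM = "com.apple.security.cs.allow-unsigned-executable-memory"
NO_PAGE_PROTECTION = "com.apple.security.cs.disable-executable-page-protection"
DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
NO_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

RELAXES = {
    JIT: "writable+executable memory created with MAP_JIT",
    UNSIGNED_EXEC_MEM: "writable+executable memory without MAP_JIT",
    NO_PAGE_PROTECTION: "all executable-page code signing protection",
    DYLD_ENV: "DYLD_* environment variables can inject libraries",
    NO_LIB_VALIDATION: "loading libraries not signed by Apple or the same team",
}


def entitlements_plist(keys):
    """Return an XML entitlements plist enabling exactly the given exceptions."""
    unknown = sorted(set(keys) - set(RELAXES))
    if unknown:
        raise ValueError("not a hardened-runtime exception: %s" % ", ".join(unknown))
    return plistlib.dumps({k: True for k in keys}, fmt=plistlib.FMT_XML)


def review(plist_bytes):
    """List (key, what it relaxes) for every entitlement set to true."""
    enabled = plistlib.loads(plist_bytes)
    return [(k, RELAXES.get(k, "not a hardened-runtime exception"))
            for k in sorted(enabled) if enabled[k] is True]


def codesign_argv(identity, entitlements_path, target):
    """Build the codesign call; nested code must be signed before its bundle."""
    return [
        "codesign", "--force", "--timestamp",
        "--options", "runtime",               # turn the hardened runtime on
        "--entitlements", entitlements_path,  # the exceptions requested
        "--sign", identity, target,
    ]


if __name__ == "__main__":
    # Assumed set for an app with a JIT-based web view and unsigned plug-ins.
    plist = entitlements_plist([JIT, NO_LIB_VALIDATION])
    print(plist.decode())
    for key, effect in review(plist):
        print("%-55s %s" % (key, effect))
    # Placeholder identity and paths.
    print(" ".join(codesign_argv("Developer ID Application: EXAMPLE",
                                 "entitlements.plist", "Example.app")))
```

Running `review` over an entitlements file before each release shows which protections the signed build gives up, so an exception added during debugging does not ship unnoticed.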
Old 06-29-2019, 11:55 PM   #11
lumpynose
Wizard
Quote:
Originally Posted by KevinH
I will keep paying my $100 to keep my developer id
You have to pay Apple $100 in order to develop apps for the Mac?

What are the fees for developing apps for Windows? I'm guessing you need to buy Visual C# or whatever.

Last edited by lumpynose; 06-29-2019 at 11:57 PM.
Old 06-30-2019, 03:35 AM   #12
kovidgoyal
creator of calibre
Microsoft's compilers have been free for a few years now. There is a "Visual Studio Community Edition" you can use. You do have to pay for authenticode certificates, but you don't pay Microsoft, you pay third party certificate vendors.
Old 06-30-2019, 03:08 PM   #13
KevinH
Wizard
Yes, that should help. At least it shows what an entitlements file needs to look like and which exception setting a webkit/webengine based viewer might need to use, and where it goes in the signing process.

You are right, Apple's Mac developer docs are bad and especially are horrible for anyone wanting to automate the process and not use Xcode.

I am still unsure what exceptions are needed to embed an entire Python 3.7 interpreter inside our app, and how external python modules/packages will be viewed that are not signed, how pure python plugins are treated if not signed, etc. What about python byte code and bytecode caches being written to places inside the app? Their current docs seem set for simple do one thing apps.

Thanks again for the links. They will be a big help.



Quote:
Originally Posted by kovidgoyal
I looked into the hardened runtime a bit and it looks like most things can be turned off. For example, Firefox is building with it according to this: https://bugzilla.mozilla.org/show_bug.cgi?id=1470597

Here is the Firefox entitlements file:

https://d3kxowhw4s8amj.cloudfront.ne...7a/D27396.diff

Basically looks like adding that entitlements file and calling codesign with it should be all that's needed (and adding the enable hardened runtime flag to Info.plist)

But I have to say, Apple's documentation is horrendous.
Old 06-30-2019, 04:15 PM   #14
eschwartz
Ex-Helpdesk Junkie
Why not just declare you need everything possible, just in case?

...

If you're not actually buying into Apple's security guidelines, then your only goal is to shut up the complaints, so you don't actually care if the program is being "too permissive".
Old 06-30-2019, 06:46 PM   #15
KevinH
Wizard
I will take that approach for Sigil's first attempt at notarization and the hardened runtime. If it still interferes with the embedded python interpreter and plugins, then at least I will know Sigil did everything it could.