Apple Codesign 0.17.0

@indygreg indygreg released this 08 Aug 04:38

The apple-codesign project has moved to https://github.com/indygreg/apple-platform-rs. This is the final release to be published from the PyOxidizer repository. All future releases can be found at https://github.com/indygreg/apple-platform-rs/releases.

Release Info

Changelog

  • Major feature: Notarization is now implemented in Rust and no longer
    requires Apple's Transporter application. Going forward, you only need
    the rcodesign executable (or this crate embedded as a library) and an
    App Store Connect API Key to notarize. Major thanks to Robin Lambertz
    (@roblabla) for contributing the bulk of the implementation in #593.
  • As a result of native notarization, integration with Apple's Transporter
    has been removed. The find-transporter command has been removed. Rust
    APIs related to Transporter, the app metadata XML format it used, and App
    Store Connect APIs previously used have been removed.
  • As a result of native notarization, UI and implementation details of
    notarization have changed. The output when uploading assets is much more
    concise. Before, code existed to normalize uploaded assets to a data format
    required by Transporter. As a side-effect, assets were somewhat validated
    locally before upload. In the new world, minimal checks are performed locally.
    This can result in errors (such as attempting to upload an asset without a
    code signature) occurring later than they did previously.
  • A new encode-app-store-connect-api-key command can be used to encode an
    App Store Connect API Key in a single JSON object. These keys are used for
    notarization and having all the API Key metadata in a single file / JSON
    blob means you have 1 entity to define your App Store Connect API Key instead
    of 3, making UI simpler.
  • The notarize command has been renamed to notary-submit. This follows
    the terminology of Apple's notarytool and mimics the nomenclature used
    by the Notary API. The old notarize command is an alias to
    notary-submit.
  • The notary-submit command now has an --api-key-path argument defining the
    path to a JSON file containing the unified App Store Connect API Key emitted
    by the encode-app-store-connect-api-key command. We recommend using this
    method for specifying the API Key going forward, as it is simpler. The old
    method was required for use with Apple's Transporter application, which we
    no longer use, so we are no longer bound by its requirements. The old method
    will likely be dropped in a future release.
  • A new notary-wait command can be used to wait on a previous notary
    submission to complete and to view its log info. This command can be useful if
    notary-submit times out or otherwise fails and you want to query the
    status of a previous notarization.
  • A new notary-log command will fetch the notarization log of a previous
    submission from the Notary API server.
  • Fixed signing of Mach-O binaries having a gap between segments. (This is known
    to commonly occur in Go binaries.) In previous versions, we would compute
    digests of the file incorrectly and would encounter an assertion when copying
    Mach-O data to the output binary. Both of these issues should now be fixed.
    (#588 and #616)
  • minicbor crate upgraded from version 0.15. This created API differences in
    remote signing code.
  • The APIs around Mach-O file parsing have been significantly overhauled. It
    is probably best to diff the macho module to see the full differences.
    There are now MachFile and MachOBinary types serving as interfaces
    to custom Mach-O functionality. Most code interfacing with a Mach-O file now
    uses these types. The AppleSignable trait has been deleted as it is no
    longer needed since we have the dedicated MachOBinary type.
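
Added example (not part of the release notes or of the apple-codesign code base): the changelog notes that minimal checks are now performed locally, so an asset without a code signature is only rejected later. The sketch below is one way to catch that case before upload for a single thin, little-endian Mach-O file, by looking for the LC_CODE_SIGNATURE load command. The function names and the sample bytes are hypothetical and constructed for illustration; presence of the load command does not prove the signature is valid, and fat binaries, bundles and disk images are not handled.

```rust
const MH_MAGIC: u32 = 0xfeed_face; // 32-bit Mach-O
const MH_MAGIC_64: u32 = 0xfeed_facf; // 64-bit Mach-O
const LC_CODE_SIGNATURE: u32 = 0x1d;
const LC_SOURCE_VERSION: u32 = 0x2a; // used only by the constructed sample

fn u32_at(data: &[u8], off: usize) -> Option<u32> {
    let b = data.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Ok(true) if an LC_CODE_SIGNATURE load command is present, Ok(false) if not,
/// Err if the bytes are not a well-formed thin little-endian Mach-O.
pub fn has_code_signature(data: &[u8]) -> Result<bool, &'static str> {
    let header_len: usize = match u32_at(data, 0).ok_or("truncated header")? {
        MH_MAGIC => 28,
        MH_MAGIC_64 => 32,
        _ => return Err("not a thin little-endian Mach-O"),
    };
    let ncmds = u32_at(data, 16).ok_or("truncated header")?;
    let sizeofcmds = u32_at(data, 20).ok_or("truncated header")? as usize;
    let end = header_len.checked_add(sizeofcmds).ok_or("size overflow")?;
    if end > data.len() {
        return Err("load commands exceed file size");
    }
    let mut off = header_len;
    for _ in 0..ncmds {
        let cmd = u32_at(data, off).ok_or("truncated load command")?;
        let size = u32_at(data, off + 4).ok_or("truncated load command")? as usize;
        if size < 8 || size > end.saturating_sub(off) {
            return Err("bad load command size");
        }
        if cmd == LC_CODE_SIGNATURE {
            return Ok(true);
        }
        off += size;
    }
    Ok(false)
}

/// Constructed sample: 64-bit header plus one 16-byte load command, no real code.
fn sample(cmd: u32) -> Vec<u8> {
    let words = [MH_MAGIC_64, 0x0100_000c, 0, 2, 1, 16, 0, 0, cmd, 16, 0, 0];
    words.iter().flat_map(|w| w.to_le_bytes()).collect()
}

fn main() {
    println!("signed: {:?}", has_code_signature(&sample(LC_CODE_SIGNATURE)));
    println!("unsigned: {:?}", has_code_signature(&sample(LC_SOURCE_VERSION)));
}
```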