OK, I have some good news and some bad news...
The good news is that I've successfully signed and notarized the ZIP archive for the macOS self-certification tools. I only needed to make some small changes to the packaging script to a) update the code signing options to reflect the current "secure runtime" and "secure timestamp" options, and b) add a prefix (org.pwg.ippeveselfcertNN.) to the default "bundle ID" used for command-line tools. The resulting ZIP file can be submitted for notarization and makes macOS happy...
The bad news is that we can't use a third-party code signing certificate on macOS. Apple requires that you now use the certificate they provide, which can only be provided by signing up as an Apple developer and paying the $99/year for the privilege (which actually is super-affordable compared to what you go through on Windows with code signing certs from GoDaddy/etc.)
In the short term I can sign the tools using my Lakeside Robotics certificate for the macOS builds, but in the long term I assume we'll want the PWG IPP Everywhere Printer Self-Certification Tools signed by the IEEE-ISTO Printer Working Group, as before.
Thoughts?
> On Feb 26, 2020, at 1:21 PM, Michael Sweet via ipp <ipp at pwg.org> wrote:
>> Smith,
>>> On Feb 26, 2020, at 1:15 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>>>>>>>>> On Feb 26, 2020, at 10:57 AM, Michael Sweet <msweet at msweet.org> wrote:
>>>>>> ... and FWIW I just tried notarizing the zip file we provide and it failed, as it appears that the only supported notarization containers are currently application bundles (directories with a specific organization) and macOS packages. The latter isn't really what we want for macOS so I'll see what I can do about faking an application bundle...
>>>> Does it let you notarize a .dmg?
>> No.
>>> If not, you could do a flat .pkg that can install to a specific location and default to ~/ so that a sw-ippeveselfcert11-20200219-macos.pkg would install its payload into ~/sw-ippeveselfcert11-20200219, but make the package allow installing into other locations...
>> You can't install packages to user directories... :/
>> I'm investigating further, the notarization logs also point to some missing code signing options so I'll see what I can do about that...
>> ________________________
> Michael Sweet
>>>> _______________________________________________
> ipp mailing list
>ipp at pwg.org>https://www.pwg.org/mailman/listinfo/ipp
________________________
Michael Sweet