This repository was archived by the owner on Dec 6, 2025. It is now read-only.

Collaborator

@roop roop commented Jan 30, 2023

This PR creates additional targets (with "-DeveloperID" suffix) that can be used for Developer ID Distribution of the macOS app (for distribution outside of the Mac App Store).

The tunnel extension is bundled as a system extension. The system extension is attempted to be installed at app launch -- there will be prompts at app launch for that.

Differences from the App Store version:

  • The privacy statement is not shown at app launch. It can still be accessed from the app's Settings pane.
  • There's no unified log. On clicking "View Log", we show how the user can access the log using Console.app or "log" commands. This is because with the System Extension, we have no shared location to keep the debug.log file that can be shared between the app and the extension (the app and the extension run as different users and don't have permissions to see each other's files).
  • The password for imported OpenVPN config files is passed directly and not through the Keychain. This is because with the System Extension, we have no shared keychain to share the password with.
  • The About pane says "Developer ID Version".

Creating the Developer ID Distribution is somewhat complex, and is documented in DEVELOPER_ID.md which is part of this PR.

@roop roop marked this pull request as draft January 30, 2023 07:05
Collaborator Author

roop commented Jan 30, 2023

Converted to draft because this depends on #498, which is not merged yet.

@roop roop marked this pull request as ready for review February 9, 2023 13:00
Collaborator Author

roop commented Feb 9, 2023

Rebased to master after merging of #498.

@efef Please take a look at DEVELOPER_ID.md (added in this PR), which documents the distribution process.

roop added 23 commits February 15, 2023 20:05
We set it up in Xcode and then edit the project file to update paths and
names.
We set it up in Xcode and then edit the project file to remove references to
the expanded APP_ID
Because when building for Developer ID release, we need to use the
entitlement values with a "-systemextension" suffix.
For the "-macOS-DeveloperID" targets (app, tunnel, and loginitemhelper), for
release configuration, under Build Settings:

 - Change "Code Signing Style" to "Manual"
 - Change "Code Signing Identity" to "Developer ID Application"
roop added 14 commits February 15, 2023 20:05
To help create the macOS installer package for a Developer ID release.
-TunnelExtension and -LoginItemHelper xcconfigs were just duplicates.
We don't have a shared location between the app and the system
extension to write the log, so we instead rely on the OS-provided
unified logging.

So when the user clicks on "View Log", we show a view that shows
how to access the log using Console.app or log show.
In case of an App Extension, there's a shared Keychain we
can use to pass the password through.

In case of a System Extension, we don't have a shared
Keychain, so we just pass it directly.
@roop roop force-pushed the sysext branch 2 times, most recently from 75d5bf1 to 0f320fd Compare February 16, 2023 04:35
Collaborator Author

roop commented Feb 16, 2023

Pushed 0f320fd to developer_id_distribution branch, so that @efef can try it out.
