mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
Notarization from the fleetctl-docker image is broken actually:

```
fleetctl package --type=pkg --fleet-url=myurl --enroll-secret=mysecret --macos-devid-pem-content=XYZ --notarize --app-store-connect-api-key-id=XYZ --app-store-connect-api-key-issuer=XYZ --app-store-connect-api-key-content=XYZ
[..]
transporter error> Package Summary:
transporter error>
transporter error> 1 package(s) were not uploaded because they had problems:
transporter error> /tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp - Error Messages:
transporter error> Notarization of MacOS applications using altool has been decommissioned. Please use notarytool. See: https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool (4200)
transporter error> [2024-11-15 13:35:47 UTC] <main> DBG-X: Returning 1
Error: I/O error: command ["/usr/local/bin/iTMSTransporter", "-m", "upload", "-apiIssuer", "XYZ", "-apiKey", "XYZ", "-f", "/tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp", "-vp", "json"] exited with code 1
Error: rcodesign notarize: exit status 1
```

Luckily, bumping `rcodesign` version is enough to make it work again.

# Checklist for submitter

- [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to confirm autoupdate
- For database migrations:
  - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.
  - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
  - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`).
  - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
57 lines
1.8 KiB
Markdown
## fleetdm/fleetctl

This docker image allows you to run `fleetctl` in a Linux environment that has all
the necessary dependencies to package `msi`, `pkg`, `deb` and `rpm` packages.

### Usage

```
docker run fleetdm/fleetctl command [flags]
```

Build artifacts are generated at `/build`. To get a package using this image:

```
docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi
```

### Building

This image needs to be built from the root of the repo in order for the build
context to have access to the `fleetctl` binary. To build the image, run:

```
make fleetctl-docker
```

#### macOS signing + notarization

To sign and notarize a generated `pkg` you must have:

1. A Developer ID Application certificate in PEM format
2. An App Store Connect API key with App Manager access

> Note: the Developer ID certificate must be in PEM format because this image
> can be run in automated environments where secrets are passed via environment
> variables, and thus they must be in plain text.
>
> To convert a DER (.cer) certificate to PEM, you can run the following command:
>
> ```
> openssl x509 -inform der -outform pem -in developerID_application.cer -out developerID_application.pem
> ```

Once you are set, you can build and notarize/staple your package with:

```
docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=pkg \
  --macos-devid-pem-content="$(cat /path/to/signing-keypair.pem)" \
  --notarize \
  --app-store-connect-api-key-id="A6DX865SKS" \
  --app-store-connect-api-key-issuer="68911d4c-110c-4172-b9f7-b7efa30f9680" \
  --app-store-connect-api-key-content="$(cat /path/to/AuthKey_A6DX865SKS.p8)"
```
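An added pre-flight wrapper for the invocation above (example code, not part of the fleetctl-docker image or the Fleet repository): it checks that the certificate and `.p8` key are PEM, that the key ID and issuer ID have the expected shape with no stray whitespace, and with `DRY_RUN=1` prints the command with secret contents redacted instead of running it. The `package_pkg` function, its argument order and the ID-format rules are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the fleetctl-docker image or the Fleet repo.
# Pre-flight checks for the signing inputs handed to `fleetctl package`, so a
# malformed certificate or a key/issuer ID with stray whitespace fails here
# instead of as a late "transporter error" from Apple's notarization service.

# Return 0 if file $1 contains a PEM block labelled $2 (CERTIFICATE, PRIVATE KEY).
pem_has_block() {
  grep -q "^-----BEGIN $2-----\$" "$1" && grep -q "^-----END $2-----\$" "$1"
}

# Assumed shapes: key IDs are 10 upper-case alphanumerics (as in the README's
# example), issuer IDs are UUIDs. Whitespace is rejected rather than trimmed.
valid_key_id()    { printf '%s' "$1" | grep -Eq '^[A-Z0-9]{10}$'; }
valid_issuer_id() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; }

# package_pkg <devid.pem> <AuthKey.p8> <key-id> <issuer-id> <fleet-url> <enroll-secret>
# (argument order is this example's choice). With DRY_RUN=1 the docker command
# is printed with secret contents redacted instead of being executed.
package_pkg() {
  pem="$1"; p8="$2"; key_id="$3"; issuer="$4"; url="$5"; secret="$6"
  pem_has_block "$pem" CERTIFICATE  || { echo "not a PEM certificate: $pem" >&2; return 2; }
  pem_has_block "$p8" "PRIVATE KEY" || { echo "not a PEM (PKCS#8) key: $p8" >&2; return 2; }
  valid_key_id "$key_id"            || { echo "bad API key id: '$key_id'" >&2; return 2; }
  valid_issuer_id "$issuer"         || { echo "bad issuer id: '$issuer'" >&2; return 2; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "docker run -v \"\$(pwd):/build\" fleetdm/fleetctl package --type=pkg" \
      "--fleet-url=$url --enroll-secret=<redacted> --macos-devid-pem-content=<redacted>" \
      "--notarize --app-store-connect-api-key-id=$key_id" \
      "--app-store-connect-api-key-issuer=$issuer --app-store-connect-api-key-content=<redacted>"
    return 0
  fi
  # The certificate and key contents become arguments of the container process,
  # so they are visible via `docker inspect` and in `ps` output on the host.
  docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=pkg \
    --fleet-url="$url" --enroll-secret="$secret" \
    --macos-devid-pem-content="$(cat "$pem")" \
    --notarize \
    --app-store-connect-api-key-id="$key_id" \
    --app-store-connect-api-key-issuer="$issuer" \
    --app-store-connect-api-key-content="$(cat "$p8")"
}
```

Because the certificate and key are passed as `$(cat ...)` arguments, their contents end up in the container's argv, so run this only on a build host whose other users you trust.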

### Publishing

There's a GitHub workflow to build and publish this image to Docker Hub; currently it has to be triggered [manually](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow).