Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/tools/fleetctl-docker/README.md
Andrea Scarpino 0758c19b44
Fix notarization after latest Apple changes (#23843) 
Notarization from the fleetctl-docker image is broken actually:

```
fleetctl package --type=pkg --fleet-url=myurl --enroll-secret=mysecret --macos-devid-pem-content=XYZ --notarize --app-store-connect-api-key-id=XYZ --app-store-connect-api-key-issuer=XYZ --app-store-connect-api-key-content=XYZ
[..]
transporter error> Package Summary:
transporter error>  
transporter error> 1 package(s) were not uploaded because they had problems:
transporter error> 	/tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp - Error Messages:
transporter error> 		Notarization of MacOS applications using altool has been decommissioned. Please use notarytool. See: https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool (4200)
transporter error> [2024-11-15 13:35:47 UTC] <main> DBG-X: Returning 1
Error: I/O error: command ["/usr/local/bin/iTMSTransporter", "-m", "upload", "-apiIssuer", "XYZ", "-apiKey", "XYZ", "-f", "/tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp", "-vp", "json"] exited with code 1

Error: rcodesign notarize: exit status 1
```

Luckily, bumping `rcodesign` version is enough to make it work again.

# Checklist for submitter

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2025-04-04 16:53:39 -03:00

1.8 KiB
Raw Blame History

fleetdm/fleetctl

This docker image allows to run fleetctl in a Linux environment that has all the necessary dependencies to package msi, pkg, deb and rpm packages.

Usage

docker run fleetdm/fleetctl command [flags]

Build artifacts are generated at /build. To get a package using this image:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi

Building

This image needs to be built from the root of the repo in order for the build context to have access to the fleetctl binary. To build the image, run:

make fleetctl-docker

macOS signing + notarization

To sign and notarize a generated pkg you must have:

  1. A Developer ID Application certificate in PEM format
  2. An Apple Store Connect API key with App Manager access

Note: the Developer ID certificate must be in PEM format because this image can be run in automated environments where secrets are passed via environment variables, and thus they must be in plain text.

To convert a DER (.cer) certificate to PEM, you can run the following command:

openssl x509 -inform der -outform pem -in developerID_application.cer -out developerID_application.pem

Once you are set, you can build and notarize/staple your package with:

docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=pkg   \
  --macos-devid-pem-content="$(cat /path/to/signing-keypair.pem)" \
  --notarize \
  --app-store-connect-api-key-id="A6DX865SKS" \
  --app-store-connect-api-key-issuer="68911d4c-110c-4172-b9f7-b7efa30f9680 " \
  --app-store-connect-api-key-content="$(cat /path/to/AuthKey_A6DX865SKS.p8)"

Publishing

There's a GitHub workflow to build and publish this image to Docker Hub, currently it has to be triggered manually.