Update certificate for macOS build (& fix notarization) #1721

Closed
holmesworcester opened this issue Aug 18, 2023 · 12 comments
Labels: bug, chore

@holmesworcester
Contributor

From Apple:

Your Distribution Certificate will no longer be valid in 30 days. To generate a new certificate, sign in and visit Certificates, Identifiers & Profiles.

I'm pretty sure this is the macOS certificate we use for avoiding warnings on macOS. We should update this ASAP.

Let me know if you need access to this area.

@holmesworcester
Contributor Author

@kingalg are you seeing any problems with Gatekeeper warnings when doing a fresh install on macOS?

@siepra did this get updated?

@kingalg
Collaborator

kingalg commented Nov 15, 2023

@holmesworcester no problems or unexpected messages on my side.

@holmesworcester
Contributor Author

holmesworcester commented Nov 16, 2023

Got a report from a user of:

image

Our own devices won't be a reliable view of this, apparently.

@holmesworcester holmesworcester added the bug Something isn't working label Nov 16, 2023
@siepra
Contributor

siepra commented Nov 17, 2023

Isn't it just the fact that people download Quiet from a source other than the App Store? The solution is to click "Show in Finder", then ctrl+click the Quiet icon and choose "open".

@holmesworcester
Contributor Author

holmesworcester commented Nov 17, 2023

> Isn't it just the fact that people download Quiet from a source other than the App Store? The solution is to click "Show in Finder", then ctrl+click the Quiet icon and choose "open".

That is a possible workaround but it's not what users typically have to do. Try downloading Spotify or Slack, e.g., and you'll see that this is not necessary, because the app is properly signed.

We've been doing this for years as well. When the warning shows, installation is effectively blocked for typical users, who do not know the workaround, so it's a serious bug if it's not signed correctly.

Documentation here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

@siepra
Contributor

siepra commented Nov 17, 2023

What version did the user try to run?
Here is a commit of Barteks' for fixing notarization 1d98ec3
It should be fine since version 1.9.6 (2.0.2-alpha.0)

@holmesworcester
Contributor Author

holmesworcester commented Nov 17, 2023

There are two separate issues:

  1. Altool deprecation
  2. Certificate expiration

This issue is for the second, which I believe is the problem here.

The user was installing from the website.

@siepra
Contributor

siepra commented Nov 17, 2023

I don't think it's the second case as all our certificates are valid

@siepra
Contributor

siepra commented Nov 17, 2023

@Kacper-RF spotted an error trying to notarize the app last time (it was easy to miss as it didn't interrupt the job).
We pushed a fix for configuration and started the build https://github.com/TryQuiet/quiet/pull/2078/files

Image

@holmesworcester
Contributor Author

holmesworcester commented Nov 17, 2023

What a weird situation. Apple's warning makes it sound like action is required. Does every release involve getting a new certificate?

Either way, let's confirm on a fresh account that the app is properly notarized before considering this complete.

Also, can we make it so that the build process fails if notarization fails, so that we will definitely notice, rather than releasing a version with broken notarization?

@siepra
Contributor

siepra commented Nov 17, 2023

Does every release involve getting a new certificate? - No, a certificate has its expiration date, after which it must be renewed.

@siepra
Contributor

siepra commented Nov 17, 2023

I don't know how to make electron-builder stop in case of notarization failure. @EmiM @vinkabuki you're more familiar with electron-builder, do you have any thoughts?

EDIT: maybe this will do (getting rid of try catch) #2081
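
The change discussed in this thread (dropping the try/catch so a notarization error stops the build), sketched as an added example; it is not part of the thread and not the Quiet project's code. The factory names, the injected `notarizeFn` and the `APPLE_*` environment variable names are assumptions; the option names follow `@electron/notarize`.

```javascript
// Added example, not the Quiet project's hook. `notarizeFn` is injected so the
// failure path can be exercised offline; in a real build it would be
// require('@electron/notarize').notarize (assumption: that package is used).

// Before: the pattern the thread describes. The error is logged and swallowed,
// so the hook resolves normally and the build continues with an un-notarized app.
function makeSwallowingAfterSign(notarizeFn, env) {
  return async function afterSign(context) {
    if (context.electronPlatformName !== 'darwin') return 'skipped';
    try {
      await notarizeFn(buildOptions(context, env));
      return 'notarized';
    } catch (err) {
      console.error('notarization failed:', err.message);
      return 'failed-but-ignored';
    }
  };
}

// After: no try/catch around the call, and missing credentials are an error
// rather than a silent skip. The rejection reaches whoever awaits the hook.
function makeStrictAfterSign(notarizeFn, env) {
  return async function afterSign(context) {
    if (context.electronPlatformName !== 'darwin') return 'skipped';
    for (const name of ['APPLE_ID', 'APPLE_APP_SPECIFIC_PASSWORD', 'APPLE_TEAM_ID']) {
      if (!env[name]) throw new Error(`notarization aborted: ${name} is not set`);
    }
    await notarizeFn(buildOptions(context, env));
    return 'notarized';
  };
}

// Maps electron-builder's afterSign context to notarize() options.
function buildOptions(context, env) {
  const appName = context.packager.appInfo.productFilename;
  return {
    appPath: `${context.appOutDir}/${appName}.app`,
    appleId: env.APPLE_ID,
    appleIdPassword: env.APPLE_APP_SPECIFIC_PASSWORD,
    teamId: env.APPLE_TEAM_ID,
  };
}

// Wiring for electron-builder's "afterSign" setting (commented so this runs offline):
// module.exports = makeStrictAfterSign(require('@electron/notarize').notarize, process.env);
```
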

@siepra siepra changed the title Update certificate for macOS build Update certificate for macOS build (fix notarization) Nov 17, 2023
@siepra siepra changed the title Update certificate for macOS build (fix notarization) Update certificate for macOS build (& fix notarization) Nov 17, 2023
@siepra siepra self-assigned this Nov 20, 2023
@siepra siepra closed this as completed Jan 10, 2024