Add comments about how the notarization process works

2021-12-13 21:18:19 -08:00 · 2021-12-13 21:18:19 -08:00 · 8fe7aab673
parent 18d19dac16
commit 8fe7aab673
1 changed files with 9 additions and 0 deletions
--- a/common/arch/macos/notarize_dxx_bundles.zsh
+++ b/common/arch/macos/notarize_dxx_bundles.zsh
@ -118,6 +118,15 @@ if [[ ! -f "${DXX_TMP_ZIP_PATH}" ]]; then
  exit 1
 fi

+# Note that the notarization process does NOT change the app bundle or the ZIP file.
+# Instead, Apple reads the signature associated with the submitted resources and, if
+# they don't detect any malicious code, create a ticket on their side that can be
+# requested by a macOS client for the specific resource that was signed in order to
+# validate that it went through the notarization process.  This ticket can also be
+# stapled to the app bundle for offline validation by macOS clients which are not
+# connected to the Internet at the time.  This stapling process happens further in
+# the script.
+
 echo "Beginning notarization process.  This may take a few minutes."

 if [[ -z "${notarization_keychain_profile}" ]]; then