From 0e34ced34f06f1ff5be3554917847f63c7bb3505 Mon Sep 17 00:00:00 2001 From: Heitor Neiva Date: Wed, 12 Oct 2022 16:48:38 -0700 Subject: [PATCH] Added apple docs --- apple/certificates.md | 21 +++++++++++++++++++++ apple/index.rst | 21 +++++++++++++++++++++ apple/provisioning_profiles.md | 6 ++++++ apple/user_access.md | 19 +++++++++++++++++++ index.rst | 1 + 5 files changed, 68 insertions(+) create mode 100644 apple/certificates.md create mode 100644 apple/index.rst create mode 100644 apple/provisioning_profiles.md create mode 100644 apple/user_access.md diff --git a/apple/certificates.md b/apple/certificates.md new file mode 100644 index 0000000..5deac6f --- /dev/null +++ b/apple/certificates.md @@ -0,0 +1,21 @@ +# Apple Certificates + +Apple docs: https://developer.apple.com/support/certificates/ + +The process to create a new certificate signing request can be found here: +https://help.apple.com/developer-account/#/devbfa00fef7 + +Instructions on how to issue new certs: +https://mana.mozilla.org/wiki/pages/viewpage.action?spaceKey=RelEng&title=Signing#Signing-OSX&iOSSigning + +### Notes +1. There's a limited amount of `Apple Distribution`, `Developer ID Installer`, +`Developer ID Application`, `iOS App Development` (and possibly others) that can +be issued and valid at the same time. +**BE EXTREMELY CAREFUL WITH ISSUED CERTIFICATES.** + +1. `App Managers` with `Access to Certificates, Identifiers & Profiles` are able +to issue production level certificates. We should avoid giving out this type of +access. + +1. If we migrate to autograph/rcodesign, we won't need to hold the certificate in a keychain diff --git a/apple/index.rst b/apple/index.rst new file mode 100644 index 0000000..5e62886 --- /dev/null +++ b/apple/index.rst 
@@ -0,0 +1,21 @@ +Apple Developer Portal +====================== + +Apple developer portal can be accessed at https://developer.apple.com. +Credentials can be found in the RelEng SOPS under apple-accounts.yml + +____ +Bitrise: https://app.bitrise.io/users/sign_in. + +Access given via ldap group in conjunction to a Bitrise account. +____ + + +Contents: + +.. toctree:: + :maxdepth: 2 + + certificates.md + user_access.md + provisioning_profiles.md diff --git a/apple/provisioning_profiles.md b/apple/provisioning_profiles.md new file mode 100644 index 0000000..17443e1 --- /dev/null +++ b/apple/provisioning_profiles.md @@ -0,0 +1,6 @@ +# Provisioning Profiles + +Production profiles are used when developers want to bypass notarization. + +Development profiles include a list of devices, where the application will be +able to install and run without a production-level signing process. diff --git a/apple/user_access.md b/apple/user_access.md new file mode 100644 index 0000000..cb52e4d --- /dev/null +++ b/apple/user_access.md @@ -0,0 +1,19 @@ +# Apple Account User Access + +All mozilla apple (mac/iOS) developers will need an apple account. We should try +as much as possible only give out permissions to their @m.c accounts. Personal +accounts should be avoided in case the developer leaves the company and we don't +delete the apple account. + +## Permissions +Roles are confusing! + +An user with `Developer` Role, and +`Access to Certificates, Identifiers & Profiles` will only be able to access +development-level items. **The majority of developers will want this combination.** + +`App Managers` with `Access to Certificates, Identifiers & Profiles` will be able +to issue production-level certificates. **It is very unlikely that we should +allow this type of access. Make sure the user understands this risk.** + +Sales, Marketing and Finance users will likely want `Access to Reports`. diff --git a/index.rst b/index.rst index 6e2442f..b10ea0d 100644 --- a/index.rst +++ b/index.rst 
@@ -50,6 +50,7 @@ Contents: machine-users.rst troubleshooting.rst gecko_tests/index.rst + apple/index.rst .. toctree:: :caption: Meta
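Review bot: In apple/certificates.md, note 1 under `### Notes` warns that only a limited number of each certificate type can be issued and valid at the same time, but it gives the reader nothing to act on. Suggest saying what to check before issuing a new certificate and what to do when the limit has been reached. Note 2 repeats the `App Managers` warning that also appears in apple/user_access.md; linking to that page instead would keep the two from drifting apart.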
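Review bot: In apple/index.rst, the two `____` lines around the Bitrise paragraph have no blank line separating them from the adjacent text, so reStructuredText will not read them as transitions and is likely to treat them as a section title overline or underline and emit a warning. Add a blank line on both sides of each, or give Bitrise its own section heading. The toctree also lists `.md` files, which only build if the Sphinx configuration has a Markdown parser enabled; this patch does not touch that configuration, so it is worth confirming. "Access given via ldap group" would be more useful with the group named.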
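Review bot: In apple/provisioning_profiles.md, "Production profiles are used when developers want to bypass notarization" describes skipping a release control without saying when that is acceptable or who approves it. Suggest stating the cases in which a production profile is appropriate, and pointing to apple/user_access.md for the roles that carry `Access to Certificates, Identifiers & Profiles`.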
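Review bot: In apple/user_access.md, the first paragraph acknowledges that an Apple account may not be deleted when a developer leaves the company, but the page has no offboarding step. Suggest adding one (who removes the user from the Apple team, and when) and spelling out `@m.c` as the full domain. In the `App Managers` paragraph, "Make sure the user understands this risk" does not say who approves that access; naming an approver would make the restriction enforceable. Minor: "An user" should be "A user", and "try as much as possible only give out" is missing "to".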