Conveyor updates for May

The May 2023 release (v9) simplifies releasing to the Microsoft store, better protects your root key when using a Mac, improves usability in various ways and contains the usual set of bug fixes.

Microsoft Store uploads

Conveyor can now release new versions to the store with the conveyor make ms-store-release command.

The Microsoft Store is a convenient way to distribute Windows apps because it lets you skip the expensive code signing process required for out-of-store distribution. For a one-off payment of $19 (or $99 for a company) you can release as many apps as you like. Compare that to the cost of a code signing certificate at several hundred dollars per year and that’s probably why support for the Microsoft Store sits at the top of our most voted issues.

Releasing through the store has some other advantages, like:

  • Beta testing and gradual rollouts.
  • Integrated billing for commercial apps.
  • Private stores for an organization’s internal apps.
  • Support for usage/crash reporting.
  • A relatively relaxed approach to app approvals.

You’ll need to do a bit of setup to ensure Conveyor can connect to the store API, the first release has to be done manually due to Microsoft API policy and at this time aggressive updates aren’t supported. But after that you can do regular releases.

Key protection on macOS

Conveyor can now store the root key in the macOS keychain, ensuring that if you accidentally run some malware then your code signing keys will remain safe. New keys are created in the keychain by default. Existing keys can be migrated by using the conveyor keys migrate-to-keychain command.

Here’s a bit about how this works. When an app is started up the kernel verifies the code signatures on the app. This identity is then available to any service with which the app communicates using the built-in IPC mechanism (XPC). The keychain API speaks to a daemon that stores the key material in a protected area of disk that apps aren’t allowed to access. Individual keychain items have access control lists that are viewable in the Keychain Access app, which list out the apps that can access those items. The kernel also prevents apps from tampering with other app’s memory or files, ensuring that one app can’t impersonate or take over another.

Conveyor stores the root key in the same words-and-date form as used in the regular config file, so rather than being stored as a private key item (which requires it to be exactly one key) it’s stored as a password. This same technique is used by web browsers to store the encryption keys for their cookie store.

Usability improvements

In each release we make Conveyor friendlier and add more safety checks. In this release:

  • Inputs are now required by default for projects with conveyor.compatibility-level >= 9 (i.e. new projects and those where you explicitly updated the config). This ensures you can’t accidentally package an app that’s missing important files. Inputs that are meant to be optional can now be marked as such explicitly. Optional inputs can be useful when writing generic config that is meant to apply to different apps with different resources.
  • Conveyor now verifies that the min macOS version required by individual binaries is consistent with the min version advertised in the Info.plist file. This can catch mistakes where you think you are targeting a certain older macOS version but incorporate code that has a higher requirement.
  • The output when there’s no connected terminal is now less verbose (e.g. for CI builds).
  • You can now disable compression for Windows and Mac zips, not just Linux packages. This can make iteration faster.
  • JVM apps now place JARs on the classpath by default instead of trying to place explicit modules on the module path. This should avoid issues with broken module graphs that don’t resolve properly or that include auto-modules.
  • Certificates that are close to expiry now generate a warning reminding you to renew.

Finally, an automatic crash reporter was added. This lets you easily submit logs to us for analysis if something goes wrong.

Upgrade today!

The simplest way to get the new version is by running the app from the GUI and clicking “Check for upgrade”, or using apt-get upgrade if you installed via the debs. Let us know how you find it!