10.14 Hardened Runtime and App Notarization

  2. Travis H

    Oct 19 Pre-Release Testers, Xojo Pro

    Here is what seems to have worked for me for a Xojo app distributed via a signed DMG.

    1. Open the Application Loader developer tool in Xcode. Log in to your developer account and check the box to remember the login so a keychain entry is created. This allows you to skip entering your password in subsequent steps.

    2. Code sign your app with the hardened runtime option (you may need entitlements if you are accessing any protected resources). For example:

    $ codesign --force --options runtime --deep --sign "Developer ID Application: COMPANYNAME" MYAPP.app

    3. Bundle the app into a signed DMG for distribution. Steps omitted.

    4. Upload the signed DMG for notarization:

    $ xcrun altool --notarize-app -f MYAPP.dmg --primary-bundle-id MYBUNDLEID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"

    5. A RequestUUID is returned. Periodically check the status of the notarization until it has completed:

    $ xcrun altool --notarization-info REQUESTUUID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"

    6. When the notarization is complete, staple the ticket to the DMG:

    $ xcrun stapler staple -v MYAPP.dmg

    7. After installing your app, verify that it is notarized:

    $ spctl -a -v /Applications/MYAPP.app
    MYAPP.app: accepted
    source=Notarized Developer ID

  3. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @ChristianSchmitz I thought this is all optional for now, so not a reason to worry for now?
    And later we probably get someone to write a tool to do all the steps for Xojo apps without Xcode, e.g. using command line.

    Probably becoming required sooner than expected: https://www.idownloadblog.com/2018/10/19/gatekeeper-future-macos-notarized/

  4. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Tim J I used to be a big security advocate, but this is not security. It just defines an additional, yet indirect effort by Apple to lock other players out of the app game. The only good news is that they have still provided a mechanism for the end user to turn the requirement of that "feature" off.

    11 of our largest clients are seriously examining Windows and Linux for large scale Mac replacements for FY 19 just because of things like this compounding the issues that their IT teams had to deal with in the moves to 10.11 and 10.13 already.

    I know this is a necro'd thread, but here's the deal with notarization. When you distribute through the app store, Apple scans your app for certain behaviors and automatically rejects before going to a human for review. The Developer ID program is good, but has no such protection. Malware can be signed and distributed outside the app store. Notarization combines the two. Users get the benefit of binaries that have been pre-scanned by Apple, while developers don't have to distribute via the app store.

    It's not about locking anybody out. Well... except for malware developers.

  5. Christoph D

    Oct 19 Pre-Release Testers, Xojo Pro

    @Thom M Probably becoming required sooner than expected: https://www.idownloadblog.com/2018/10/19/gatekeeper-future-macos-notarized/

    Yeah, I also read it somewhere else. This is rumoured for macOS 10.14.1 , but my guess it will be for 10.14.2

    Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

  6. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Christoph D Yeah, I also read it somewhere else. This is rumoured for macOS 10.14.1 , but my guess it will be for 10.14.2

    Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

    I don't think that soon. 10.15 or 10.16 is more likely. There's too many legacy apps to make the switch that quickly. You should start preparing your apps for the possibility, but it's not "sound the alarm" stage yet.

  7. Jeff T

    Oct 19 Midlands of England, Europe

    Sounds like a lot of work. :(
    I have several commercial apps.
    One comes in 3 flavours and a demo
    I have been known to release an update per month.

    7 notarisation sessions a month?
    Ewww

  8. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Jeff T Sounds like a lot of work. :(
    I have several commercial apps.
    One comes in 3 flavours and a demo
    I have been known to release an update per month.

    7 notarisation sessions a month?
    Ewww

    Only you can best decide how to adapt your strategy, but maybe it makes sense to consolidate where possible? Rather than that one app coming in 4 editions, maybe the differences get handled by licensing so you only need to make a single build per update? Just an idea.

    If Apple is going down this path, then we have to adapt. That'll be easier for some than others.

  9. Dave S

    Oct 19 San Diego, California USA
    Edited 8 weeks ago

    email from Apple as of 3:30pm 19-Oct-2018

    Dear R.David Sisemore,

    macOS Mojave is here. Give Mac users even more confidence in your software distributed outside the Mac App Store by submitting it to Apple to be notarized. When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware.

    Download Xcode 10 and submit your software today. In an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple.

    Learn about getting your software notarized

    If you have any questions, contact us.

    Best regards,
    Apple Developer Relations

  10. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Dave S email from Apple as of 3:30pm 19-Oct-2018

    That's exactly the email referenced in the iDownloadBlog story from above.

  11. Christoph D

    Oct 19 Pre-Release Testers, Xojo Pro

    @Thom M That's exactly the email referenced in the iDownloadBlog story from above.

    Apple today sent a mail to every developer: the next release will have this requirement.
    It is (sadly) coming sooner.

  12. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Christoph D Apple today sent a mail to every developer: the next release will have this requirement.
    It is (sadly) coming sooner.

    The email just says “upcoming” which is very non-specific.

  13. Sam R

    Oct 19 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Christoph D Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

    Sitting in the corner working away, with curse words leaking from one's mouth... "Will I ever get this gorram app finished?"
    He picks up the source code and throws it on the floor, standing up reaches for his smokes...

  14. Tony B

    Oct 19 Pre-Release Testers, Xojo Pro Sydney, Australia

    You realise @Sam R that if you crack this one, every Xojo licence will need your helper app to run. I already have AppWrapper and rely on it. AppWrapAndNotarise will be as essential as MBS.

    Regards,
    Tony Barry

  15. Björn E

    Oct 19 Pre-Release Testers, Xojo Pro Iceland
    Edited 8 weeks ago

    I just managed to staple our Registrator App, it was not all that bad to get it done, just a few console commands.

    You get confirmation from the iTunes Store when it works I guess:

    Dear Björn,

    Your Mac software (bundle identifier com.einhugur.registrator) has been notarized. You can now export this software and distribute it directly to users.

  16. Beatrix W

    Oct 19 Pre-Release Testers Europe (Germany)

    Absolutely lovely. How long does the xcrun stuff take to run?

  17. Jeff T

    Oct 19 Midlands of England, Europe

    @Christoph D Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

    We don't ask Sam to handle App Store Submission.
    This looks similar to me, bar the distributing via the App Store.

  18. Björn E

    Oct 19 Pre-Release Testers, Xojo Pro Iceland

    @Beatrix W Absolutely lovely. How long does the xcrun stuff take to run?

    Took less than a minute once I had realised how. I guess it mostly depends on the size of the application and your upload link.

  19. Björn E

    Oct 19 Pre-Release Testers, Xojo Pro Iceland
    Edited 8 weeks ago

    Here is how if someone needs to know how:

    1. The Application and DMG was already signed by using Sam's excellent App wrapper.

    2. Make an App-Specific Password (yes, there is such a thing; I had never heard of it before). You make them at https://appleid.apple.com. Give it any name and it will generate a key for you.

    3. Sign your App using terminal (you need your bundle identifier here, your Apple ID and your App password that you made in step 2)
    xcrun altool -t osx -f /Users/bjorneiriksson/Desktop/Registrator_8_0_3_\(64bit\).dmg --primary-bundle-id com.einhugur.registrator --output-format xml --notarize-app --username <yourappleidhere> --password <yourappspecificpasswordhere>

    4. Staple the Application using terminal:
    xcrun stapler staple /Users/bjorneiriksson/Desktop/Registrator_8_0_3_\(64bit\).dmg

    That gives you output like this if everything worked:

    Processing: /Users/bjorneiriksson/Desktop/Registrator_8_0_3_(64bit).dmg
    Processing: /Users/bjorneiriksson/Desktop/Registrator_8_0_3_(64bit).dmg
    The staple and validate action worked!

    Now I did have a problem at first where altool was not connected correctly to my Dev tools.

    If you have that problem then you do (you need to sudo this one):
    sudo xcrun xcode-select -s /Applications/Xcode.app
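
    The steps in Travis H's post (sign, upload, poll, staple, spctl) and Björn E's post (app-specific password, altool, stapler), collected into one script as an added example. This is not code from either post, nor from App Wrapper or Xojo. The values of APP, DMG, BUNDLE_ID, APPLE_ID, SIGN_ID and the keychain item name AC_PASSWORD are hypothetical placeholders, and the two altool replies embedded for the self-test are constructed from memory of Xcode 10's plain-text output, not captured. Beyond what the posts show, it adds a secure timestamp at signing, keeps the App-Specific Password in the login keychain instead of on the command line, polls --notarization-info until a terminal status, and validates the stapled DMG the way Gatekeeper assesses a download.

```shell
#!/bin/sh
# Added example: Developer ID sign -> notarize -> staple -> verify for a DMG.
# Placeholder values below are hypothetical; override them in the environment.
set -eu

APP="${APP:-MYAPP.app}"
DMG="${DMG:-MYAPP.dmg}"
BUNDLE_ID="${BUNDLE_ID:-com.example.myapp}"
APPLE_ID="${APPLE_ID:-developer@example.com}"
SIGN_ID="${SIGN_ID:-Developer ID Application: COMPANYNAME}"
KEYCHAIN_ITEM="${KEYCHAIN_ITEM:-AC_PASSWORD}"

# One-time setup: store the App-Specific Password in the login keychain so it never
# sits in a script, shell history or CI log. altool later reads it via -p @keychain:NAME.
store_password() {
    xcrun altool --store-password-in-keychain-item "$KEYCHAIN_ITEM" -u "$APPLE_ID" -p "$1"
}

# Hardened runtime plus a secure timestamp are both needed for a ticket to be issued.
# Nested helpers/frameworks should already be signed (inside-out) before this step.
sign_app() {
    codesign --force --options runtime --timestamp --sign "$SIGN_ID" "$APP"
    codesign --verify --strict --verbose=2 "$APP"
}

# Extract the RequestUUID from `altool --notarize-app` plain-text output.
parse_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Extract the Status line ("in progress", "success", "invalid") from
# `altool --notarization-info` output; "Status Code:" and "Status Message:" do not match.
parse_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

submit() {
    xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        -u "$APPLE_ID" -p "@keychain:$KEYCHAIN_ITEM" -f "$DMG" | parse_request_uuid
}

# Poll until Apple reports a terminal state. Fail loudly on anything but success so a
# CI job cannot staple nothing and ship an unnotarized image.
wait_for_ticket() {
    while :; do
        status=$(xcrun altool --notarization-info "$1" \
                 -u "$APPLE_ID" -p "@keychain:$KEYCHAIN_ITEM" | parse_status)
        case "$status" in
            success)       return 0 ;;
            "in progress") sleep 30 ;;
            *) echo "notarization failed: status='$status' (see LogFileURL)" >&2; return 1 ;;
        esac
    done
}

# Attach the ticket for offline Gatekeeper checks, then assess the DMG as a download.
staple_and_verify() {
    xcrun stapler staple "$DMG"
    xcrun stapler validate "$DMG"
    spctl -a -t open --context context:primary-signature -vv "$DMG"
}

main() {
    sign_app
    uuid=$(submit)
    [ -n "$uuid" ] || { echo "no RequestUUID in altool output" >&2; exit 1; }
    wait_for_ticket "$uuid"
    staple_and_verify
}

# Constructed samples of altool's replies (not real server output) so the parsers can be
# exercised on a machine without Xcode.
SAMPLE_SUBMIT="No errors uploading 'MYAPP.dmg'.
RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041"
SAMPLE_INFO="No errors getting notarization info.

          Date: 2018-10-19 17:59:40 +0000
   RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041
        Status: in progress
   Status Code: 0"

selftest() {
    [ "$(printf '%s\n' "$SAMPLE_SUBMIT" | parse_request_uuid)" = "2EFE2717-52EF-43A5-96DC-0797E4CA1041" ] &&
    [ "$(printf '%s\n' "$SAMPLE_INFO" | parse_status)" = "in progress" ]
}

case "${1:-}" in
    run)      main ;;
    selftest) selftest && echo "parsers OK" ;;
esac
```

    Run `sh notarize.sh run` on a Mac with Xcode 10's tools selected (see the xcode-select note above); `sh notarize.sh selftest` only checks the parsers. If the status comes back "invalid", fetch the LogFileURL printed by --notarization-info: it lists each binary that was rejected, which in practice is usually a missing hardened runtime or timestamp, or an unsigned nested helper.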

  20. Thom M

    Oct 19 Pre-Release Testers Greater Hartford Area, CT

    @Björn E Make App password

    You mean an "App-Specific Password" right?

  21. Björn E

    Oct 19 Pre-Release Testers, Xojo Pro Iceland
    Edited 8 weeks ago

    @Thom M You mean an "App-Specific Password" right?

    Yes
