App Wrapper 3.9 Beta 4, now with Hardened Runtime & Notarization

  1. 4 months ago

    Sam R

    Nov 5 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    Ladies and Gentlemen;
    Beta 4 of App Wrapper now includes the newly required "Hardened Runtime" option (which requires macOS 10.13.6 or newer) and Notarization (which also requires macOS 10.13.6 and Xcode 10).

    How to use:
    Run App Wrapper on 10.13.6 (or newer) with Xcode 10 installed, and there's a new option under the Code signature selector "Hardened runtime", make sure this is checked (although please test your application thoroughly after enabling this option as it applies new restrictions to the app).

    Once your application is wrapped, there is a new "Notarize" button in the wrapping window, click this button and your packages will be imported into the Notarizer window. From here you select an Apple Developer account (you may need to add your information first) and then click on "Submit".

    App Wrapper will then upload the packages and check for analysis results automatically. It will display some errors in the window and also confirmation of completion. If you click the action icon in the list, you can view the log, which will reveal more detailed information.

    It will automatically Notarize multiple packages (if you ship a DMG and installer package per say). While the uploads are synchronous (Apple don't seem to like multiple uploads at the same time), other functions are asynchronous. In fact, once it's completed uploading, you even let the machine go to sleep and come back and check the status later.

    It also supports manually adding of packages; so if you code sign yourself, but would like to use App Wrapper for Notarization, simply drag the packages in and set the version number & bundle identifier.

    This version of App Wrapper has been hardened and notarized by itself.

    http://www.ohanaware.com/appwrapper/appWrapper3update39Beta.dmg

    Please let me know how you get on and what issues you encounter, if you encounter any.

  2. Yves P

    Nov 6 Pre-Release Testers Europe, Germany, Konstanz

    Thank you for adding this to AppWrapper. Unfortunately this does not work for me.

    I am signing my app with "Packaging=None". After the wrapping process, I usually use the macOS DiskUtility to create an unsigned but compressed dmg to deliver my app. This worked fine and I did not see any advantage to sign the dmg too.

    Back to AppWarapper: After successfully wrapping my app, the click on "Notarize" brings this window:

    -image-

    How can I now notarize my app now?

    PS: A small bug: If you add an account that is already in the list, a keychain error occurs.

  3. Sam R

    Nov 6 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    Sorry I didn’t expalin how to manually add a package; drag your DMG or PKG into the Notarizer window.

    I haven’t tried it with an unsigned DMG, so let me know how that goes :)

  4. Christoph D

    Nov 6 Pre-Release Testers, Xojo Pro

    @Yves P This worked fine and I did not see any advantage to sign the dmg too.

    You are aware it is mandatory to sign the .dmg too for macOS 10.13 and higher?

  5. Sam R

    Nov 6 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    I’ve been thinking about this; and probably what I’ll do is adapt the manual submission function to include codesigning at that stage, it will save an extra step, and simplifies the process for people who use other packing tools than those included in App Wrapper.

  6. Yves P

    Nov 7 Pre-Release Testers Europe, Germany, Konstanz

    No luck when notarizing an unsigned .dmg or the app itself.

    -image-

    @Christoph Dnbsp;Vocht You are aware it is mandatory to sign the .dmg too for macOS 10.13 and higher?

    OK, but until now it worked for me without signing. Even on High Sierra and the current Mojave. I never had customer complaints about that. Do you know if there were any restrictions with an unsigned .dmg?

    @Sam R I’ve been thinking about this; and probably what I’ll do is adapt the manual submission function to include codesigning at that stage, it will save an extra step, and simplifies the process for people who use other packing tools than those included in App Wrapper.

    That would be really great! Otherwise I have to use .dmg canvas. I Think there are too many steps to create and sign the .dmg by hand.

  7. Sam R

    Nov 7 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Yves P No luck when notarizing an unsigned .dmg or the app itself.

    Notarization currently only supports DMG or PKG, so I am not surprised a .app doesnt work.

    @Yves P That would be really great! Otherwise I have to use .dmg canvas. I Think there are too many steps to create and sign the .dmg by hand.

    In App Wrapper, under the tools menu, there is a DMG signer option already; but what I propose will save you that step in the future :)

  8. Yves P

    Nov 7 Pre-Release Testers Europe, Germany, Konstanz
    Edited 4 months ago

    Great, my .dmg is now notarized. It worked with the included .dmg signer from AppWrapper and took about 4 minutes to finish. – No errors. :-)

  9. Sam R

    Nov 7 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Yves P Great, my .dmg is now notarized. It worked with the included .dmg signer from AppWrapper and took about 4 minutes to finish. – No errors. :-)

    Excellent news :)

  10. Philip C

    Nov 7 Pre-Release Testers, Xojo Pro Cooroy, QLD, Australia

    For uploads, need to prove an app specific password. Does that mean one needs to use Apple's methodology for initial upload and set up before using this function in AppWrapper?

  11. Sam R

    Nov 7 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Philip C For uploads, need to prove an app specific password. Does that mean one needs to use Apple's methodology for initial upload and set up before using this function in AppWrapper?

    In the tests that I’ve done; I’ve not set any specific passeords per application. And only used my code to upload.

  12. Jerry F

    Nov 12 Pre-Release Testers, Xojo Pro Florissant MO USA

    This is the log error I get when I try. This is after signing and hardening the app, then creating/signing the dmg with DMG Canvas. This is on 10.14.1 with Xcode 10.1. Command line utilities are installed (at least Homebrew is happy), so I don't know what I'm missing.

    11/12/18 5:12:02 PM StatusChanged: Ready to submit to Apple.
    11/12/18 5:12:07 PM StatusChanged: Queued for upload.
    11/12/18 5:12:07 PM StatusChanged: Uploading 11.1 MB to Apple...
    11/12/18 5:12:07 PM xcrun: error: unable to find utility "altool", not a developer tool or in PATH

    11/12/18 5:12:07 PM Unable to convert the upload response into a dictionary
    11/12/18 5:12:07 PM StatusChanged: Unable to process the result, please see the log

  13. Jerry F

    Nov 12 Pre-Release Testers, Xojo Pro Florissant MO USA

    Never mind--- sudo xcode-select --switch /Applications/Xcode.app fixed it :-)

  14. Sam R

    Nov 12 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Jerry F Never mind--- sudo xcode-select --switch /Applications/Xcode.app fixed it :-)

    Interesting; thanks for the information. Had you actually opened Xcode 10.1?

  15. Björn E

    Nov 13 Pre-Release Testers, Xojo Pro Iceland

    I had to also do that when I did my first Stamping about 2 weeks ago.

    @Sam R Interesting; thanks for the information. Had you actually opened Xcode 10.1?

    I had to also do that when I did my first Stamping about 2 weeks ago.

    So his case is definitely not one off case.

  16. Jerry F

    Nov 13 Pre-Release Testers, Xojo Pro Florissant MO USA

    Yes, I had opened Xcode some time before; it always does the "installing additional components" thing when I first do so. There is a chance I'm thinking of 10.0, and not 10.1.

    I did have to go to the Apple dev site, to create an application-specific password, for this to work, unlike (if I understand correctly) Sam's case. Also, at this moment I can only notarize .pkg files, as opposed to my customary .dmg. When I try with .dmg I get a "no mountable filesystems" error at the end of the process. I am using DMG Canvas, both separately and with AppWrapper integration; the template is set to default HFS+ case-insensitive. I can send the log if that would help.

  17. Sam R

    Nov 13 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Björn Eiríksson So his case is definitely not one off case.

    Intersting; I'll look into it ASAP.

    @Jerry Fritschle I did have to go to the Apple dev site, to create an application-specific password, for this to work, unlike (if I understand correctly) Sam's case.

    hmmm... I wonder what causes this; both App Wrapper and the other application are NOT on the App Store and I created a sample application specifically for testing this process and specifically didn't configure anything with Apple before hand. To basically see if I needed to complete this step or not; especially as the limited documentation didn't make it clear if setting an app password was required or not.

    You did sign it with a code signature that's registered to your Apple Developer account?

    @Jerry Fritschle I am using DMG Canvas, both separately and with AppWrapper integration; the template is set to default HFS+ case-insensitive. I can send the log if that would help.

    Yes, please. I want to keep this process as simple as possible, Maybe you can also give me a link to download your DMG so I can compare that with the App Wrapper DMG (which was accepted by Apple). Did you create the DMG on 10.14?

  18. Jerry F

    Nov 14 Pre-Release Testers, Xojo Pro Florissant MO USA

    The DMG was created on 10.14.1. My Apple Certificates are in order, per the Codesign Diagnostics in AppWrapper. What I believe to be the relevant part of the log is here:

    11/14/18 11:02:58 AM <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>notarization-info</key>
    <dict>
    <key>Date</key>
    <date>2018-11-14T17:01:19Z</date>
    <key>RequestUUID</key>
    <string>dfeecfa4-72eb-424a-8fdd-cb3c200a1239</string>
    <key>Status</key>
    <string>in progress</string>
    <key>Status Code</key>
    <integer>2</integer>
    <key>Status Message</key>
    <string>Package Invalid</string>
    </dict>
    <key>os-version</key>
    <string>10.14.1</string>
    <key>success-message</key>
    <string>No errors getting notarization info.</string>
    <key>tool-path</key>
    <string>/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/Frameworks/ITunesSoftwareService.framework</string>
    <key>tool-version</key>
    <string>1.1.1138</string>
    </dict>
    </plist>

    11/14/18 11:02:58 AM StatusChanged: Analysis still in progress
    11/14/18 11:03:56 AM StatusChanged: Checking with Apple for analysis results...
    11/14/18 11:03:57 AM <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>notarization-info</key>
    <dict>
    <key>Date</key>
    <date>2018-11-14T17:01:19Z</date>
    <key>LogFileURL</key>
    <string>https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma118/v4/12/25/e5/1225e51f-196f-6dc1-24fb-eaeebf5d2f10/developer_log.json?accessKey=1542409437_2519063862023711622_O1xL1uEG4N5uR6G3d05nbiobxKchXTtE0DtqVQni1vq0zamCv7Miprt0VErMg6KRpXXrOCk4CHG4xwZuAs1JFaYoBSnmhYwLmKqusnxKpqD8DlHxT10SNVzHIhDo%2FPHuLQLvTfl9mNlZwJcVpQ6y9wcmelQgD5PJ27wbOFtVzKc%3D</string>
    <key>RequestUUID</key>
    <string>dfeecfa4-72eb-424a-8fdd-cb3c200a1239</string>
    <key>Status</key>
    <string>invalid</string>
    <key>Status Code</key>
    <integer>2</integer>
    <key>Status Message</key>
    <string>Package Invalid</string>
    </dict>
    <key>os-version</key>
    <string>10.14.1</string>
    <key>success-message</key>
    <string>No errors getting notarization info.</string>
    <key>tool-path</key>
    <string>/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/Frameworks/ITunesSoftwareService.framework</string>
    <key>tool-version</key>
    <string>1.1.1138</string>
    </dict>
    </plist>

    11/14/18 11:03:57 AM Has a remote log, requesting that now
    11/14/18 11:03:57 AM StatusChanged: Package Invalid retrieving the remote log...
    11/14/18 11:03:58 AM Remote Log: {"logFormatVersion": 1, "jobId": "dfeecfa4-72eb-424a-8fdd-cb3c200a1239", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "Demo_FTProofsheet_Client.dmg", "uploadDate": "2018-11-14T17:01:19Z", "sha256": "39c38c87a8ed922f9359a404684c36535f3e14f5952a497dea06d05f00a32f2c", "ticketContents": null, "issues": [{"severity": "error", "code": null, "path": "Demo_FTProofsheet_Client.dmg", "message": "b'hdiutil: attach failed - no mountable file systems\\n'", "docUrl": null, "architecture": null}]}
    11/14/18 11:03:58 AM b'hdiutil: attach failed - no mountable file systems\n' in Demo_FTProofsheet_Client.dmg

  19. Jerry F

    Nov 26 Pre-Release Testers, Xojo Pro Florissant MO USA
    Edited 4 months ago

    I stepped away from this problem for awhile. As it happens, I wiped and restored my system in the meantime. That's a long story that had to do with Time Machine weirdness. Using the AppWrapper Beta, I notarized a .dmg installer (having, again, only succeeded with .pkg before) quite nicely.

    While I am not sure, it is possible that my problem before was that DMG Canvas was saving its .dmg file to my desktop, which syncs with iCloud Drive. I learned a long time ago not to code sign an app bundle living in iCloud (or DropBox), because of the weird things happening underneath. It had never bothered the code signing within DMG Canvas itself, but may have here, and this time I made sure of the file's location. I believe this hypothesis is more likely than somehow magically fixing something in my system wipe.

    Once again, because of the restore, I had to do "sudo xcode-select --switch (path to Xcode)" before it would work. And this time, I know that Xcode had been open and run previously.

  20. 3 months ago

    Gavin S

    Dec 10 Pre-Release Testers, Xojo Pro UK

    Hey Sam, the 3.9 beta has now expired. Just wondering if there was an update yet that I missed?

  21. Newer ›

or Sign Up to reply!