FYI: Notarizing Your App Before Distribution (macOS 10.14.5 and beyond)

  2. 2 weeks ago

    Beatrix W

    Apr 11 Pre-Release Testers Europe (Germany)

    @Sam Rowlands: you are doing something wrong :-) . My favourite application besides Xojo is unsigned and runs fine on Mojave.

    However, I still get occasional reports about my app being in Translocation mode and the app asking every time if it should be opened.

  3. Michel B

    Apr 12 Pre-Release Testers RubberViews.com

    Sam, I have a question related to App Wrapper : it offers to notarize the app itself, while DMG Signer does not.

    Confused...

  4. Christoph D

    Apr 12 Pre-Release Testers, Xojo Pro

    @Michel B Sam, I have a question related to App Wrapper : it offers to notarize the app itself, while DMG Signer does not.

    Confused...

    With Appwrapper you need to do two steps:

    • Codesign your app with the Notarize option enabled.
    • Create your .dmg file (with above codesigned app) and drop it into the DMG signer of Appwrapper. This will upload it to the Apple server to notarize it. This sometimes can take a long time, so be patient.

    @Sam - you need to add .zip support for the DMG signer module in Appwrapper. ;-)

  5. Christoph D

    Apr 12 Pre-Release Testers, Xojo Pro
    Edited 2 weeks ago

    Important side note:

    What if you want to distribute your app with a .dmg and .zip (for example with an updater tool like Kagi)?
    In that case you need to notarize the dmg and zip separately.
    Basically, this would mean the same app has 2 notarized approved release IDs. That may trigger an issue when macOS verifies the app on their server.

  6. Thom M

    Apr 12 Pre-Release Testers Greater Hartford Area, CT

    @Christoph D Vocht Important side note:

    What if you want to distribute your app with a .dmg and .zip (for example with an updater tool like Kagi)?
    In that case you need to notarize the dmg and zip separately.
    Basically, this would mean the same app has 2 notarized approved release IDs. That may trigger an issue when macOS verifies the app on their server.

    It won’t. Notarization does not replace previous results.

  7. Kevin G

    Apr 12 Pre-Release Testers, Xojo Pro Gatesheed, England

    I performed some basic tests earlier this week using terminal and here are my findings (so far):
    1. 64 Bit apps built with Xojo 2017r3 seem okay.
    The apps contained MBS plugins v18.1, Einhugur plugins from 2018 and various other plugins.

    2. I could notarize code signed apps that were submitted in a zip and code signed apps in a code signed dmg

    3. Stapling
    a) Zip Files
    You don't staple zip files. You actually staple the applications that you put into the zip files. Stapling an application seemed to add a CodeResources file into the package contents folder. I think you would then add the stapled apps to a new zip file for deployment (if that is even possible these days).

    b) dmg Files
    Stapling didn't seem to add the CodeResource files into the application package. My guess is that it is modifying some kind of header in the DMG itself.

    What I haven't been able to determine is if it is safe to put notarized apps into a disk image that is code signed but not notarized. One reason to do this would be if your disk image also contained a lot of content. Sending GBs of data to Apple for the sake of 100MB of executable code seems very inefficient. My gut feeling is this won't be allowed and GateKeeper will complain at the point of mounting a non-notarized disk image. This possibly means that apps will have to download their content on first run.
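The zip route described in the post above (sign, upload a zip, staple the app, re-zip), sketched as an added example that is not from any poster in this thread. It assumes the Xcode 10-era `altool`, and `MyApp.app`, `com.example.myapp`, `dev@example.com` and the keychain item name `AC_PASSWORD` are placeholders.

```shell
#!/bin/sh
# Added example: notarize-and-staple flow for an app shipped as a zip.
# APP, BUNDLE_ID, APPLE_ID and the keychain item AC_PASSWORD are placeholders.
APP="${APP:-MyApp.app}"
BUNDLE_ID="${BUNDLE_ID:-com.example.myapp}"
APPLE_ID="${APPLE_ID:-dev@example.com}"
UPLOAD_ZIP="${APP%.app}-upload.zip"   # container sent to Apple, never shipped
RELEASE_ZIP="${APP%.app}.zip"         # archive built from the stapled app

# With DRY_RUN=1 each command is printed instead of executed.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

submit_for_notarization() {
  # The app must already carry a valid Developer ID signature.
  run codesign --verify --deep --strict --verbose=2 "$APP" || return 1
  # A zip cannot be stapled, so this archive is only the upload container.
  run ditto -c -k --keepParent "$APP" "$UPLOAD_ZIP" || return 1
  # On success altool prints a RequestUUID for the status query below.
  run xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
    --username "$APPLE_ID" --password "@keychain:AC_PASSWORD" \
    --file "$UPLOAD_ZIP"
}

check_status() {  # $1 = RequestUUID printed by the submit step
  run xcrun altool --notarization-info "$1" \
    --username "$APPLE_ID" --password "@keychain:AC_PASSWORD"
}

staple_and_package() {
  # Attach the ticket to the .app bundle, then confirm it is present.
  run xcrun stapler staple "$APP" || return 1
  run xcrun stapler validate "$APP" || return 1
  # Ask Gatekeeper how it would assess the app at launch.
  run spctl --assess --type execute -vv "$APP" || return 1
  # Build the zip that is actually distributed from the stapled app.
  run ditto -c -k --keepParent "$APP" "$RELEASE_ZIP"
}

# Usage: ./notarize.sh submit_for_notarization
#        ./notarize.sh check_status <RequestUUID>
#        ./notarize.sh staple_and_package
if [ "$#" -gt 0 ]; then "$@"; fi
```

Running it with `DRY_RUN=1` prints the command sequence without contacting Apple, which is a quick way to review what a build script will submit.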

  8. @Thom M On the other hand, those currently distributing as a zip will need to switch to DMG.

    For now, I create .dmg files that will be zipped before uploading to the web site.

    This probably will result in the zip process being omitted and only the unzipped .dmg file being offered on the web site?

  9. Thom M

    Apr 12 Pre-Release Testers Greater Hartford Area, CT

    @Detlef K For now, I create .dmg files that will be zipped before uploading to the web site.

    While it looks like I was wrong about needing to switch to dmg, I have to ask, why are you compressing the dmg? They’re already compressed, there is nothing to be gained by doing that.

  10. Sam R

    Apr 12 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan
    Edited 2 weeks ago

    @Beatrix W @Sam Rowlands: you are doing something wrong :-) . My favourite application besides Xojo is unsigned and runs fine on Mojave.

    That's good to know; I guess I'll have to purge 10.14 from it and re-install.

    @Christoph D Vocht What if you want to distribute your app with a .dmg and .zip (for example with an updater tool like Kagi)?
    In that case you need to notarize the dmg and zip separately.

    Firstly, I would recommend considering the Apple installer as part of the update process. It adheres to Apple's current security underpants and has the added advantage that it WILL replace your application wherever it is on the hard disk.

    Secondly; from my understanding of the documentation, stapling is not actually required. When a Notarized application is launched, the macOS phones home to check the security of the application. What stapling does is attaches a sorta security badge (on top of all the other security protocols applied), which is used in that moment. The macOS will still phone home, it just doesn't prevent you from launching the application until it's gotten a response.

    Now; the biggest problem with Notarization, is not that Apple doesn't trust us 3rd Party developers, nor that they look at the byte code of your application to determine what it's doing, it's the "Hardened Runtime". This applies a far stricter set of security rules to the application, that has already caused some developers to have to remove features from their apps. So PLEASE PLEASE make sure you thoroughly test your application once it's been code signed.

    p.s. You probably want to make sure that you don't have any function names that Apple might take offense to, I know of one developer who got into trouble because Apple didn't like his function names and thought he was doing something suspicious.

  11. Christoph D

    Apr 12 Pre-Release Testers, Xojo Pro

    @Christoph D Vocht With Appwrapper you need to do two steps:

    • Codesign your app with the Notarize option enabled.
    • Create your .dmg file (with above codesigned app) and drop it into the DMG signer of Appwrapper. This will upload it to the Apple server to notarize it. This sometimes can take a long time, so be patient.

    @Sam - you need to add .zip support for the DMG signer module in Appwrapper. ;-)

    I made a mistake with the DMG Signer of AppWrapper. I meant the Notarize interface instead. Sorry about the confusion.

  12. 4 days ago

    Richard G

    Apr 21 Pre-Release Testers Atlanta, GA

    I'm reading through this, and wondering, I'm within a week or two of releasing an update to my app. I sandbox for the MAS and I add the Gatekeeper stuff for non-MAS sales. I use Sam's AppWrapper and it works well for me. So, today, what do I need to do to notarize my app if I choose to? That bit is confusing me.

    Thanks, Richard

  13. Christian S

    Apr 21 Pre-Release Testers, Xojo Pro, XDC Speakers Germany

    see my blog article:
    https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS

    I just run the command line from point 6 and then later the step 8 for my app.
    You need to use your own bundle identifier and login of course.

  14. Gavin S

    Apr 21 Pre-Release Testers, Xojo Pro UK

    @Richard G I'm reading through this, and wondering, I'm within a week or two of releasing an update to my app. I sandbox for the MAS and I add the Gatekeeper stuff for non-MAS sales. I use Sam's AppWrapper and it works well for me. So, today, what do I need to do to notarize my app if I choose to? That bit is confusing me.

    Not much more to do, assuming you're on the latest version of AppWrapper. You're already successfully signing the app with your Developer ID using AppWrapper. To notarize, just wrap as normal and hit the Notarize button that appears when wrapping is done. AppWrapper will send your app off and check on the result, which is also emailed to you. It only takes 2 or 3 minutes.

    There's no reason to wait until launch day to try it either, it's an automated process at Apple's end, not a review, so you can resubmit builds to be notarized as you see fit.


  15. Richard G

    Apr 21 Pre-Release Testers Atlanta, GA

    Thanks Gavin,

    I have an active support plan and on v3.8.8, it shows no updates available but I don't see the notarize button. I'll reach out to Sam when I have time. Appreciate the response.

    Thanks, Richard

  16. Gavin S

    Apr 21 Pre-Release Testers, Xojo Pro UK

    @Richard G Thanks Gavin,

    I have an active support plan and on v3.8.8, it shows no updates available but I don't see the notarize button. I'll reach out to Sam when I have time. Appreciate the response.

    There was a beta of AppWrapper 3.9 but the download link seems to be no longer active. I'm sure Sam can help you out (although I know that he's nearing the end of a project with only a few days to go).

    https://forum.xojo.com/50953-app-wrapper-3-9-beta-4-now-with-hardened-runtime-notarization/0

  17. @Thom M While it looks like I was wrong about needing to switch to dmg, I have to ask, why are you compressing the dmg? They’re already compressed, there is nothing to be gained by doing that.

    Nice question, thanks for the reply. I've checked the files, but when I compare the .dmg and its zipped counterpart, most of my Xojo compiled projects wrapped into a .dmg file become much smaller when zipped, probably 'cause they contain a large number of graphical files.

  18. 3 days ago

    Beatrix W

    Apr 21 Pre-Release Testers Europe (Germany)

    @Detlef Kahner:
    a) you should make your graphics as small as possible anyways. https://imageoptim.com/mac or similar.
    b) dmg also has compression.

  19. Tim S

    Apr 22 Canterbury, UK

    @Detlef K Nice question, thanks for the reply. I've checked the files, but when I compare the .dmg and its zipped counterpart, most of my Xojo compiled projects wrapped into a .dmg file become much smaller when zipped, probably 'cause they contain a large number of graphical files.

    You may have the flag set that strips out the 32-bit libraries during wrapping.

  20. Tim S

    Apr 22 Canterbury, UK

    @Beatrix W @Detlef Kahner:
    a) you should make your graphics as small as possible anyways. https://imageoptim.com/mac or similar.
    b) dmg also has compression.

    I couldn't see a way in Disk Utility to get an HFS+ dmg along with compression. Not under High Sierra, anyway.

  21. Beatrix W

    Apr 22 Pre-Release Testers Europe (Germany)
    Edited 3 days ago

    @Tim Streater: in DropDMG there are several options for compression. Not sure how these translate into Disk Utility.

    -image-

    German translation: schneller = faster, am schnellsten = fastest, langsamer = slower, kleinere Datei = smaller file.
