.dmg notarising and 'future' macOS

  1. ‹ Older
  2. 2 weeks ago
  3. Greg O

    Jun 9 Xojo Inc
    Edited 2 weeks ago

    @Christoph Dnbsp;Vocht Isn't 2019R1.1 using SDK 10.9? If I am not mistaken, you definitely need to use 2019R1.1 to make notarising work.

    No. We updated to the 10.14 SDK in 2018r4.

  4. Greg O

    Jun 9 Xojo Inc
    Edited 2 weeks ago

    @JonathanAshwell One is that the app isn't hardened. Is there a straightforward way to do this via the .plist?

    No. It’s done as a code signing step. You’ll need to add two options to your codesign call.

    ––timestamp ––options=runtime

    ...and fwiw, you need to do this on 10.13.6 or above.

  5. Norman P

    Jun 9 Pre-Release Testers, Xojo Pro www.great-white-software.com/b...
    Edited 2 weeks ago

    @Christoph Dnbsp;Vocht Isn't 2019R1.1 using SDK 10.9?

    No
    run

    otool -l 

    against a binary and you should find a load command like

    Load command 10
          cmd LC_VERSION_MIN_MACOSX
      cmdsize 16
      version 10.10
          sdk 10.14

    what this command tells you is the SDK version linked against (10.14) and the lowest deployment version supported (10.10)

  6. Christoph D

    Jun 9 Pre-Release Testers, Xojo Pro

    @JonathanAshwell One is that the app isn't hardened. Is there a straightforward way to do this via the .plist?

    If you follow the above steps, the app will be hardened and timestamps are added.

  7. Sam R

    Jun 9 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan
    Edited 2 weeks ago

    @JonathanAshwell Another is the lack of secure timestamp. I've read that XCode will add that for you. But of course we're not using that.

    When code signing you should already be using this; I seem to recall that Apple recent 'forced' this option on without the need for the option to be specified. However it could be they reversed this decision at some point.

    A quick test is to try code signing with no internet connection; no matter what I try I get a code signing failure because it can't connect to Apple (for the secure time stamps). It also means that you can't fiddle with your system clock, otherwise that causes failures and even fails to verify the code signature.

  8. Beatrix W

    Jun 9 Pre-Release Testers Europe (Germany)

    @Edwin Lau: which version of Valentina did you use for signing? If it's the current version did you inform the Valentina folks?

  9. Jonathan A

    Jun 10 Pre-Release Testers Maryland, USA

    @Beatrix W I think you mean me. I'm using Valentina 8.2.1. I posted an inquiry about the current version of Valentina on the Paradigmasoft forum.

  10. Jürg O

    Jun 11 Pre-Release Testers, Xojo Pro

    @Christoph Dnbsp;Vocht I tried everything but the notarised .dmg files keeps popping up the 'unidentified developer'. :-(
    It seems I have to switch to .pkg (which does work when it is notarised).
    Anyone else tried this?

    Same issue here.

    @Christoph Dnbsp;Vocht Christian Schmitz: Are you sure the beta 1 is not broken in this regard?
    That may be the case. Although I did download .dmg files that do not show this popup. It's an odd issue for sure.

    I wouldn't worry about it right now. Let's wait for (public) Beta 1/2/3.
    As a cross-check, I have just codesigned (not Notarized and stapled to the dmg). And surprise - you don't get the "unidentified developer", and (the not notarized app) runs just fine. So my guess is that they are still working on this "feature / restrictions-to-come".

  11. Travis H

    Jun 13 Pre-Release Testers, Xojo Pro

    @Christoph Dnbsp;Vocht Tested on a 'future' macOS version.

    When creating, codesigning and notarising a .dmg file always results in prompting 'Unidentified Developer' and you cannot open the .dmg (after you downloaded the .dmg file).

    I see the same thing. My older notarized signed DMGs work fine, but a newly-created notarized signed DMG refuses to mount on the beta. The newer DMGs mount if I delete the com.apple.quarantine attribute.

    I suggest reporting it via Apple's Feedback Assistant.

  12. last week

    Travis H

    Jun 18 Pre-Release Testers, Xojo Pro

    I'm still seeing the same behavior with beta 2.

  13. Christoph D

    Jun 18 Pre-Release Testers, Xojo Pro

    I did filed a feedback report which was closed with the reply : 'By design'. See other thread about this.

  14. 17 hours ago

    Christoph D

    17 hours ago Pre-Release Testers, Xojo Pro

    Still happens with macOS public beta 1 :/

    Not good.

  15. 16 hours ago

    Christoph D

    16 hours ago Pre-Release Testers, Xojo Pro

    Nice, just got my first mail from a customer who says my software cannot be launched because ... 'I am an unidentified developer'. Good job Apple, you are taking down my reputation as a developer. And I even payed you for this. :/

    I already have made a standard reply to answer those questions (that it is probably a beta issue). Nevertheless, this isn't very encouraging.

  16. 15 hours ago

    Beatrix W

    15 hours ago Pre-Release Testers Europe (Germany)

    How are other apps doing the notarization? DropDMG for instance starts fine on Catalina without the "unidentified developer" warning.

  17. 8 hours ago

    Sam R

    8 hours ago Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    Christophe; contact Apple Developer Support. Explain to them that you need to know what's changed because your Notarized application works fine on 10.4.5 but won't open on Catalina. Try to keep emotion out of your letter. Don't forget to tell them that your bug report was closed almost instantly with "By Design", don't forget to tell them that now they've released the public beta, you're getting e-mails from customers about this and you don't know what to do.

  18. 4 hours ago

    Christoph D

    4 hours ago Pre-Release Testers, Xojo Pro

    @Beatrix W How are other apps doing the notarization? DropDMG for instance starts fine on Catalina without the "unidentified developer" warning.

    Did you upload the dmg first? The message is not shown when you just create and notzarize the dmg file. You first need to download it.

    BTW I am using DMGCanvas.

  19. 3 hours ago

    Beatrix W

    3 hours ago Pre-Release Testers Europe (Germany)

    I downloaded the app from the internet. I used this app because I remember that the dev wrote about notarization.

  20. 2 hours ago

    Christoph D

    2 hours ago Pre-Release Testers, Xojo Pro

    @Beatrix W I downloaded the app from the internet. I used this app because I remember that the dev wrote about notarization.

    Did a quick test with DropDMG ... same issue.

    Did you create, codesigned and notarized the dmg running macOS 10.15 ?

  21. Beatrix W

    2 hours ago Pre-Release Testers Europe (Germany)

    Hu? That's odd. DropDMG isn't my product. For my own app I'm still wrestling with Catalina itself. There is now a version of Valentina that should work for hardening. As soon as this wonderful heatwave is a bit better and my brain is back to working I'm going to test notarization.

or Sign Up to reply!