I'm doing my first tests at notarization, thanks to many others on the forums who have provided help.
My first test is to notarize an app file, for distribution as .app.zip.
The procedure I'm using:
- code-sign the app (with --options runtime)
- zip it
- upload the zip file using xcrun altool for notarization
- (wait for notarization to finish)
- staple (note: I'm stapling the .app file, not the .zip file; this is different than DMG distribution, where you staple the DMG)
- zip the complete stapled .app file
- upload the .app.zip file to a webserver
- download on a different Mac and try to open
What's weird is that it works - but only sort of? I'm testing on Catalina dev beta 5. The zip file downloads and I can launch the app just fine (suggesting the code-signing with hardened runtime works) but I'm not seeing any evidence of notarization (I'm not seeing the "Apple has checked your software for malware" type messages).
For example, I'm NOT seeing anything like this:
Instead, what I see looks like the old behavior:
"MyApp.app" is an app downloaded from the internet. Are you sure you want to open it. Safari downloaded this file ... from mycompany.com." with the yellow Caution icon.
* If we are using .app.zip distribution, do we get the nicer "checked for malicious software" dialog? Or is that only seen with DMG?
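The procedure from the post above as a script, with two checks added after stapling (`stapler validate` and `spctl --assess`) that show whether the ticket is attached to the .app regardless of which dialog appears. This is an added example, not part of the original post; the signing identity, bundle ID, Apple ID, keychain item name and `upload.zip` are placeholders.

```shell
#!/bin/sh
# Added example: notarize an .app for .app.zip distribution (macOS tools).
# All values below are placeholders (assumptions), not taken from the post.
APP="${APP:-MyApp.app}"
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"
BUNDLE_ID="${BUNDLE_ID:-com.example.myapp}"
AC_USER="${AC_USER:-dev@example.com}"
AC_PASS="${AC_PASS:-@keychain:AC_PASSWORD}"   # keychain item, not a literal password
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-2: sign with the hardened runtime, then zip for upload.
# ditto --keepParent keeps the bundle directory itself inside the archive.
sign_and_zip() {
  run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$APP" &&
  run ditto -c -k --keepParent "$APP" upload.zip
}

# Step 3: upload the zip; altool prints a RequestUUID on success.
submit() {
  run xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
    --username "$AC_USER" --password "$AC_PASS" --file upload.zip
}

# Step 4: poll until the status for the given RequestUUID is "success".
check_status() {
  run xcrun altool --notarization-info "$1" \
    --username "$AC_USER" --password "$AC_PASS"
}

# Steps 5-6: staple the .app (not the zip), verify, then build the
# distribution zip from the stapled bundle.
staple_and_verify() {
  run xcrun stapler staple "$APP" &&
  run xcrun stapler validate "$APP" &&           # fails if no ticket is attached
  run spctl --assess --type execute -vv "$APP" && # Gatekeeper's assessment of the app
  run ditto -c -k --keepParent "$APP" "$APP.zip"
}
```

Source the file and call `sign_and_zip`, `submit`, `check_status <RequestUUID>` and `staple_and_verify` in that order, with `DRY_RUN=0` on the Mac that holds the signing identity. For a notarized app, `spctl` reports `source=Notarized Developer ID`.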