CodeSign/Notarize Service app

  1. last week

    James M

    Aug 12 Pre-Release Testers, Xojo Pro

    Hi...

    I am trying to figure out how to codesign and notarize my Service app... Has anyone managed to do this?

    I am able to notarize desktop apps both with App Wrapper and via the terminal.... but Service apps are not bundled the same way.

    Thanks...

  2. Jürg O

    Aug 12 Pre-Release Testers, Xojo Pro

    @James Meyer I am trying to figure out how to codesign and notarize my Service app...

    I guess you got the "notarization error" that the service/console application is not codesigned?

    @James Meyer Has anyone managed to do this?

    We codesign our macOS Service/Console Applications via Script/Terminal like this (pseudo-code - I hope you get the idea):

    #CodeSign dylib's
    codesign --timestamp -f -s "${Codesign_Identity}" "/path/to/serviceapp/serviceapp Libs/"*.dylib
    #CodeSign ConsoleApp
    codesign --timestamp -f --options runtime --entitlements "/path/to/entitlements.plist" --deep -s "${Codesign_Identity}" -i com.company.serviceappbundleidentifier "/path/to/serviceapp/serviceappexecutable"

    Since the console/service app has no "Info.plist" (such as a Desktop.app), you need to specify the "Bundle Identifier" yourself via "-i".

    Note: In our case, the console app is bundled inside a desktop.app
    As a next step, the Desktop.app is codesigned/notarized "as usual".

  3. James M

    Aug 12 Pre-Release Testers, Xojo Pro

    Thanks.... this helps... I was not including the "-i" parameter for the service codesign... but it looks like I still have some issues to work out with my dmg.

  4. James M

    Aug 12 Pre-Release Testers, Xojo Pro

    I still am having problems..... I think I have properly code signed my service app along with all the libs…..

    If I enter:
    codesign -dv --verbose=4 <path/to/my/service>
    I get:

    Executable=/Users/jimmeyer/Desktop/SMS/SMS
    Identifier=com.varsitysystems.sms
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20500 size=134000 flags=0x10000(runtime) hashes=4180+3 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha1=<removed>
    CandidateCDHash sha256=<removed>
    Hash choices=sha1,sha256
    Page size=4096
    CDHash=<removed>
    Signature size=9071
    Authority=Developer ID Application: Varsity Systems, LLC (<removed>)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Aug 12, 2019 at 12:49:09 PM
    Info.plist=not bound
    TeamIdentifier=<removed>
    Runtime Version=10.14.0
    Sealed Resources=none
    Internal requirements count=1 size=196

    … and I get essentially the same if I verify all the libs.

    That executable launches with no problems.

    So now I create a dmg from the folder containing the executable, resources and libs using Disk Utility….

    If I mount that dmg the executable works fine and the codesign still verifies just like the original.

    Now I sign the dmg using:

    codesign -o runtime -s "Developer ID Application: Varsity Systems, LLC (<removed>)" <path/to/dmg>

    If I mount that dmg the executable runs fine…. and its codesign also verifies just like above.

    If I try to notarize the dmg using:

    xcrun altool --notarize-app --primary-bundle-id "com.varsitysystems.sms" --username "<removed>" --password "<removed>" --file <path/to/dmg/file>

    I get an error which includes in part:
    "Archive contains critical validation errors",
    "path": "SMS.dmg/SMS",
    "message": "The signature of the binary is invalid.",

    I have also tried to Notarize the dmg without codesigning it first…. but get the same error.

    Any idea what I am doing wrong?

    Thanks.

  5. 7 days ago

    Jürg O

    Aug 12 Pre-Release Testers, Xojo Pro

    @James M "path": "SMS.dmg/SMS",
    "message": "The signature of the binary is invalid."

    What do you have in the .dmg? A folder "SMS", which just contains the Xojo-built service/console application?
    To me it seems that the Notarization/Validation is looking for an ".app bundle", which this obviously isn't (if my assumption is correct)...

    Then this is really a good question: How to notarize "just a console/service app" (which is not bundled inside an .app or .pkg)?

    One thing I'd try is to codesign the whole folder "SMS" as the last codesign step. So that it gets a signature of what's all inside the folder. Then create the .dmg, sign that one too, and send it to notary service.

    Hmm... what else could be similar? Maybe @ChristianSchmitz will tell us how he's notarizing his Plugin-Downloads (which aren't an ".app")? I seem to remember he's mentioned doing that now.

    So apart from "bundle it within an .app", another option would be to provide a .pkg. A .pkg installer can include the ConsoleApp and install it to some predefined location. You'd then still need to sign the console app, package it to the .pkg, and finally codesign/notarize the .pkg you're going to distribute.

    I'm still curious to know if there is a way to codesign/notarize "just a standalone console/service app" (which the user downloads as a "Folder inside a .dmg", and can move it wherever they want it to be). I wouldn't be surprised if that's not possible. But I'd be more happy to be proven wrong ;)

  6. James M

    Aug 12 Pre-Release Testers, Xojo Pro

    @Jürg O What do you have in the .dmg? A folder "SMS", which just contains the Xojo-built service/console application?

    Yes... The SMS folder includes the executable along with a "Resources" and "<executable> Libs" sub-folder.

    I will explore adding another folder on top of it all and see if it makes a difference.... But also, see my next post.

  7. James M

    Aug 12 Pre-Release Testers, Xojo Pro

    I got my Service app to Notarize using a zip...(still unable to get dmg to work). This is what I did in a Terminal window.... where <path> is the path to the Build folder that contains the executable along with the "Resources" and "<executable> Libs" sub-folders.

    1: xattr -cr <path>

    This removes any Finder Info or Resource forks from all the files in the <path>.

    2: codesign --timestamp -f -s "Developer ID Application: <your name> (<your id>)" "<path>/<executable name> Libs/"*.dylib

    Codesigns the .dylibs in Lib sub-folder. Also look for other files in that sub-folder which do not have a dylib extension... and run this command on them specifically.

    3: codesign --timestamp -f -o runtime --deep -s "Developer ID Application: <your name> (<your id>)" -i <Your app Bundle Identifier> "<path>/<executable name>"

    Codesigns the executable itself. You should now have a new sub-folder called "_CodeSignature"... leave it in the folder.

    4: Zip the build folder.

    5: xcrun altool --notarize-app --primary-bundle-id "<Bundle Identifier>" --username "<your user name/email>" --password "<your password>" --file <path to the zip file>

    After the zip uploads to Apple... which can take a minute or so... you should get back something like:
    2019-08-12 16:35:54.462 altool[14881:2220844] No errors uploading '<path to zip>'.
    RequestUUID = 76170fe4-fd84-40c6-8f0d-f45c6defe921

    Once Apple has completed the Notarization you will get an email indicating if it passed or not... If not, you can get an error log by entering:

    xcrun altool --notarization-info <RequestUUID from above> -u "<your user name/email>" --password "<your password>"

    This will give you a big long URL which you can paste into your browser and obtain the log.
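
A pre-flight check for the signing steps above, as an added example that is not part of the thread: it reads `codesign -dv --verbose=4` output and reports whether the identifier, hardened runtime flag, secure timestamp and Developer ID authority that notarization expects are present. The sample outputs, the identifier `com.example.sms` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks `codesign -dv --verbose=4` output for what notarization
# expects of a binary: Developer ID signature, hardened runtime, secure timestamp.

# usage: codesign -dv --verbose=4 FILE 2>&1 | preflight_check EXPECTED_IDENTIFIER
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
preflight_check() {
    expected_id=$1
    out=$(cat)
    rc=0
    # has GREP_FLAGS PATTERN: true if a line of the report matches.
    has() { printf '%s\n' "$out" | grep -"$1" -- "$2" >/dev/null; }
    has Fx "Identifier=$expected_id" ||
        { echo "identifier is not $expected_id (was -i passed?)"; rc=1; }
    has E '^CodeDirectory .*flags=[^ ]*runtime' ||
        { echo "hardened runtime flag missing (sign with -o runtime)"; rc=1; }
    has E '^Timestamp=' ||
        { echo "no secure timestamp (sign with --timestamp)"; rc=1; }
    has E '^Authority=Developer ID Application: ' ||
        { echo "not signed with a Developer ID Application certificate"; rc=1; }
    return $rc
}

# Constructed sample modelled on the output quoted in the thread
# (placeholder identifier and team values).
sample_signed() {
    cat <<'EOF'
Identifier=com.example.sms
CodeDirectory v=20500 size=134000 flags=0x10000(runtime) hashes=4180+3 location=embedded
Authority=Developer ID Application: Example Co (TEAMID0000)
Authority=Developer ID Certification Authority
Timestamp=Aug 12, 2019 at 12:49:09 PM
EOF
}

# Constructed sample: signed without -i, -o runtime and --timestamp.
sample_incomplete() {
    cat <<'EOF'
Identifier=SMS
CodeDirectory v=20400 size=133000 flags=0x0(none) hashes=4180+3 location=embedded
Authority=Developer ID Application: Example Co (TEAMID0000)
Signed Time=Aug 12, 2019 at 12:40:00 PM
EOF
}

# Demo on the constructed samples; the second one lists three problems.
sample_signed | preflight_check com.example.sms && echo "signed sample: ok"
sample_incomplete | preflight_check com.example.sms || true
```

On a Mac, feed it real output with `codesign -dv --verbose=4 <file> 2>&1 | preflight_check <identifier>` for the executable and each library; `codesign` writes this report to stderr, hence the `2>&1`.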
