Encrypted Zip notarize with App Wrapper?

I figured out how to notarize pkg installers and it now works smoothly, but now since I place these installers in an encrypted zip, I wondered if that could be notarized at all.

From what I understand, Apple needs to verify the content of the zip archive, so encryption probably defeats notarization, but one never knows…

Do you get the usual warning when you try to open your zip file after downloading? You are correct that the encryption can’t work with notarization. Or Apple would have a backdoor with the encryption. Have you tried to notarize your encrypted zip files just to see what happens?

In my experience .zip files that include an app are working fine without it showing any warning in macOS 10.15
So I don’t think you need to notarize .zip files.

[quote=456189:@Christoph De Vocht]In my experience .zip files that include an app are working fine without it showing any warning in macOS 10.15
So I don’t think you need to notarize .zip files.[/quote]

Actually, I have two cases:

  • encrypted zip file for the auto update system,
  • non-encrypted zip files for buy and download, containing the notarized dmg

At any rate, I have not yet figured out what was needed to notarize zip files with app wrapper. This dialog below makes little sense to me.

Version is pretty clear, but the two other fields I simply don’t understand.

Code signature Developer ID perhaps is the Apple ID?

As for Identifier, I am lost.

And of course, I don’t know which Receipt this is about.

The identifier is the bundle id of the app.

Ah, OK. Thank you Beatrix.

But I was wondering, do I need to notarize a zip archive containing a DMG which itself has been notarized? In effect, I am not packing the app itself, but the DMG.

The question is where you will get the scaremongering dialog. I’d guess the zip. You will have to test this yourself.

It can be your bundle id but it doesn’t have to be:

From:
Customizing the Notarization Workflow

If you select “DMG Canvas & Zip” in the packing options of App Wrapper, then on wrapping completion, click on “Notarize”, they will be Notarized for you, and so will the application, then you can create an encrypted zip from the wrapped application.

Regarding the manual Notarize process dialog.

  • Identifier can be whatever you want, you could even use “fluffy.sparkly.unicornPoop”. I am slowly working on extracting this and the version from DMG & PKG files (without having to extract the entire archive).
  • The codesignature field is an oversight, because you can’t code sign a Zip file, and it’s in its display state. For unsigned DMG files, it shows the standard signing identity selector, for signed DMGs it shows the signature.
  • Receipt is if you have one already, i.e. already started the process with another product and want to use App Wrapper to check with.

In the future I can add support to create encrypted zips if you’d like. I guess you’re using these as a way of confirming they came from you? If so I might suggest you look at using an Apple installer instead. There are several reasons as to why I’d recommend it.

  1. Apple installers are code signed, so checking the signature will confirm its authenticity.
  2. It will overwrite older versions of your program wherever they are.
  3. It works with the security on Catalina (famous last words as I bet the next beta will break it now).

AFAIK, there’s no need to Notarize an encrypted zip of a Notarized DMG file.

When you Notarize a Zip file, the actual Zip file isn’t Notarized, it’s simply used to deliver the app to Apple. Once App Wrapper gets a positive response, it then attaches the ticket directly to the application and creates a new zip file from there.
DMG and PKG can have the ticket stapled directly to themselves.

[quote=456283:@Sam Rowlands]In the future I can add support to create encrypted zips if you’d like. I guess you’re using these as a way of confirming they came from you? If so I might suggest you look at using an Apple installer instead. There are several reasons as to why I’d recommend it.

Apple installers are code signed, so checking the signature will confirm its authenticity.
It will overwrite older versions of your program wherever they are.
It works with the security on Catalina (famous last words as I bet the next beta will break it now).[/quote]

I use the encrypted zip actually to deliver the pkg installer coming from App Wrapper’s notarization. It is part of my app auto update system.

Thank you for your explanations and suggestions.

I was once told, if I have to explain anything to the customer, then I’ve failed as an app designer. So I obviously need to look at that dialog and think how to improve its usability.

I’m slowly getting the product ready to move over to version 4 with a radical new interface, but I may address this dialog a lot sooner.