10.14 Hardened Runtime and App Notarization

Apple today sent a mail to every developer: the next release will have this requirement.
It is (sadly) coming sooner.

[quote=410639:@Christoph De Vocht]Apple today sent a mail to every developer: the next release will have this requirement.
It is (sadly) coming sooner.[/quote]
The email just says “upcoming” which is very non-specific.

Sitting in the corner working away, with curse words leaking from one’s mouth… “Will I ever get this gorram app finished?”
He picks up the source code and throws it on the floor, standing up reaches for his smokes…

You realise @Sam Rowlands that if you crack this one, every Xojo licence will need your helper app to run. I already have AppWrapper and rely on it. AppWrapAndNotarise will be as essential as MBS.

Regards,
Tony Barry

I just managed to staple our Registrator app; it was not all that bad to get done, just a few console commands.

You get confirmation from the iTunes Store when it works, I guess:

Dear Björn,

Your Mac software (bundle identifier com.einhugur.registrator) has been notarized. You can now export this software and distribute it directly to users.

Absolutely lovely. How long does the xcrun stuff take to run?

We don’t ask Sam to handle App Store Submission.
This looks similar to me, bar the distributing via the App Store.

Took less than a minute once I had realised how. I guess it mostly depends on the size of the application and your upload link.

Here is how, if someone needs to know:

1. The Application and DMG were already signed using Sam’s excellent App Wrapper.

2. Make an App-Specific Password (yes, there is such a thing; I had never heard of it before). You make them at https://appleid.apple.com. Give it any name and it will generate a key for you.

3. Sign your App using Terminal (you need your bundle identifier here, your Apple ID and the App-Specific Password that you made in step 2):
xcrun altool -t osx -f /Users/bjorneiriksson/Desktop/Registrator_8_0_3_\(64bit\).dmg --primary-bundle-id com.einhugur.registrator --output-format xml --notarize-app --username --password

4. Staple the Application using Terminal:
xcrun stapler staple /Users/bjorneiriksson/Desktop/Registrator_8_0_3_\(64bit\).dmg

That gives you output like this if everything worked:

Processing: /Users/bjorneiriksson/Desktop/Registrator_8_0_3_(64bit).dmg
Processing: /Users/bjorneiriksson/Desktop/Registrator_8_0_3_(64bit).dmg
The staple and validate action worked!

Now, I did have a problem at first where altool was not connected correctly to my Dev tools.

If you have that problem, then you do this (you need to sudo this one):
sudo xcrun xcode-select -s /Applications/Xcode.app

You mean an “App-Specific Password” right?

Yes

Does all this apply to apps NOT “downloaded from the internet”?

If it does, would that mean it will cost some money even to write apps for informal in-house use!!! Is that the case? Heck, none of my apps are signed, never mind notarized… there is no need.

  • Karen

[quote=410652:@Karen Atkocius]Does all this apply to apps NOT “downloaded from the internet”?

If it does, would that mean it will cost some money even to write apps for informal in-house use!!! Is that the case? Heck, none of my apps are signed, never mind notarized… there is no need.

  • Karen[/quote]
    … sounds like: “personal” computer is dead - long live Apple’s computer!

“Note that in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple”

[quote=410645:@Björn Eiríksson]I just managed to staple our Registrator app; it was not all that bad to get done, just a few console commands.

You get confirmation from the iTunes Store when it works, I guess:

Dear Björn,

Your Mac software (bundle identifier com.einhugur.registrator) has been notarized. You can now export this software and distribute it directly to users.[/quote]

Does the app need to be sandboxed like for the AppStore?

[quote=410649:@Björn Eiríksson]Here is how, if someone needs to know:

1. The Application and DMG were already signed using Sam’s excellent App Wrapper.
[/quote]

I don’t think AppWrapper uses --options runtime, which is needed (I guess). Or am I wrong?

The method that Björn wrote is not working.
The reason is that AppWrapper does not use the --options runtime option, and this gives the iTunes log error:

Status: Invalid
Error #2 - Package Invalid
“The executable was not signed with the CS_RUNTIME option.”
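As an added example (not code from the thread, and not App Wrapper’s own code), here is the same procedure as a POSIX shell script that avoids the CS_RUNTIME error above: it signs with the hardened runtime, confirms the runtime flag with codesign, submits with altool, polls --notarization-info until the request settles, then staples and lets Gatekeeper assess the result. The signing identity, the file paths and the AC_USERNAME/AC_PASSWORD environment variables are assumptions; the tool output that the parsing helpers are checked against is constructed, not captured from Apple.

```shell
#!/bin/sh
# Added example, not code from the thread or from App Wrapper.
# Assumed (not in the thread): identity name, paths, and that the Apple ID and
# app-specific password are passed via AC_USERNAME / AC_PASSWORD rather than
# typed on the command line, where they would land in shell history and ps output.
set -u

APP="${APP:-/path/to/Registrator.app}"                                   # assumed path
DMG="${DMG:-/path/to/Registrator.dmg}"                                   # assumed path
BUNDLE_ID="${BUNDLE_ID:-com.einhugur.registrator}"
DEV_ID="${DEV_ID:-Developer ID Application: Example Corp (ABCDE12345)}"  # assumed identity

# ---- pure helpers: parse tool output, no network, safe to run anywhere ----

# Succeeds when `codesign -d --verbose` output carries the hardened-runtime flag,
# e.g. "flags=0x10000(runtime)". Without it the notarization log reports the
# CS_RUNTIME error quoted in the thread.
has_runtime_flag() {
    grep -Eq 'flags=0x[0-9a-fA-F]+\([^)]*runtime'
}

# Extracts the RequestUUID from the text output of `altool --notarize-app`
# (line of the form "RequestUUID = <uuid>").
extract_request_uuid() {
    awk '$1 == "RequestUUID" { print $3; exit }'
}

# Extracts the overall Status from `altool --notarization-info` output,
# ignoring the "Status Code:" and "Status Message:" lines.
notarization_status() {
    awk -F': *' '$1 ~ /^[ \t]*Status$/ { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# ---- real pipeline: needs Xcode tools and network; runs only if RUN_NOTARIZE=1 ----

sign_with_hardened_runtime() {
    # In a real bundle sign nested helpers/frameworks first (inside-out); the app
    # itself is shown here. --timestamp is required for notarization.
    codesign --force --timestamp --options runtime --sign "$DEV_ID" "$APP" || return 1
    # Verify the flag actually landed before spending an upload on it.
    codesign -d --verbose=2 "$APP" 2>&1 | has_runtime_flag ||
        { echo "hardened runtime flag missing on $APP" >&2; return 1; }
}

submit_and_wait() {
    uuid=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --username "$AC_USERNAME" --password "$AC_PASSWORD" \
        --file "$DMG" 2>&1 | extract_request_uuid)
    [ -n "$uuid" ] || { echo "no RequestUUID returned by altool" >&2; return 1; }
    while :; do
        status=$(xcrun altool --notarization-info "$uuid" \
            --username "$AC_USERNAME" --password "$AC_PASSWORD" 2>&1 | notarization_status)
        case "$status" in
            success) return 0 ;;
            "in progress"|"") sleep 30 ;;   # empty: request not yet visible, retry
            *) echo "notarization $status for $uuid; fetch the LogFileURL from" \
                    "--notarization-info to see the issues list" >&2; return 1 ;;
        esac
    done
}

staple_and_check() {
    xcrun stapler staple "$DMG" || return 1
    xcrun stapler validate "$DMG" || return 1
    # Gatekeeper's own verdict on the disk image, as a fresh download would get it.
    spctl --assess --type open --context context:primary-signature -vv "$DMG"
}

if [ "${RUN_NOTARIZE:-0}" = "1" ]; then
    sign_with_hardened_runtime && submit_and_wait && staple_and_check
fi
```

Run it with RUN_NOTARIZE=1 AC_USERNAME=... AC_PASSWORD=... on a Mac with Xcode selected; without that variable it only defines the functions, so the parsing helpers can be exercised on saved tool output. Polling with --notarization-info is what tells you why a submission was rejected: the LogFileURL it prints points at the JSON log that contains the CS_RUNTIME message.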

Has anybody tried submitting their signed apps for notarization (maybe in a zip file) and after they have been stapled, add them to a dmg which is signed but not notarised?
The reason I’m asking is that our final dmg could contain 1GB of data files and I would prefer not to upload a massive dmg just for Apple to verify a small part of it.

I tried .pkg and .zip - only .dmg seems to be accepted in my case.

I will wait until Sam adds ‘--options runtime’ to AppWrapper, because it is needed (see error above).

[quote=410652:@Karen Atkocius]Does all this apply to apps NOT “downloaded from the internet”?

If it does, would that mean it will cost some money even to write apps for informal in-house use!!! Is that the case? Heck, none of my apps are signed, never mind notarized… there is no need.

  • Karen[/quote]

In addition to in-house, what about us poor open-source developers? I’ve swallowed hard and kept funding my Xojo desktop license so I don’t have to try to rewrite my application in another language (13 years of inertia to overcome). I’ve never gotten into the Apple Developer program as I saw that as an unnecessary expense for what I was doing. Since I don’t get any donations, everything is on me.

If I’m reading this right, at some point in the not-too-distant future the walls to the walled garden will get even higher and a notarization will be mandatory for everything. Am I correct?

Open source/free software… don’t get me started. I HATE it; it has no added value whatsoever. It destroys the software market. No one should give software away for free, and there is absolutely no reason not to ask some money for your hard work.

In the meantime, I had luck uploading a .pkg but still get the runtime error.