App Wrapper 3.9 Beta 4, now with Hardened Runtime & Notarization

Ladies and Gentlemen;
Beta 4 of App Wrapper now includes the newly required “Hardened Runtime” option (which requires macOS 10.13.6 or newer) and Notarization (which also requires macOS 10.13.6 and Xcode 10).

How to use:
Run App Wrapper on 10.13.6 (or newer) with Xcode 10 installed, and there’s a new option under the Code signature selector “Hardened runtime”, make sure this is checked (although please test your application thoroughly after enabling this option as it applies new restrictions to the app).

Once your application is wrapped, there is a new “Notarize” button in the wrapping window, click this button and your packages will be imported into the Notarizer window. From here you select an Apple Developer account (you may need to add your information first) and then click on “Submit”.

App Wrapper will then upload the packages and check for analysis results automatically. It will display some errors in the window and also confirmation of completion. If you click the action icon in the list, you can view the log, which will reveal more detailed information.

It will automatically Notarize multiple packages (if you ship a DMG and installer package per se). While the uploads are synchronous (Apple don’t seem to like multiple uploads at the same time), other functions are asynchronous. In fact, once it’s completed uploading, you can even let the machine go to sleep and come back and check the status later.

It also supports manually adding of packages; so if you code sign yourself, but would like to use App Wrapper for Notarization, simply drag the packages in and set the version number & bundle identifier.

This version of App Wrapper has been hardened and notarized by itself.

Please let me know how you get on and what issues you encounter, if you encounter any.

Thank you for adding this to AppWrapper. Unfortunately this does not work for me.

I am signing my app with “Packaging=None”. After the wrapping process, I usually use the macOS DiskUtility to create an unsigned but compressed dmg to deliver my app. This worked fine and I did not see any advantage to sign the dmg too.

Back to AppWrapper: After successfully wrapping my app, the click on “Notarize” brings this window:

How can I notarize my app now?

PS: A small bug: If you add an account that is already in the list, a keychain error occurs.

Sorry I didn’t explain how to manually add a package; drag your DMG or PKG into the Notarizer window.

I haven’t tried it with an unsigned DMG, so let me know how that goes :slight_smile:

You are aware it is mandatory to sign the .dmg too for macOS 10.13 and higher?

I’ve been thinking about this; and probably what I’ll do is adapt the manual submission function to include codesigning at that stage, it will save an extra step, and simplifies the process for people who use other packing tools than those included in App Wrapper.

No luck when notarizing an unsigned .dmg or the app itself.

OK, but until now it worked for me without signing. Even on High Sierra and the current Mojave. I never had customer complaints about that. Do you know if there were any restrictions with an unsigned .dmg?

That would be really great! Otherwise I have to use .dmg canvas. I think there are too many steps to create and sign the .dmg by hand.

Notarization currently only supports DMG or PKG, so I am not surprised a .app doesn’t work.

In App Wrapper, under the tools menu, there is a DMG signer option already; but what I propose will save you that step in the future :slight_smile:

Great, my .dmg is now notarized. It worked with the included .dmg signer from AppWrapper and took about 4 minutes to finish. – No errors. :slight_smile:

Excellent news :slight_smile:

For uploads, need to provide an app specific password. Does that mean one needs to use Apple’s methodology for initial upload and set up before using this function in AppWrapper?

In the tests that I’ve done; I’ve not set any specific passwords per application. And only used my code to upload.

This is the log error I get when I try. This is after signing and hardening the app, then creating/signing the dmg with DMG Canvas. This is on 10.14.1 with Xcode 10.1. Command line utilities are installed (at least Homebrew is happy), so I don’t know what I’m missing.

11/12/18 5:12:02 PM StatusChanged: Ready to submit to Apple.
11/12/18 5:12:07 PM StatusChanged: Queued for upload.
11/12/18 5:12:07 PM StatusChanged: Uploading 11.1 MB to Apple…
11/12/18 5:12:07 PM xcrun: error: unable to find utility “altool”, not a developer tool or in PATH

11/12/18 5:12:07 PM Unable to convert the upload response into a dictionary
11/12/18 5:12:07 PM StatusChanged: Unable to process the result, please see the log

Never mind— sudo xcode-select --switch /Applications/ fixed it :slight_smile:

Interesting; thanks for the information. Had you actually opened Xcode 10.1?

I had to also do that when I did my first Stamping about 2 weeks ago.

So his case is definitely not a one-off case.

Yes, I had opened Xcode some time before; it always does the “installing additional components” thing when I first do so. There is a chance I’m thinking of 10.0, and not 10.1.

I did have to go to the Apple dev site, to create an application-specific password, for this to work, unlike (if I understand correctly) Sam’s case. Also, at this moment I can only notarize .pkg files, as opposed to my customary .dmg. When I try with .dmg I get a “no mountable filesystems” error at the end of the process. I am using DMG Canvas, both separately and with AppWrapper integration; the template is set to default HFS+ case-insensitive. I can send the log if that would help.

Interesting; I’ll look into it ASAP.

hmmm… I wonder what causes this; both App Wrapper and the other application are NOT on the App Store and I created a sample application specifically for testing this process and specifically didn’t configure anything with Apple beforehand. To basically see if I needed to complete this step or not; especially as the limited documentation didn’t make it clear if setting an app password was required or not.

You did sign it with a code signature that’s registered to your Apple Developer account?

Yes, please. I want to keep this process as simple as possible. Maybe you can also give me a link to download your DMG so I can compare that with the App Wrapper DMG (which was accepted by Apple). Did you create the DMG on 10.14?

The DMG was created on 10.14.1. My Apple Certificates are in order, per the Codesign Diagnostics in AppWrapper. What I believe to be the relevant part of the log is here:

11/14/18 11:02:58 AM <?xml version="1.0" encoding="UTF-8"?>

notarization-info Date 2018-11-14T17:01:19Z RequestUUID dfeecfa4-72eb-424a-8fdd-cb3c200a1239 Status in progress Status Code 2 Status Message Package Invalid os-version 10.14.1 success-message No errors getting notarization info. tool-path /Applications/ tool-version 1.1.1138

11/14/18 11:02:58 AM StatusChanged: Analysis still in progress
11/14/18 11:03:56 AM StatusChanged: Checking with Apple for analysis results…
11/14/18 11:03:57 AM <?xml version="1.0" encoding="UTF-8"?>

notarization-info Date 2018-11-14T17:01:19Z LogFileURL RequestUUID dfeecfa4-72eb-424a-8fdd-cb3c200a1239 Status invalid Status Code 2 Status Message Package Invalid os-version 10.14.1 success-message No errors getting notarization info. tool-path /Applications/ tool-version 1.1.1138

11/14/18 11:03:57 AM Has a remote log, requesting that now
11/14/18 11:03:57 AM StatusChanged: Package Invalid retrieving the remote log…
11/14/18 11:03:58 AM Remote Log: {“logFormatVersion”: 1, “jobId”: “dfeecfa4-72eb-424a-8fdd-cb3c200a1239”, “status”: “Invalid”, “statusSummary”: “Archive contains critical validation errors”, “statusCode”: 4000, “archiveFilename”: “Demo_FTProofsheet_Client.dmg”, “uploadDate”: “2018-11-14T17:01:19Z”, “sha256”: “39c38c87a8ed922f9359a404684c36535f3e14f5952a497dea06d05f00a32f2c”, “ticketContents”: null, “issues”: [{“severity”: “error”, “code”: null, “path”: “Demo_FTProofsheet_Client.dmg”, “message”: “b’hdiutil: attach failed - no mountable file systems\
'”, “docUrl”: null, “architecture”: null}]}
11/14/18 11:03:58 AM b’hdiutil: attach failed - no mountable file systems
’ in Demo_FTProofsheet_Client.dmg
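
An added example, not part of the original posts and not App Wrapper's code: a small Python release gate that reads a notarization remote log like the one above, unwraps the `b'...'` byte-string wrapper that leaked into the issue message, and refuses to pass unless the job was accepted with no error-severity issues. The sample log is constructed from the post (straight quotes, trimmed fields), and the success value `Accepted` does not appear in this thread; it is assumed from Apple's log format.

```python
import ast
import json

# Constructed sample: the remote log quoted in the post, with straight quotes
# and only the fields this check reads.
SAMPLE_LOG = r'''{"logFormatVersion": 1,
 "jobId": "dfeecfa4-72eb-424a-8fdd-cb3c200a1239",
 "status": "Invalid",
 "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000,
 "archiveFilename": "Demo_FTProofsheet_Client.dmg",
 "issues": [{"severity": "error", "code": null,
             "path": "Demo_FTProofsheet_Client.dmg",
             "message": "b'hdiutil: attach failed - no mountable file systems\\n'",
             "docUrl": null, "architecture": null}]}'''


def clean_message(msg):
    """Unwrap a Python bytes repr (b'...') that leaked into an issue message."""
    text = msg.strip()
    if text[:2] in ("b'", 'b"'):
        try:
            value = ast.literal_eval(text)  # evaluates literals only, never code
        except (ValueError, SyntaxError):
            value = None
        if isinstance(value, bytes):
            text = value.decode("utf-8", "replace")
    return text.strip()


def triage(log_text):
    """Return (ok, summary, findings) for one notarization log.

    ok is True only when status is "Accepted" (assumed success value) and
    no issue has severity "error"; anything else should block the release.
    """
    log = json.loads(log_text)
    findings = [
        {"severity": issue.get("severity"),
         "path": issue.get("path"),
         "message": clean_message(issue.get("message") or "")}
        for issue in (log.get("issues") or [])  # "issues" may be null
    ]
    errors = [f for f in findings if f["severity"] == "error"]
    ok = log.get("status") == "Accepted" and not errors
    return ok, log.get("statusSummary"), findings


if __name__ == "__main__":
    ok, summary, findings = triage(SAMPLE_LOG)
    print("PASS" if ok else "BLOCK", "-", summary)
    for f in findings:
        print(f"  [{f['severity']}] {f['path']}: {f['message']}")
```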

I stepped away from this problem for awhile. As it happens, I wiped and restored my system in the meantime. That’s a long story that had to do with Time Machine weirdness. Using the AppWrapper Beta, I notarized a .dmg installer (having, again, only succeeded with .pkg before) quite nicely.

While I am not sure, it is possible that my problem before was that DMG Canvas was saving its .dmg file to my desktop, which syncs with iCloud Drive. I learned a long time ago not to code sign an app bundle living in iCloud (or DropBox), because of the weird things happening underneath. It had never bothered the code signing within DMG Canvas itself, but may have here, and this time I made sure of the file’s location. I believe this hypothesis is more likely than somehow magically fixing something in my system wipe.

Once again, because of the restore, I had to do “sudo xcode-select --switch (path to Xcode)” before it would work. And this time, I know that Xcode had been open and run previously.

Hey Sam, the 3.9 beta has now expired. Just wondering if there was an update yet that I missed?