FYI: Notarizing Your App Before Distribution (macOS 10.14.5 and beyond)

[quote=432290:@Paulo Vargas]Hello,

I know that the Apple notarization process will need to be done for all applications running on the Mac from now on. What I do not understand is what I need to do for this validation. I have never sent applications to the MAS; all my applications I personally install for my clients. My question is:

What do I have to do besides having a developer account at Apple? Will I have to put something in the Bundle Identifier or in the Package Info of my apps, or something like this? How will the apps I already have, and that are in Xojo, be validated?

I’m very confused by all this. Could someone give me some help, please?[/quote]

Basically what you will need to do is to codesign the binaries, package the installer (dmg, pkg or zip) and send it to the notarization service. After you are done, wait for the email to come to say that you can distribute the app and then issue the command to staple the notarization to the app.

This is my script template which I save as a .sh file so in the command line I just run it.

[quote]#!/bin/bash

# clear extended attributes (resource forks) that break codesign
cd "/Developed Apps/My App"
xattr -rc "My App.app"

# strip the 32-bit slice from the Xojo framework, then sign it
cd "/Developed Apps/My App/My App.app/Contents/Frameworks/XojoFramework.framework/Versions/A"
lipo -remove i386 XojoFramework -o XojoFramework

codesign -f -s "Developer ID Application: My Name" XojoFramework

# sign the remaining frameworks and dylibs inside the bundle
cd "/Developed Apps/My App/My App.app/Contents/Frameworks"
codesign -f -s "Developer ID Application: My Name" *.dylib
codesign -f -s "Developer ID Application: My Name" *.framework

cd "/Developed Apps/My App/My App.app/Contents/MacOS"
codesign -f -s "Developer ID Application: My Name" *.dylib

# sign the app bundle itself, with the hardened runtime enabled
cd "/Developed Apps/My App"

codesign -s "Developer ID Application: My Name" --options runtime "My App.app"

# build the disk image, then upload it to the notarization service
/usr/local/bin/dmgcanvas "/Developed Apps/My App/myapp.dmgCanvas" "/Developed Apps/My App/myapp.dmg" -v "My App"

xcrun altool -t osx -f "/Developed Apps/My App/myapp.dmg" --primary-bundle-id "com.mycompany.myapp" --notarize-app -u me@myemail.com -p myDeveloperToken[/quote]

Once you get the All OK email from Apple, then in the command line issue this

Once that’s done, you can freely distribute your installer.

[quote=432292:@Edwin Lau]wait for the email to come to say that you can distribute the app and then issue the command to staple the notarization to the app.[/quote]

Hello Edwin, first of all thank you for helping me!
I did not get it right because I always make my Mac apps and put them on my FTP as a ZIP; after that I just unzip them and put them in the Applications folder on my clients’ Macs. I never signed any app, I just gave permission in System Preferences/Security and Privacy for them to work. I have many doubts, but 3 more important ones now, because I am really lost.

What is this script that you kindly sent me, and what is it for?
Am I going to have to generate an installer or something like that?
And this validation command, where exactly do I have to put it in my code?

[quote=432295:@Paulo Vargas]Hello Edwin, first of all thank you for helping me!
I did not get it right because I always make my Mac apps and put them on my FTP as a ZIP; after that I just unzip them and put them in the Applications folder on my clients’ Macs. I never signed any app, I just gave permission in System Preferences/Security and Privacy for them to work. I have many doubts, but 3 more important ones now, because I am really lost.

What is this script that you kindly sent me, and what is it for?
Am I going to have to generate an installer or something like that?
And this validation command, where exactly do I have to put it in my code?
[/quote]

In most cases, you will not need to change anything in your source code or add anything in there. Notarization is done after you compile your app.

You can just copy and paste the script I posted into TextEdit or any text editor and save it as my.sh or something like that. To run it, go to the command line and type sh my.sh . Of course, change “My App” to your folder and your app name, and replace the email and the token key with your own.

The installer does not need to be DMG in my case. It can be a ZIP or PKG. Use what you have always used.

You probably have to remove the lines

/usr/local/bin/dmgcanvas "/Developed Apps/My App/myapp.dmgCanvas" "/Developed Apps/My App/myapp.dmg" -v "My App"
xcrun altool -t osx -f "/Developed Apps/My App/myapp.dmg" --primary-bundle-id "com.mycompany.myapp" --notarize-app -u me@myemail.com -p myDeveloperToken

In my case, I use DMGCanvas to package my files but you do not need to do that. Just remove that line and do your usual ZIP.

After you zip, then run the XCRUN line in the command line. Replace the “Myapp.dmg” with “Yourapp.zip”. This line will upload your installer to Apple to check.

[quote=432295:@Paulo Vargas]What is this script that you kindly sent me, and what is it for?[/quote]

Let me explain the code in the script. Basically I’ve made the template script which I use for codesigning and packaging my apps with notarization. This way I do not need to type each line one at a time. Think of the script as your Windows .BAT file.

The xattr -rc line fixes the resource fork issue. It was needed in the past for the MAS; I am not sure if the current Xojo version fixes the issue, but I just have that added for security.

lipo -remove i386 removes any 32-bit code from the Xojo Framework to keep it pure 64-bit. Probably not needed if the app is released outside of the MAS, but it does shrink the file size by a little.

codesign -f -s : this code signs all the frameworks, dylibs and executables within your .app bundle.

codesign -s --options runtime : this codesigns the app bundle itself and then applies the required hardening using the “runtime” switch.

Hope that helps
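For anyone who wants to script the same steps from the two posts above (sign the nested code, sign the bundle with the hardened runtime, package, upload, staple, and then check the result), here is an added example. It is not Edwin’s script and not Xojo’s or Apple’s code. The paths, app name, signing identity and the keychain profile name AC_PROFILE are assumptions; change them to your own. Two things differ from the script in the post: it uses `xcrun notarytool` instead of `altool`, because Apple later retired altool’s notarization commands, and the app-specific password is read from a keychain profile created once with `xcrun notarytool store-credentials AC_PROFILE`, so it never sits in the script or in the shell history. It also passes `--timestamp`, which the notary service requires, and signs from the inside out so the outer bundle signature seals the already-signed frameworks and dylibs.

```shell
#!/bin/sh
# Added example, not the script from the post above: sign, package, notarize,
# staple and verify a Xojo-built app for distribution outside the MAS.
# Assumed values (not from the thread; change them): APP_DIR, APP_NAME,
# IDENTITY and a notarytool keychain profile named AC_PROFILE created once with
#   xcrun notarytool store-credentials AC_PROFILE
set -eu

APP_DIR="${APP_DIR:-/Developed Apps/My App}"                  # assumed path
APP_NAME="${APP_NAME:-My App}"                                # assumed name
IDENTITY="${IDENTITY:-Developer ID Application: My Name}"     # assumed identity
AC_PROFILE="${AC_PROFILE:-AC_PROFILE}"                        # assumed keychain profile
APP="$APP_DIR/$APP_NAME.app"
ARCHIVE="$APP_DIR/$APP_NAME.zip"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Print each command, then run it unless DRY_RUN=1. Because of set -e, a
# failing codesign/notarytool/stapler step aborts the whole release.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# Sign one item. --timestamp is mandatory for notarization; --options runtime
# turns on the hardened runtime that the notary service requires.
sign_item() {
  run codesign --force --sign "$IDENTITY" --timestamp --options runtime "$1"
}

# Sign inside-out: nested frameworks and dylibs first, the outer bundle last,
# so the bundle's signature seals the already-signed nested code.
sign_bundle() {
  run xattr -rc "$APP"           # strip resource forks / Finder info that break signing
  for item in "$APP"/Contents/Frameworks/*.dylib \
              "$APP"/Contents/Frameworks/*.framework \
              "$APP"/Contents/MacOS/*.dylib; do
    [ -e "$item" ] || continue   # unmatched glob: nothing of that kind to sign
    sign_item "$item"
  done
  sign_item "$APP"
}

# Zip with ditto, which keeps the bundle metadata that notarization expects.
package_zip() {
  run rm -f "$ARCHIVE"
  run ditto -c -k --keepParent "$APP" "$ARCHIVE"
}

# Upload and block until Apple answers; on "Invalid", fetch the reasons with
# `xcrun notarytool log <submission-id> --keychain-profile AC_PROFILE`.
# A ticket cannot be stapled to a .zip: staple the .app and re-zip it, so
# Gatekeeper can accept the app offline without asking Apple's servers.
notarize_and_staple() {
  run xcrun notarytool submit "$ARCHIVE" --keychain-profile "$AC_PROFILE" --wait
  run xcrun stapler staple "$APP"
  package_zip
}

# What a customer's Gatekeeper will look at: intact seal, the hardened-runtime
# flag, a stapled ticket, and the overall assessment for a Developer ID app.
verify_bundle() {
  run codesign --verify --deep --strict --verbose=2 "$APP"
  run codesign --display --verbose=2 "$APP"      # look for "flags=...(runtime)"
  run xcrun stapler validate "$APP"
  run spctl --assess --type exec --verbose=2 "$APP"
}

main() {
  case "${1:-}" in
    sign)     sign_bundle ;;
    package)  package_zip ;;
    notarize) notarize_and_staple ;;
    verify)   verify_bundle ;;
    all)      sign_bundle; package_zip; notarize_and_staple; verify_bundle ;;
    *)        printf 'usage: %s sign|package|notarize|verify|all\n' "$0" ;;
  esac
}

main "$@"
```

Run `DRY_RUN=1 sh release.sh all` first to see every command it would execute with your paths filled in, then `sh release.sh all` for the real release. The `verify` step is the one worth keeping around: running it on the final .app tells you whether a customer’s Mac will accept the download without the right-click/Open dance.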

You are helping me a lot !
I sincerely thank you for the help you are giving me, thank you very much for the kindness and time you have for me.

For full disk access an app has to be signed before I can use the full disk access - even when debugging. If notarizing is required won’t we need to notarize in debug mode, too, for using full disk access?

Good question Beatrix, this turns out to be an even more complicated situation. I hope that Apple continues to give a button in the preferences to release everything manually by the user, who in the end is the owner of the Mac.

OK. I read this thread carefully, but it seems notarization is not used yet. I had noticed that in App Wrapper, without knowing exactly what that was.

Let me ask the naive question, now. Should the notarization apply to the DMG, the app, or both ?

[quote=432446:@Michel Bujardet]OK. I read this thread carefully, but it seems notarization is not used yet. I had noticed that in App Wrapper, without knowing exactly what that was.

Let me ask the naive question, now. Should the notarization apply to the DMG, the app, or both ?[/quote]
The dmg

Notarizing should not be required for debugging, because it happens to the DMG you distribute. While it does apply to an app, Apple notarizes the DMG and its contents. I know they mount the DMG as part of their process.

Therefore, notarization only applies to things you downloaded. Apps written on your own machine need only be signed. This is similar to how Gatekeeper works, where you only need to force-launch an unsigned app once.

On the other hand, those currently distributing as a zip will need to switch to DMG.

For those with some shell experience, my dmg-builder script does 100% of the work, including notarizing. It’s not a ready-to-use solution for other projects, but it might serve as inspiration for your own scripts. Beacon/Installers/Mac/Build.sh at master · thommcgrath/Beacon · GitHub

What about apps not signed and installed from USB thumb drives?

That is how I distribute apps internally that I build (I don’t sell or distribute apps)… Is that going to be a problem in the future? Will end users still be able to override Gatekeeper and run specific apps anyway?

  • karen

[quote=432453:@Karen Atkocius]What about apps not signed and installed from USB thumb drives?

That is how I distribute apps internally that I build (I don’t sell or distribute apps)… Is that going to be a problem in the future? Will end users still be able to override Gatekeeper and run specific apps anyway?

  • karen[/quote]
I don’t have answers to these questions.

I wouldn’t bank on it; the test machine I use for Mojave doesn’t even have the option and will point blank refuse to run a non-signed application. I’ll admit that it could very well be because this machine’s Mojave partition has had many Mojave betas installed and something may be corrupted.

However what I’d personally suggest is not to worry about it for the moment, if this really becomes a reality, then you can consider your possibilities.

If you were selling it over the internet, I’d say you have no choice.

In the link provided by Sascha, it did say that zip is still supported as a means of distributing the app.

Notarizing your preexisting software lets Gatekeeper warn users when they try to run it. It also helps the notary service distinguish your legitimate software from variants that have been tampered with. You can notarize an existing disk image, installer package, or ZIP archive containing your app.

[quote=432453:@Karen Atkocius]What about apps not signed and installed from USB thumb drives?[/quote]

As I understand it, any app that is copied to your Mac (whether from AirDrop, USB thumb drive, website download…) has the “quarantine” flag applied and when you launch it in the Finder, the flag will trigger Gatekeeper which may be set to refuse unsigned binaries.

So the answer to your question is: it doesn’t matter how you distribute your app, if it’s not signed, there might be a barrier to adoption. Anyone can easily bypass Gatekeeper by right-click/open anyway.
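To see the mechanism described in this post on a real file, here is an added example (not from the thread, not Apple’s code). The com.apple.quarantine attribute that downloads, AirDrop transfers and USB copies pick up is a string of four fields separated by `;`: flags in hex, the download time as hex seconds since the epoch, the agent that saved the file, and a UUID that ties it to the LaunchServices download history. The script splits that value into readable fields and, on a Mac, also reports whether the copy’s signature is intact and whether `spctl` would accept it; that is the combination Gatekeeper evaluates when a quarantined app is launched from the Finder. The sample attribute value in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the quarantine flag that
# Gatekeeper keys on. The com.apple.quarantine value has four ';'-separated
# fields: flags (hex), download time (hex epoch seconds), the saving agent,
# and a UUID linking the file to the LaunchServices download history.
set -eu

# Break a raw attribute value into readable fields. Pure shell, so it can be
# exercised on any system; prints one "key=value" line per field.
parse_quarantine() {
  raw=$1
  flags=${raw%%;*}; rest=${raw#*;}
  ts=${rest%%;*};   rest=${rest#*;}
  agent=${rest%%;*}
  if [ "$agent" = "$rest" ]; then
    uuid=""                      # three-field entry: no UUID present
  else
    uuid=${rest#*;}
  fi
  printf 'flags=%s\nepoch=%d\nagent=%s\nuuid=%s\n' \
    "$flags" "$((0x$ts))" "$agent" "$uuid"
}

# Report what Gatekeeper will do with a copy of an app on this Mac: is it
# quarantined, is its seal intact, and does the policy assessment pass?
gatekeeper_status() {
  path=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl/xattr/codesign not available: run this on macOS"
    return 0
  fi
  if raw=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
    echo "quarantined: yes (Finder launch triggers the Gatekeeper check)"
    parse_quarantine "$raw"
  else
    echo "quarantined: no (built or copied locally; no download check)"
  fi
  if codesign --verify --deep --strict "$path" 2>/dev/null; then
    echo "signature: valid"
  else
    echo "signature: missing or broken"
  fi
  if spctl --assess --type exec "$path" 2>/dev/null; then
    echo "assessment: accepted"
  else
    echo "assessment: rejected (unsigned, unnotarized or altered)"
  fi
}

if [ $# -eq 1 ]; then
  gatekeeper_status "$1"
fi
```

Usage: `sh gatekeeper_status.sh "/Applications/My App.app"` on the machine the app was copied to. A constructed value such as `0083;5d0b1f2c;Safari;2A7F0C4E-...` parses to flags 0083, epoch 1561009964 (June 2019) and agent Safari, which is the kind of record that makes a launch go through the Gatekeeper check; an app built on the same Mac carries no such attribute, which is why locally built apps only need to be signed.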

Not on my Mojave installation. It still runs the GateKeeper check and because the app wasn’t signed refused to launch it. Like I mentioned before; I don’t know if I’ve got borked settings or if this is the new standard.

Which contradicts the security they introduced in 10.12, whereby apps shipped via Zip were treated as second class citizens (enabling App Translocation). If that still occurs with notarized apps, Apple are creating a minefield of issues for the future. Great way to discourage developers.

@Sam Rowlands: you are doing something wrong :slight_smile: . My favourite application besides Xojo is unsigned and runs fine on Mojave.

However, I still get occasional reports about my app being in Translocation mode and the app asking every time if it should be opened.

Sam, I have a question related to App Wrapper : it offers to notarize the app itself, while DMG Signer does not.

Confused…

[quote=432475:@Michel Bujardet]Sam, I have a question related to App Wrapper : it offers to notarize the app itself, while DMG Signer does not.

Confused…[/quote]

With Appwrapper you need to do two steps:

  • Codesign your app with the Notarize option enabled.
  • Create your .dmg file (with above codesigned app) and drop it into the DMG signer of Appwrapper. This will upload it to the Apple server to notarize it. This sometimes can take a long time, so be patient.

@Sam - you need to add .zip support for the DMG signer module in Appwrapper. :wink:

Important side note:

What if you want to distribute your app as a .dmg and a .zip (for example with an updater tool like Kagi)?
In that case you need to notarize the dmg and zip separately.
Basically, this would mean the same app has 2 notarized approved release IDs. That may trigger an issue when macOS verifies the app on their server.