FYI: Notarizing Your App Before Distribution (macOS 10.14.5 and beyond)

[quote=432478:@Christoph De Vocht]Important side note:

What if you want to distribute your app with a .dmg and .zip (for example with an updater tool like Kagi)?
In that case you need to notarize the dmg and zip separately.
Basically, this would mean the same app has 2 notarized approved release IDs. That may trigger an issue when macOS verifies the app on their server.[/quote]
It won’t. Notarization does not replace previous results.

I performed some basic tests earlier this week using terminal and here are my findings (so far):

  1. 64 Bit apps built with Xojo 2017r3 seem okay.
     The apps contained MBS plugins v18.1, Einhuger plugins from 2018 and various other plugins.

  2. I could notarize code signed apps that were submitted in a zip and code signed apps in a code signed dmg.

  3. Stapling
     a) Zip Files
     You don’t staple zip files. You actually staple the applications that you put into the zip files. Stapling an application seemed to add a CodeResources file into the package contents folder. I think you would then add the stapled apps to a new zip file for deployment (if that is even possible these days).

     b) dmg Files
     Stapling didn’t seem to add the CodeResource files into the application package. My guess is that it is modifying some kind of header in the DMG itself.

What I haven’t been able to determine is if it is safe to put notarized apps into a disk image that is code signed but not notarized. One reason to do this would be if your disk image also contained a lot of content. Sending GBs of data to Apple for the sake of 100MB of executable code seems very inefficient. My gut feeling is this won’t be allowed and Gatekeeper will complain at the point of mounting a non-notarized disk image. This possibly means that apps will have to download their content on first run.
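The submit, poll, staple sequence described in the post above, as an added example (not code from this thread or from any tool mentioned in it). It assumes the 2019-era `xcrun altool` / `xcrun stapler` command line tools, an app-specific password stored in the keychain, placeholder bundle id and Apple ID, and applies the zip-vs-dmg distinction from point 3: a dmg is stapled itself, while for a zip the app bundles inside it (assumed to sit next to the zip) are stapled and must then be re-zipped.

```python
import re
import subprocess
import sys
import time
import zipfile
from pathlib import Path

# Placeholders: substitute your own bundle id, Apple ID and keychain item name.
BUNDLE_ID, APPLE_ID, PASSWORD = "com.example.myapp", "dev@example.com", "@keychain:AC_PASSWORD"
ALTOOL = ["xcrun", "altool", "-u", APPLE_ID, "-p", PASSWORD]


def parse_request_uuid(altool_output):
    """Pull the RequestUUID line altool prints after an upload (sample output is constructed)."""
    m = re.search(r"RequestUUID\s*=\s*([0-9A-Fa-f-]{36})", altool_output)
    return m.group(1) if m else None


def parse_status(info_output):
    """Return the 'Status:' field of `altool --notarization-info` output (not 'Status Code:')."""
    m = re.search(r"^\s*Status:\s*(.+?)\s*$", info_output, re.MULTILINE)
    return m.group(1) if m else None


def apps_in_zip(member_names):
    """Top-level .app bundles inside a zip: those, not the zip itself, get stapled."""
    return sorted({n.split("/")[0] for n in member_names if n.split("/")[0].endswith(".app")})


def staple_targets(artifact):
    """A dmg is stapled directly; for a zip, staple the apps (assumed next to the zip) and re-zip."""
    artifact = Path(artifact)
    if artifact.suffix == ".dmg":
        return [artifact]
    if artifact.suffix == ".zip":
        with zipfile.ZipFile(artifact) as zf:
            return [artifact.parent / app for app in apps_in_zip(zf.namelist())]
    raise ValueError("expected a .zip or .dmg")


def run(cmd):
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout + p.stderr  # altool reports on both streams


def notarize_and_staple(artifact):
    uuid = parse_request_uuid(run(ALTOOL + ["--notarize-app", "--primary-bundle-id", BUNDLE_ID, "--file", str(artifact)]))
    if not uuid:
        sys.exit("upload failed; check the altool output")
    status = "in progress"
    while status == "in progress":  # Apple's automated check usually answers within minutes
        time.sleep(30)
        status = parse_status(run(ALTOOL + ["--notarization-info", uuid]))
    if status != "success":
        sys.exit(f"notarization {status}; the LogFileURL in --notarization-info {uuid} lists the reasons")
    for target in staple_targets(artifact):
        subprocess.run(["xcrun", "stapler", "staple", str(target)], check=True)


if __name__ == "__main__":
    notarize_and_staple(sys.argv[1])
```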

For now, I create .dmg files that will be zipped before uploading to the web site.

This probably will result in the zip process being omitted and only the unzipped .dmg file being offered on the web site?

While it looks like I was wrong about needing to switch to dmg, I have to ask, why are you compressing the dmg? They’re already compressed, there is nothing to be gained by doing that.

That’s good to know; I guess I’ll have to purge 10.14 from it and re-install.

[quote=432478:@Christoph De Vocht]What if you want to distribute your app with a .dmg and .zip (for example with an updater tool like Kagi)?
In that case you need to notarize the dmg and zip separately.[/quote]
Firstly, I would recommend considering the Apple installer as part of the update process. It adheres to Apple’s current security underpants and has the added advantage that it WILL replace your application wherever it is on the hard disk.

Secondly, from my understanding of the documentation, stapling is not actually required. When a Notarized application is launched, the macOS phones home to check the security of the application. What stapling does is attach a sorta security badge (on top of all the other security protocols applied), which is used in that moment. The macOS will still phone home, it just doesn’t prevent you from launching the application until it’s gotten a response.

Now, the biggest problem with Notarization is not that Apple doesn’t trust us 3rd Party developers, nor that they look at the byte code of your application to determine what it’s doing; it’s the “Hardened Runtime”. This applies a far stricter set of security rules to the application, which has already caused some developers to have to remove features from their apps. So PLEASE PLEASE make sure you thoroughly test your application once it’s been code signed.

p.s. You probably want to make sure that you don’t have any function names that Apple might take offense to, I know of one developer who got into trouble because Apple didn’t like his function names and thought he was doing something suspicious.
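A post-signing check a practitioner would run before shipping, as an added example (not code from this thread or from App Wrapper): it verifies the signature, confirms the hardened runtime flag that notarization requires, asks Gatekeeper for its verdict and checks for a stapled ticket. It assumes `codesign`, `spctl` and `xcrun stapler` are on PATH; the output lines it parses are constructed samples of what those tools print.

```python
import re
import subprocess
import sys


def hardened_runtime_enabled(codesign_output):
    """True if the CodeDirectory flags printed by `codesign -dvv` include 'runtime'."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_output)
    return bool(m) and "runtime" in m.group(1).split(",")


def gatekeeper_verdict(spctl_output):
    """(accepted?, source) from `spctl --assess -vv`; a notarized app reports 'Notarized Developer ID'."""
    accepted = bool(re.search(r":\s*accepted\s*$", spctl_output, re.MULTILINE))
    m = re.search(r"^source=(.+?)\s*$", spctl_output, re.MULTILINE)
    return accepted, (m.group(1) if m else None)


def run(cmd):
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr  # codesign and spctl report on stderr


def check_app(app_path):
    """Return a list of problems; an empty list means the bundle is ready to distribute."""
    problems = []
    rc, out = run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path])
    if rc != 0:
        problems.append("signature does not verify:\n" + out)
    if not hardened_runtime_enabled(run(["codesign", "-dvv", app_path])[1]):
        problems.append("hardened runtime flag missing: the notarization service will refuse the upload")
    accepted, source = gatekeeper_verdict(run(["spctl", "--assess", "-vv", "--type", "execute", app_path])[1])
    if not accepted:
        problems.append("Gatekeeper rejects the app")
    elif source and "Notarized" not in source:
        problems.append(f"accepted, but not as notarized (source={source})")
    if run(["xcrun", "stapler", "validate", app_path])[0] != 0:
        problems.append("no stapled ticket: first launch will depend on an online check")
    return problems


if __name__ == "__main__":
    issues = check_app(sys.argv[1])
    print("\n".join(issues) or "OK: signed, hardened, notarized and stapled")
    sys.exit(1 if issues else 0)
```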

[quote=432477:@Christoph De Vocht]With Appwrapper you need to do two steps:

  • Codesign your app with the Notarize option enabled.
  • Create your .dmg file (with above codesigned app) and drop it into the DMG signer of Appwrapper. This will upload it to the Apple server to notarize it. This sometimes can take a long time, so be patient.

@Sam - you need to add .zip support for the DMG signer module in Appwrapper. ;-)[/quote]

I made a mistake with the DMG Signer of AppWrapper. I meant the Notarize interface instead. Sorry about the confusion.

I’m reading through this, and wondering, I’m within a week or two of releasing an update to my app. I sandbox for the MAS and I add the Gatekeeper stuff for non-MAS sales. I use Sam’s AppWrapper and it works well for me. So, today, what do I need to do to notarize my app if I choose to? That bit is confusing me.

Thanks, Richard

See my blog article:
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS

I just run the command line from point 6 and then later step 8 for my app.
You need to use your own bundle identifier and login of course.

[quote=433391:@Richard Gorbutt]I’m reading through this, and wondering, I’m within a week or two of releasing an update to my app. I sandbox for the MAS and I add the Gatekeeper stuff for non-MAS sales. I use Sam’s AppWrapper and it works well for me. So, today, what do I need to do to notarize my app if I choose to? That bit is confusing me.
[/quote]

Not much more to do, assuming you’re on the latest version of AppWrapper. You’re already successfully signing the app with your Developer ID using AppWrapper. To notarize, just wrap as normal and hit the Notarize button that appears when wrapping is done. AppWrapper will send your app off and check on the result, which is also emailed to you. It only takes 2 or 3 minutes.

There’s no reason to wait until launch day to try it either, it’s an automated process at Apple’s end, not a review, so you can resubmit builds to be notarized as you see fit.

Thanks Gavin,

I have an active support plan and on v3.8.8, it shows no updates available but I don’t see the notarize button. I’ll reach out to Sam when I have time. Appreciate the response.

Thanks, Richard

[quote=433413:@Richard Gorbutt]Thanks Gavin,

I have an active support plan and on v3.8.8, it shows no updates available but I don’t see the notarize button. I’ll reach out to Sam when I have time. Appreciate the response.[/quote]
There was a beta of AppWrapper 3.9 but the download link seems to be no longer active. I’m sure Sam can help you out (although I know that he’s nearing the end of a project with only a few days to go).

https://forum.xojo.com/50953-app-wrapper-3-9-beta-4-now-with-hardened-runtime-notarization/0

Nice question, thanks for the reply. I’ve checked the files, but when I compare the .dmg and its zipped counterpart, most of my Xojo compiled projects wrapped into a .dmg file become much smaller when zipped, probably 'cause they contain a large number of graphical files.

@Detlef Kahner:
a) you should make your graphics as small as possible anyways. https://imageoptim.com/mac or similar.
b) dmg also has compression.

You may have the flag set that strips out the 32-bit libraries during wrapping.

[quote=433442:@Beatrix Willius]@Detlef Kahner:
a) you should make your graphics as small as possible anyways. https://imageoptim.com/mac or similar.
b) dmg also has compression.[/quote]

I couldn’t see a way in Disk Utility to get an HFS+ dmg along with compression. Not under High Sierra, anyway.

@Tim Streater: in DropDMG there are several options for compression. Not sure how these translate into Disk Utility.

German translation: schneller = faster, am schnellsten = fastest, langsamer = slower, kleinere Datei = smaller file.

Saw your hint yet. Thanks for the notification. :)

I read in a blog now the following text:

As a developer of my own software, for my own use and for some clients, which I install on their machines personally, I am really worried, so I wanted to know if anyone knew if this was spoken about at WWDC and what they know about it?

As far as I understand it Notarization only applies to apps downloaded from the internet outside the store
You should be safe if you’re writing your own software
Depending on how you distribute it to clients they may have issues

https://eclecticlight.co/2019/04/12/how-does-notarization-affect-your-own-apps-and-scripts/

[quote=440670:@Paulo Vargas]I read in a blog now the following text:

As a developer of my own software, for my own use and for some clients, which I install on their machines personally, I am really worried, so I wanted to know if anyone knew if this was spoken about at WWDC and what they know about it?[/quote]
To be frank, the $100 for 5 years for a Developer ID certificate is nothing. It’s a small cost to avoid the trouble on a client’s machine. This assumes you build on your machine and install on theirs though. Developing on theirs is a different story.