@Sam Rowlands: how do I incorporate AppWrapper into my app builds? I have multiple helper apps, a main app, an installer and the dmg for 2 different versions. Additionally, there is the MAS app which is the most simple one with just the app without the rest.
Do I need to treat every one of my apps with hardened runtime? I would assume so.
AppWrapper is async. That means my IDE communicator script wouldn’t work anyways because that’s synchronous.
AppWrapper moves everything. How do I move the app to the original location?
How do I get AppWrapper to close after it finishes?
The hardening works fine on a first test for the main app.
As long as your helper apps are in an executable folder (macOS, Helpers, Plugins) before the main application is passed to App Wrapper, it should handle them, although there are situations where some Helper apps need some special processing. In which case I’ve found code signing them separately and telling App Wrapper to ignore them seems to work (like launch helpers).
Is this a custom installer or using Apple’s installer tools to make it?
Many of the options are based upon which code signature you specify, so some things can be different for MAS and non-MAS distributions.
AFAIK, yes, but App Wrapper should take care of that for you.
This is a limitation of the current design and can only be solved by switching it over to a commandline app with a GUI (which is a lot of work at this end).
App Wrapper does this so that it never overwrites the application you pass into it. Otherwise if anything goes wrong on the App Wrapper end, you’d have to re-build your application before you can try again.
Currently you can’t. Due to poor design from yours truly.
The installer is from the time where I couldn’t make the pkg file work fine. So the installer is a self-written one.
Okay, I’ll try that.
Also okay.
I’ll need to do this anyways.
Yeah, we all do that.
Currently, I don’t see how I can make this work with AppWrapper. My IDE communicator script does everything. Building manually is just too error prone.
@Sam,
First attempt to notarise with AppWrapper, but got an error:
“Your Apple ID account is attached to other iTunes providers. You will need to specify which provider you intend to submit content to by using the -itc_provider command. Please contact us if you have questions or need help. (1627)”
My email is attached to multiple teams. How to add the -itc_provider flag? And what should be the parameter? The team ID?
Worked for me (Thanks, Sam)
Now I need to work out if Hardening and Notarising is actually going to BREAK my app for any reason.
Past experience suggests it almost certainly will…
No, the parameter is most likely the <provider_shortname>. See this Thread on the Apple Developer Forums.
So it’s not the TeamID. One way to figure out what it is is explained by “Eskimo” in another Thread on the Apple Developer Forums.
If your company’s full name is: “My Company AG”, the “provider shortname” will most likely not contain spaces, e.g.: “MyCompanyAG”.
[quote=441313:@Sam Rowlands]This is the first time I’ve seen this message, so at this point I don’t know.
I’ll be away tomorrow; but I’ll take a look over the weekend[/quote]
@Sam Rowlands: This will come into play when notarizing: Note the parameter --asc-provider
My main app needs AppleEvents and AddressBook access for the hardened runtime. The helper apps don’t need those permissions. Do the helper apps need to get their own set of permissions or do they “inherit” the permissions of the main app?
Hmmm… You’d need to check with the documentation for this. By default App Wrapper applies the ‘Inheritance’ entitlement to helper apps; however for some helper apps (like launch helpers) they can’t work this way and must have their own set of entitlements.
Okay; so I’ve read the documentation and the posts that @Jürg Otter has linked to and done some quick tests here. I will redesign the account system that App Wrapper uses for managing Application Loader accounts, to accommodate this information and hopefully prevent less work when Apple change the system again. I will continue to store the user name and password in the Keychain for the time being; even though it appears that App Wrapper on Catalina is not able to modify that information.
Which raises a question, I’d like to ask y’all. If Apps are locked out from editing Keychain records, would you like?
App Wrapper to continue storing this information in the Keychain, but it requires a trip to Keychain Access when the password needs to be changed.
App Wrapper to store this information in its own preferences. I can encrypt this information, to give it some protection, but you would be able to change the password directly within App Wrapper.
[quote=441646:@Sam Rowlands]Which raises a question, I’d like to ask y’all. If Apps are locked out from editing Keychain records, would you like?
[/quote]
Have you reported the issue to Apple?
We really need to figure out the Keychain issue before we start implementing security circumventions.
Some simple questions:
Did anyone report the issue to Apple?
Is the change permanent or a bug in this beta?
Does the issue affect all Xojo apps?
Unless Apple says the answer to number two is “Yes. This change is intended and permanent.” then what are we getting all huffed up for? Let’s slow down - we’re developers, we solve problems. Getting this worked up without any answers isn’t how we operate.
Edit: For what it’s worth, other development communities are not talking about this issue.
I had added a bug report (with the new Apple Feedback tool) about this issue.
About 30 minutes (!) later it was closed with the comment ‘By design’.
Say what? ‘By design’. So I get a 2-word answer saying it is expected behaviour by design? WTF?
Does this mean it is not possible to notarise a dmg with a standard developer account? Although I received a mail that I have notarized the dmg successfully (the “You can now distribute your Mac software” mail).
Still, ‘by design’ it will be marked as ‘unidentified developer’.
I’m totally puzzled by this. I have added a new bug report with the same explanation including the reply I previously got.
I get asked what Apple actually earns in making life so hard for developers willing to support the platform, and saying it’s for security and blah blah blah will not convince me; sometimes it makes me want to give up!