The reason it is not working is more than likely that the amnesty Apple had for non-hardened runtime apps being notarized has ended. This was meant to run out around August last year but they extended it until Jan this year. Basically you need to build with a version of Xojo with the hardened runtime, 2018rSomething and later, and then do a deep codesign after all your builds.
I build and release many apps through a pkg file without using the app wrapper, but I use Packages instead to build.
This is also not for app store either.
I build on Xojo 2019r1.1 on 10.14.6 and this works on Catalina just fine.
Not sure about entitlements, as I don't use them.
This is the process for my manual code sign process.
- Add a code script after build and add the following logic
- Run script “xattr -rc PATH_TO_APP” to clean out existing codesigning
- Run script “codesign --force --options runtime --deep --sign 'Developer ID Application: YOURNAMEHERE' PATH_TO_APP/Contents/Frameworks/*.dylib” to codesign any libraries, mbs etc.
- Run script “codesign --force --options runtime --deep --sign 'Developer ID Application: YOURNAMEHERE' PATH_TO_APP”
- Validate code signing using “spctl -a -t exec -vv PATH_TO_APP”
NOTE: if your source code is on an exFAT drive you cannot codesign on it. You have to manually compress, move to a local drive, codesign, compress and move back. I have a shared drive I work off between Mac and Windows using Boot Camp and found this issue. I tried using NTFS for Mac but Xojo could not work with it for some reason (always read-only).
If you have more than one app, eg helper apps, you need to do the above with all of them.
Build Pkg. Packages has built-in codesigning with productsign, so your above script will work.
If you have a single team against your apple ID then use
xcrun altool -t osx -f SHELL_PATH_TO_PKG --primary-bundle-id com.yourcompany.yourappname --notarize-app --username APPLE_ID@EMAIL.COM -p APPLE_PWD
If you have multiple teams then find your itc_provider and use
xcrun altool -t osx -f SHELL_PATH_TO_PKG -itc_provider YOUR_ITC_PROVIDER --primary-bundle-id com.yourcompany.yourappname --notarize-app --username APPLE_ID@EMAIL.COM -p APPLE_PWD
This returns a UID on success and you can check the status with
xcrun altool --notarization-info UID -u APPLE_ID@EMAIL.COM -p APPLE_PWD
If there is a problem it will return a URL to a log
When successful staple together
xcrun stapler staple SHELL_PATH_TO_PKG
- Compress, rename and upload to server.
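
The check below is an added example, not part of the original post: it confirms that the hardened runtime flag actually landed on the app and on each dylib in Contents/Frameworks before the pkg is uploaded for notarization. The function names and the two sample lines are constructed for illustration; the sample lines follow the format of the `CodeDirectory` line that `codesign -d --verbose=2` prints.

```shell
#!/bin/sh
# Added example: pre-notarization check for the hardened runtime flag.

# Reads `codesign -d --verbose=2` output on stdin; succeeds only if the
# CodeDirectory flags list contains "runtime", e.g. flags=0x10000(runtime).
has_hardened_runtime() {
    grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)'
}

# Checks each dylib in Contents/Frameworks, then the app bundle itself.
# Prints one line per item and returns non-zero if any item lacks the flag.
check_app() {
    app=$1
    failed=0
    for item in "$app"/Contents/Frameworks/*.dylib "$app"; do
        [ -e "$item" ] || continue   # glob matched nothing
        # codesign writes its description to stderr, hence 2>&1
        if codesign -d --verbose=2 "$item" 2>&1 | has_hardened_runtime; then
            echo "ok       $item"
        else
            echo "MISSING  $item"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample output: one signed with --options runtime, one without.
SAMPLE_HARDENED='Identifier=com.yourcompany.yourappname
CodeDirectory v=20500 size=1893 flags=0x10000(runtime) hashes=51+5 location=embedded'
SAMPLE_PLAIN='Identifier=com.yourcompany.yourappname
CodeDirectory v=20200 size=1801 flags=0x0(none) hashes=51+3 location=embedded'

# Run against a real bundle only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_app "$1"
fi
```

Run it with PATH_TO_APP as the only argument after the codesign steps; any line marked MISSING means that item needs to be re-signed with `--options runtime`.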