Installer Creation for MacOS, Windows and Linux?

I mean, nothing is stopping you from notarizing it. If you look at the steps I outlined before, you’d just cut out the final zip step. Zip the app, send to Apple, staple the receipt to the bundle. Just don’t zip it again. Or you could tar it instead. It’s just that notarization isn’t really intended for trusted apps. And most distribution happens over the internet anyway, where some kind of packing would be necessary.

When you use App Wrapper to code sign and notarise your app, a folder is created.
Inside that is the code signed app.
If you choose to build a PKG file at the same time, you get one of those too, notarised.

You may as well build one.
If you give the PKG to your colleagues they can install it as normal.

If you give them an app bundle on a memory stick they can start it from there by doing the ‘open’ trick, although the Mac may well then decide to translocate it (a kind of mini sandboxing which is yet another security measure - it isolates your app and mini-sandboxes it).

Yes, there are (- just - ) still ways around Apple’s security measures, but in the end you may find it is less painful to pay, and do it ‘their way’ (whatever their way happens to be this afternoon)

As a long time shipper of Xojo product for mac machines, I find myself every single year wondering ‘is this the year when Apple mess things up so much that it’s not worth trying any more’.
There have been some major hiccoughs along the way, but Xojo, App Wrapper, and MBS plugins have kept me going.

I really appreciate all of the feedback and suggestions in this thread. It looks like I’m making headway, but not yet successful at getting my app fully signed and notarized. Here’s what I’ve done so far.

  1. Installed Xcode on my Mac mini which is running Big Sur
  2. Created a Developer Cert for apps to distribute outside of the App Store
  3. Created an ID for my App, hopefully I’ve done that correctly
  4. I purchased DMGCanvas because my understanding was it could create the DMG file and Sign and Notarize the app.
  5. I configured DMGCanvas with my Apple ID and Password
  6. I set DMGCanvas to sign and Notarize the app which I selected for it.
  7. I clicked the Build button in DMGCanvas and get the following error:

[Screenshot: Screen Shot 2021-10-21 at 9.37.55 AM]

I’m not sure why it can’t upload the file, it’s what I added to DMGCanvas.

Thoughts?

Hate to be “that guy” but what’s under “Show Details” ? Perhaps there’s more information about the error there? Sometimes you have to sign documents in your account before you can notarize.


You might also have to obtain an Installer certificate. You can download it from the dev site, or directly from within Xcode.

Also, as I noted above, I believe that DMGCanvas only signs the .dmg. There is still the matter of signing the bundle first. That’s where AppWrapper would come in.

The Show Details has so far ignored the show details :confused:

I distribute entirely with App Wrapper and don’t really have anything else to suggest for DMG Canvas. I would recommend App Wrapper and distributing as ZIP. Works great for my apps :slight_smile:

AppWrapper can also be set to work seamlessly with DMGCanvas and some others. If you do this, you will have AppWrapper handle the entire process. If you set DMGCanvas for notarization, you will have to wait as you’ll go through the notarization process twice. :slight_smile:


I’d love to use just DMGCanvas if possible, but if AppWrapper is needed, that’s fine too. I’m finding this whole process to be extremely and unnecessarily convoluted / confusing which pretty much falls on Apple in my opinion. And trying to use two tools with different approaches isn’t helping, LOL

Can someone point me in the direction of a simple to follow step by step process to get an app signed, notarized and packaged? Hopefully with DMGCanvas since I already purchased that. This entire process is new to me, and it’s very time consuming to jump all over the place when something is missed to understand and correct the issue.

Signed Frustrated

Well, the two tools can in fact be used together, in a unified workflow. They are not “different approaches”. AppWrapper is first and foremost a signing utility. DMGCanvas is an installer maker.

As Tim said, you can have AppWrapper make a zip, submit that for notarization, and leave it at that. But some sort of archive format (.zip, .dmg or .pkg) is what you must submit to Apple–not an app bundle.

This is confusing to me since DMGCanvas does create a DMG package that I’ve got it submitting to Apple for Signing and Notarizing (see setting screen clip below). It’s now failing for some other certificate and ID issues I’m trying to figure out.

[Screenshot: Screen Shot 2021-10-21 at 12.48.17 PM]

If you’ve properly installed your certificate, it should be selectable in the bottom popup, and thereafter visible.

My worse wondering, similar to yours, is “is this the year when Apple mess things up so much that Xojo or any other third party programming tools won’t be supported nor useable anymore”. Xcode or nothing… :scream:

It is, and I selected it before trying to build it.

Here’s what I’m getting right now. I thought I’d done most of this, but apparently something isn’t right. There are also problems I’m not sure how to handle.

{
  "logFormatVersion": 1,
  "jobId": "cb969c99-859d-46f0-8a6b-750e6f991160",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "SimpleMortgageCalculator.dmg",
  "uploadDate": "2021-10-21T22:29:45Z",
  "sha256": "230c2401304836528512a2f88d291288825f3c2536119d646500b65f2aef6096",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/Frameworks/XojoFramework.framework/Versions/A/XojoFramework",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/Frameworks/XojoFramework.framework/Versions/A/XojoFramework",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/Frameworks/XojoFramework.framework/Versions/A/XojoFramework",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/Frameworks/XojoFramework.framework/Versions/A/XojoFramework",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "SimpleMortgageCalculator.dmg/Simple Mortgage Calculator.app/Contents/MacOS/Simple Mortgage Calculator",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "arm64"
    }
  ]
}

This appears to confirm what I thought: that DMGCanvas is only signing the .dmg itself, and not your application. This is a feature, not a bug.

Your app bundle, with all its contents, must be signed before DMGCanvas gets it. To do this easily, AppWrapper is your friend. In all honesty, were you only to purchase one of these tools, AppWrapper would have been the one. But you’ll be happy to have both :slight_smile:
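Added example, not part of the original thread and not code from App Wrapper or DMGCanvas: a small reader for a notarization log of the shape posted above. It collapses the per-architecture issues into one entry per bundle, names the signing requirement each message refers to, and prints `codesign` commands with nested code first. The sample log, the function names and the placeholder identity are assumptions made for illustration.

```python
import json
import shlex

# Notary message fragment -> the codesign option that satisfies it.
REQUIREMENTS = {
    "valid Developer ID certificate": "--sign <Developer ID Application identity>",
    "secure timestamp": "--timestamp",
    "hardened runtime": "--options runtime",
}

# Constructed sample in the shape of the log posted above (names are placeholders).
SAMPLE_LOG = json.dumps({"status": "Invalid", "archiveFilename": "Example.dmg", "issues": [
    {"severity": "error", "architecture": "x86_64",
     "path": "Example.dmg/Example.app/Contents/MacOS/Example",
     "message": "The executable does not have the hardened runtime enabled."},
    {"severity": "error", "architecture": "arm64",
     "path": "Example.dmg/Example.app/Contents/MacOS/Example",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "architecture": "arm64",
     "path": "Example.dmg/Example.app/Contents/Frameworks/Lib.framework/Versions/A/Lib",
     "message": "The binary is not signed with a valid Developer ID certificate."},
]})

def enclosing_bundle(path):
    """Trim a binary path to the innermost .app/.framework that contains it."""
    parts = path.split("/")
    for i in range(len(parts) - 1, -1, -1):
        if parts[i].endswith((".app", ".framework")):
            return "/".join(parts[: i + 1])
    return path  # loose binary: sign the file itself

def missing_by_bundle(log_text):
    """Map each bundle to the signing requirements the notary log says it lacks."""
    log = json.loads(log_text)
    prefix = log.get("archiveFilename", "") + "/"
    result = {}
    for issue in log.get("issues") or []:  # tolerate a null "issues" field
        if issue.get("severity") != "error":
            continue
        path = issue["path"]
        if path.startswith(prefix):  # drop the leading archive name
            path = path[len(prefix):]
        missing = result.setdefault(enclosing_bundle(path), set())
        missing.update(opt for frag, opt in REQUIREMENTS.items() if frag in issue["message"])
    return result

def signing_plan(log_text, identity="Developer ID Application: PLACEHOLDER"):
    """codesign commands, deepest bundle first, always with all three requirements."""
    bundles = sorted(missing_by_bundle(log_text), key=lambda b: -b.count("/"))
    return [shlex.join(["codesign", "--force", "--timestamp", "--options", "runtime",
                        "--sign", identity, b]) for b in bundles]
```

Run against the log above, this reduces the ten issues to two bundles, the Xojo framework and the app itself, both of which have to be signed before the .dmg is built and submitted.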

I’m still evaluating AppWrapper, I’m assuming the free trial will let it do its job. I’m happy to buy it too if I can get it working. So far, I haven’t been able to satisfy what it needs. :frowning:

This is what I’m getting with AppWrapper

“Missing private key” is a clue. There is still something wonky in your certificate installation.

Yeah, not sure what the cert issue is. I created and downloaded a key, but not sure how to use it