Xojo Post Build Script Example 4u: CodeSign, DMG creation and Notarization

I’ve updated the example Xojo project «Xojo2DMG v0.9.4»
The minor tweaks might be helpful in case something doesn’t work as expected with the Shell Script that’s provided. That’s the part that does all the “tricky stuff”.

  • added some more echo-output to the Shell Script. In case of an error this helps identifying what has gone wrong, and by comparing with the Shell Script you’ll find the offending command(s).
  • In case of an error, the output of the Shell Script is available in Clipboard. That’s because by running the Script “hidden”, you don’t see what’s going on behind the scenes.
  • As an alternative: added a Boolean property in the PostBuild Script, which allows to run the Shell Script in Terminal (so that you can observe what’s going on)

Just a question : What’s wrong with DMGCanvas ?

Most probably: nothing :slight_smile: AppWrapper, DMGCanvas, … - nice and easy to use tools. They are recommended by most users in this forum.

There are developers out there that want to have full control over the process themselves. Or some company rules don’t allow for 3rd party products being involved. Or other reasons…
Then the Xojo Documentation: Mac Code Signing or examples such as «Xojo2DMG v0.9.4» are helpful (and maybe all that’s needed).

DMG Canvas requires a license to use the command line tools, AppWrapper requires a license, Xojo requires a license, MBS requires a license…

These costs can add up, so I would say that this script offers an easier way for someone with a tighter budget to automate the code signing process. And I would say that’s a totally fair reason.

My only concern is mentioned above, but Jürg offers a workaround for it.

Just for fun… I’ve updated Xojo2DMG . It’s now codesigning with TimeStamp and hardened runtime, and allows to perform a fully automated/scripted Notarization.

You can try it “as is”. Read the comments (in both Xojo PostBuild Script, and ShellScript), modify according to your needs.
Look at it just as an example of how to do it all yourself, fully scripted and automated.
It’s possible. But it’s also likely you’re running into issues. That’s when you don’t get any support from Xojo2DMG, which you would get (and much more) by AppWrapper.

credits go to @Thom McGrath for the original Notarization Shell Script. I’ve used quite some of that…

And there is another Update to Xojo2DMG. v0.9.6 has added:

  • Stripping out i386 parts of XojoFramework (it’s not needed in 64Bit Builds… makes the .app a bit more lightweight)
  • Support for CodeSign Entitlements (required for CodeSign with Hardened Runtime, e.g. for applications that use AppleEvents/Automation or XojoScript)
  • Notarization (since v0.9.5)

Just because it’s been fun to play again with Xojo2DMG… I’ve added another couple of features in Xojo2DMG v0.9.7.
Especially for those of you who are distributing a CodeSigned and Notarized macOS application that uses features that need special Entitlements.
Let’s say an application is using XojoScript. That works just fine while debugging (without CodeSign, without Hardened Runtime). However, with missing Entitlements the distributed (and now codesigned) app will crash. You might not even have noticed, since DebugBuilds have been working just fine. So it gets more and more important to CodeSign (with Hardened Runtime) the DebugBuilds, too.

And that’s exactly what I wanted to do…:

  • You can enable CodeSigning (with Hardened Runtime) for DebugBuilds.
  • That way you get (mostly) the same behavior while Debugging as you get in a distributed (Codesigned and Notarized) app.
  • Xojo2DMG will (optionally) just CodeSign every DebugBuild. Release builds will of course continue to be packaged into a customizable DMG, sent to Notarization.
  • The Notarization Ticket will be stapled to both .dmg and .app, and the application (including Notarization Ticket) will be compressed to a .zip. Most likely you will only want the .dmg. Still, having another .zip with the fully processed/notarized app might be useful for some situation or another.
  • Improved Framework Detection (to strip out i386 Parts in 64Bit Builds)
  • CodeSign with Hardened Runtime: requires macOS 10.13.6 (otherwise CodeSign without Hardened Runtime)
  • Notarization: requires macOS 10.13.6 (otherwise this step is being ignored)
  • Updated the example application with XojoScript and AppleScript/Automation, to test behavior of CodeSign, Entitlements and ReleaseBuilds.
  • Just for fun you could: disable the Entitlements required for XojoScript, and run a CodeSigned DebugBuild. You’ll notice that the app will crash, such as a ReleaseBuild would do if the Entitlements are missing :wink:
  • Fixes a couple of minor issues in the main Shell Script. It’s still a bit messy, one could always do much more… sorry about that - but hey, it works just fine (for me at least) :wink:

Even if you are not going to use Xojo2DMG (I still think AppWrapper is an even better solution - and it comes with support) think about CodeSigning your own DebugBuilds, too. Your customers will thank you for that :slight_smile:

fwiw… I’ve tested the last update only on macOS 10.14.6 (along with Xcode 11.2.1 for the CodeSigning and Notarization part).
I’m also curious to know if someone else has tried it, and if so if it’s working and helpful for others, too? Do you like the refactored Script which now allows to CodeSign the DebugRuns?
I hope I have covered building (and overriding some capabilities that need a later OS version) on various macOS versions… but it’s likely I have missed some things since I currently only use 10.14.6 for Development on macOS… so thanks for letting me know what is (not) working.

I downloaded it for future reference, because my Xcode is still 10.1. Thank you.

One last update to Xojo2DMG v0.9.8 for now…

  • Added more comments in the PostBuildScript so that you can even better understand what’s going on and how to configure the behavior of Xojo2DMG (and its ShellScript that’s being executed)
  • CodeSign of 64Bit DebugBuilds will not strip i386 parts in Frameworks (so DebugRuns are ready without that delay)
  • 64Bit ReleaseBuilds with CodeSigning will continue to strip i386 part in Frameworks
  • Since you have asked for it off-forum: included a link to my PayPal account (Xojo2DMG is free, but feel free to say thanks that way)

So it should all be working for Xojo2DMG v0.9.8 to allow you to:

  • DebugRun’s with CodeSign (Hardened Runtime) - to get (mostly) the same behavior when Debugging such as your customers will have when downloading your Notarized ReleaseBuild
  • CodeSign (with Hardened Runtime)
  • auto-magically create a (customizable) DMG (again: CodeSigned)
  • send off to Notarization (fully automated/scripted)
  • you can basically hit “build” in Xojo and get a .DMG ready to upload for distribution on your webserver

What Xojo2DMG will never do:

  • offer support (use it as-it-is)
  • prepare for Mac App Store
    If you want and need that - have a look at AppWrapper.

Yet another update: Xojo2DMG v0.9.9
What’s new or changed?

  • Tested on macOS Catalina 10.15.1 / Xcode 11.2.1
  • Xojo PostBuild Script: Added a new Setting to define whether to perform notarization or not (e.g. just notarize Beta and Final builds, but not Developer/Alpha builds)
  • Creation of .dmg will perform hdiutil internet-enable depending on build OS version (it’s been removed in Catalina…)
  • Xojo PostBuild Script: Note/Example how you could use different .dmg Background Images for Beta / Final builds
  • Checking CodeSign of .dmg: will now be performed after Notarization. That’s because this check will fail with an ErrorCode on Catalina if the .dmg is not notarized. If you decide to not notarize (e.g. put a just CodeSigned Alpha build in a .dmg, but without notarization) then this “check that is known to fail in this situation” will not be treated as an error (you’ll see “Unnotarized DeveloperID” in the Shell-Output, which basically means: CodeSign with DeveloperID is OK, but it’s not notarized)
    I hope it’s still working when using Xojo to build on macOS 10.14.6. And I don’t know at all if CodeSign&Notarization works with 10.13.6, as I don’t have such a system set up any longer…

I hope Xojo2DMG will be useful for some of you, in one situation or another.
And remember: Think about CodeSigning your own DebugBuilds :wink:
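
The version gates listed in the v0.9.7 and v0.9.9 updates above, as an added dry-run sketch that is not part of the thread or of Xojo2DMG's own script: it only prints the commands in the order described. The app, DMG, identity and keychain profile names are constructed placeholders, and `xcrun notarytool` is an assumption standing in for whatever upload command the script itself uses.

```shell
#!/bin/sh
# Added example (dry run): prints the signing/notarization steps, runs nothing.
# APP, DMG, IDENT and PROFILE are constructed placeholders, not from the thread.
APP="Example.app"; DMG="Example.dmg"
IDENT="Developer ID Application: Example Dev"
PROFILE="example-notary-profile"

# ver_ge A B: succeed when dotted version A >= B (missing fields count as 0).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# plan_steps OS_VERSION BUILD(debug|release) NOTARIZE(yes|no)
plan_steps() {
  os=$1; build=$2; notarize=$3
  if ver_ge "$os" 10.13.6; then
    hardened="--options runtime --entitlements entitlements.plist"
  else
    hardened=""; notarize=no   # too old: plain signature, notarization skipped
  fi
  echo "codesign --force --timestamp $hardened --sign '$IDENT' $APP"
  [ "$build" = "debug" ] && return 0   # DebugBuilds are only codesigned

  echo "hdiutil create -srcfolder $APP -volname Example -format UDZO $DMG"
  # internet-enable was removed in Catalina (10.15)
  ver_ge "$os" 10.15 || echo "hdiutil internet-enable -yes $DMG"
  echo "codesign --force --timestamp --sign '$IDENT' $DMG"
  if [ "$notarize" = "yes" ]; then
    echo "xcrun notarytool submit $DMG --keychain-profile $PROFILE --wait"
    echo "xcrun stapler staple $DMG"
    echo "xcrun stapler staple $APP"
  fi
  # Gatekeeper check goes last: on Catalina it fails for an un-notarized .dmg
  echo "spctl --assess --type open --context context:primary-signature -v $DMG"
}

plan_steps 10.15.1 release yes
```
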

so is the next fix 1.0.0 or 0.9.10 ? :stuck_out_tongue:

Does it matter? A 1.0.0 can be as buggy as a 0.9.10 :stuck_out_tongue:
Should I find the time to verify everything works as expected (for now at least… Apple’s requirements are changing every now and then) on 10.13-15, then this could be a reason to make it a 1.0.0. On the other hand: it will never be polished and finished. So a 0.9.27 looks fine for me, too.
So honestly… I don’t care about the version number at all :wink:
I just post the updates because some seem to try or use it, and even be happy with it - thanks to those that have sent me “thank you” E-Mails. It’s nice to be able to give something back to this community.

nm - it was in jest

Thanks - I’ve just learnt a new word/expression :slight_smile:
It’s been a good one - leading to thoughts, since I haven’t thought about it at all. I could take it a step further and post a poll to vote what the next version number is going to be :wink:

2019.1 ?

Very cool! I just bought AppWrapper as it was highly recommended (but not easy at all to use), but I’d like to try your effort, Jürg! In my program, will I need everything or just the Xojo2DMGScript?
Also, do you know why I am unable to print out the Xojo2DMGScript? I’d like to print it out to read it. I can print the other parts of your program, just not the Script. I get a blank page when I try…

Guess I should read the instructions, which say to copy the “Scripts” folder to my project’s folder, and add your Xojo2DMGScript (edited of course). Just to confirm - I need nothing else from the “demo” app? (modAppleScriptUtils/XojoScriptEvaluator/Info, etc.)

yup - that’s what they are for :wink:

Then you have the xojo2dmg.sh ShellScript in place (which will be called from the Xojo PostBuild Script).
And you can of course replace the BackgroundImages for the .dmg (or link to other ones in the Xojo PostBuild Script).

Correct. In your project you’re adding a new macOS PostBuild Step (a Script), and copy-paste from the xojo2dmg example project.
Modify to supply your CodeSigning info, adjust the dmg creation according to your layout needs. Read the comments (to set up Keychain item for Notarization). Edit values (want to CodeSign DebugRuns or not, …).

No. None of that is needed at all. That’s just to have an application as an example (and it contains the AppleScript/Automation stuff just to see, try and debug if everything is working and/or expectedly crashing with/without Codesign/Notarization).
All you need is the PostBuild Script (that needs to be added in your Xojo project), and the resources in the scripts folder (needs to be placed in the project folder as ‘external files’, which are not part of the Xojo project within the IDE).

No idea. If that’s important to you, file a Feedback case. Well possible the IDE doesn’t print PostBuild Scripts or something like that.
You can of course just copy-paste the contents to some TextEditor, and print from there.

Thank you very much.
Your test program unfortunately fails, complaining that “$PROJECT_PATH” is blank?
Yes, I did fill in sCODESIGN_IDENT, but did nothing else.

Maybe there’s more I need to do? - I’ll see if I can print out the script to look.

Here’s what’s shown in Terminal when I try building:

[code]"/Users/andyb/Downloads/Software/Programming/Xojo/xojo2dmg/scripts/xojo2dmg.sh" “$PROJECT_PATH” “/Users/andyb/Downloads/Software/Programming/Xojo/xojo2dmg/Builds - Xojo_2_DMG.xojo_binary_project/OS X 64 bit” “Xojo 2 DMG” “release” “yes” “Xojo 2 DMG Beta” “Xojo 2 DMG 0.9.9” “$PROJECT_PATH/scripts/resources/volumeicon.icns” “$PROJECT_PATH/scripts/resources/backgroundImage_1x.png” “$PROJECT_PATH/scripts/resources/backgroundImage_2x.png” “copy 2 Applications” “200, 100, 845, 585” “128” “16” “160, 340” “500, 340” “$PROJECT_PATH/scripts/resources/volumeicon.icns” “64Bit” “Developer ID Application: Andrew Broughton” “$PROJECT_PATH/scripts/resources/entitlements.plist” “yes”
Xojo2DMG: reading input variables…

Xojo2DMG: checking input variables…
Xojo2DMG ERROR: $PROJECT_PATH is empty.
NEW_CP1_DHCP_INSTANCE_0:~ andyb$
[/code]