** Please note: WordPress keeps mangling my code examples by changing double dash to single dash. I tried to fix it. But it changed them all back again! If anyone knows how to get around this, please put something in the comments. **
Apple now wants you to ‘notarize’ your software. This is a process where you upload your software to Apple’s server so it can be scanned and certified malware free. This will probably become compulsory at some point, even (especially?) if your software isn’t in the Apple app store. Apple says:
Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks. When it’s ready to export for distribution, a ticket is attached to your software to let Gatekeeper know it’s been notarized.
…
When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware.
…
Note that in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple.
Documentation on notarization is a bit thin on the ground, especially if you want to notarize software that wasn’t built using Xcode (I build my software using QtCreator). So I am writing up my experiences here.
First you need to ensure you have macOS 10.14 and Xcode 10 installed (with command line tools) and you need a current Apple developer account.
Codesign your app with ‘hardened runtime’ using --options runtime:
codesign --deep --force --verify --verbose --sign "Developer ID Application:<developer id>" --options runtime <app file>
E.g.:
codesign --deep --force --verify --verbose --sign "Developer ID Application: Acme Ltd" --options runtime myApp.app
A ‘hardened runtime’ limits the data and resources an application can access. I’m not sure what the exact ramifications of this are. But it doesn’t seem to have restricted my software from doing anything it could do previously.
You can check the signing with:
codesign --verify --verbose=4 <app file>
E.g.:
codesign --verify --verbose=4 myApp.app
Now package your app into a .dmg (e.g. using DropDMG). Then upload the .dmg to Apple’s servers:
xcrun altool -t osx -f <dmg file> --primary-bundle-id <bundle id> --notarize-app --username <username>
E.g.:
xcrun altool -t osx -f myApp.dmg --primary-bundle-id com.acme.myapp --notarize-app --username [email protected]
You will be prompted for your Apple developer password (or you can include it on the command line).
You now have to wait a few minutes. If the upload is successful “No errors uploading ” will be shown and a unique ID will be returned. You then have to use this to request your upload be scanned:
xcrun altool --notarization-info <notarize ID> -u <username>
E.g.:
xcrun altool --notarization-info xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx -u [email protected]
You will be prompted for your Apple developer password (or you can include it on the command line).
Hopefully you will see “Status Message: Package Approved”. If the notarization fails, you should be sent a link to an online log file describing the issue. If the notarization completes successfully you need to ‘staple’ the results to your .dmg:
xcrun stapler staple -v <dmg file>
E.g.:
xcrun stapler staple -v myApp.dmg
The stapler outputs a log including some odd phrases. Mine included: “Humanity must endure”, “Let’s see how that works out.”, “Adding 1 blobs to superblob. What about Blob?” and “Enjoy”. Weird. Hopefully it will end with “The staple and validate action worked!”.
Finally you can unpack your .dmg into a .app and verify it with:
spctl -a -v <app file>
E.g.
spctl -a -v /Applications/myApp.app
On macOS 10.14 (but not earlier OSs) it should say “source=Notarized Developer ID”. Your software should now run on 10.14 without a warning dialog. Congratulations!
It all seems rather clumsy. As you have to wait asynchronously for the unique ID to be returned from step 1 before you can complete step 2, it is not easy to fully automate in a script. This is a major pain in the arse. If anyone works out a way to automate the whole process, please let me know.
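One way to script the submit, wait and staple sequence above, as an added example that is not the post author's code. It assumes `AC_USERNAME` and `AC_PASSWORD` are exported by the caller, and that altool prints a `RequestUUID = <id>` line after upload and a `Status:` line for `--notarization-info`; the function and variable names are hypothetical.

```shell
#!/bin/bash
# Added example. Assumptions: AC_USERNAME and AC_PASSWORD are exported by the
# caller; altool prints "RequestUUID = <id>" after upload and a "Status: <state>"
# line for --notarization-info.
ALTOOL=${ALTOOL:-"xcrun altool"}      # overridable so the flow can be tested offline
STAPLER=${STAPLER:-"xcrun stapler"}
POLL_SECONDS=${POLL_SECONDS:-30}
MAX_POLLS=${MAX_POLLS:-60}

# stdin: output of `altool --notarize-app`; stdout: the request ID, if any.
request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' | head -n 1
}

# stdin: output of `altool --notarization-info`; stdout: the Status field only
# ("Status Code:" and "Status Message:" lines do not match).
notarization_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# usage: notarize_and_staple <dmg file> <bundle id>
notarize_and_staple() {
    local dmg="$1" bundle_id="$2" out uuid status tries=0
    # "@env:AC_PASSWORD" makes altool read the password from the environment,
    # keeping it out of the script and the process list.
    out=$($ALTOOL --notarize-app -t osx -f "$dmg" --primary-bundle-id "$bundle_id" \
          --username "$AC_USERNAME" --password "@env:AC_PASSWORD" 2>&1)
    uuid=$(printf '%s\n' "$out" | request_uuid)
    if [ -z "$uuid" ]; then
        printf 'upload failed:\n%s\n' "$out" >&2
        return 1
    fi
    while [ "$tries" -lt "$MAX_POLLS" ]; do
        out=$($ALTOOL --notarization-info "$uuid" \
              --username "$AC_USERNAME" --password "@env:AC_PASSWORD" 2>&1)
        status=$(printf '%s\n' "$out" | notarization_status)
        case "$status" in
            success) $STAPLER staple -v "$dmg"; return ;;
            "in progress"|"") sleep "$POLL_SECONDS" ;;   # not scanned (or not listed) yet
            *) printf 'notarization failed (%s):\n%s\n' "$status" "$out" >&2; return 1 ;;
        esac
        tries=$((tries + 1))
    done
    printf 'gave up waiting for %s\n' "$uuid" >&2
    return 1
}
```

Source the file and call `notarize_and_staple myApp.dmg com.acme.myapp`; a non-zero return means the upload, the scan or the wait failed, so a build job can stop before shipping an unstapled image.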
Here are some links to the various posts that I gleaned this information from:
https://cycling74.com/forums/apple-notarizing-for-mojave-10-14-and-beyond
https://www.mbsplugins.de/archive/2018-11-02/Notarize_apps_for_MacOS
https://forum.xojo.com/50655-how-to-codesign-and-notarise-your-app-for-macos-10-14-and-highe
https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/11
https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode
https://lapcatsoftware.com/articles/debugging-mojave.html
Apple sent the following message out to developers yesterday:
Dear Developer,
We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.
In addition, we’ve made the following enhancements to the notarization process.
- Legacy code is fully supported, even if it contains unsigned binaries. While new software and updates require proper signatures in order to be notarized, you can upload your existing software as-is.
- Apps with plugin ecosystems are better supported.
- Stapler supports all types of bundles and plugins.
- Xcode 10.2 adds secure timestamps and other code signing options required by the notary service.
- Related documentation has also been improved. We encourage you to take a look at Notarizing Your Apps Before Distribution and Hardened Runtime Entitlements.
If you have any questions, contact us.
Best regards,
Apple Developer Relations
Many organizations have a solution to automate their build process for software and will need to now add submitting an app for notarization to this process. Before you start, there are a few things you should know:
- This is an automated scan that usually takes about 20 minutes and requires at least the 10.9 macOS SDK.
- Before submitting, make sure code-signing has been enabled for all executables and that you enabled the Hardened Runtime option.
- Find a workaround if you’re setting com.apple.security.get-task-allow to true for any reason.
- Make sure to use an Apple Developer ID instead of a local cert from Xcode for apps and kexts. And make sure all code-signing certs have a timestamp when running your distribution workflows in Xcode, or if using codesign, make sure to add --timestamp.
You can use any tools for the next steps. Because I have a Bamboo setup on my desk, next I’m going to open it and create a command task. To do so:
- Open the Tasks configuration tab for a job (or default job in a new plan).
- Click Add Task.
- Add a Task Description, which is just how the task is described in the Bamboo interface.
- Uncheck the box to “Disable this task”
- Provide a path to the command executable, which in this case will be a simple bash script that we’ll call /usr/bambooscripts/notarize.sh. If you’re stringing workflows together you might add other scripts as well (e.g. a per-product script as opposed to a generic script that takes positional parameters for arguments).
- Provide any necessary Arguments. In this case it’ll just be a simple job but you can reduce the work by adding arguments for processing paths of different products.
- Provide any necessary Environment Variables. We won’t use any in this project.
- Provide any necessary “Working Sub Directory” settings, which is an alternative directory rather than using a relative path. If you don’t provide a working sub directory, note that Bamboo looks for build files in the root directory.
- Click the Save button.
Now we’ll need to use xcrun with altool. Here, we’ll use the --notarize-app option, then define the bundle with --primary-bundle-id (using the reverse naming convention you’ve always used), then the --username and --password from your Apple ID linked to your Developer ID, and finally --file, which is the zipped output from Xcode.
#!/bin/bash
# Submit the zipped Xcode output to Apple's notary service.
/usr/bin/xcrun altool --notarize-app --primary-bundle-id "com.myorg.myproduct" --username "[email protected]" --password "icky_passwords" --file "/Users/krypted/Documents/myproduct.zip"
We'll call this script /usr/bambooscripts/notarize.sh and then let the job pick it up and process it.
Oh funny. I just noticed Rich Trouton posted a writeup on Notarization at https://derflounder.wordpress.com/2019/04/10/notarizing-automator-applications/. I'd read that as well.