
Author Topic: CodeSign and Notarize procedures

rossh_lz

CodeSign and Notarize procedures
« on: July 31, 2019, 03:34:22 pm »
I posted some years ago about how to codesign outside Xcode:
(https://forum.lazarus.freepascal.org/index.php/topic,17712.0.html)

But now Apple have added App Bundle notarizing, where they co-sign the bundle.

The procedure I am using now is (new is bold):

Setup:
1/  Join the Mac Dev Center through Appstore.  $99 a year - suck it up.
2/  In the Dev center, go to the certificate section, and create 2 certificates: Go to: Certificates -> + to create new -> Production -> Developer ID -> (1) Developer ID Application, and (2) Developer ID Installer. You do this in conjunction with the Keychain utility program and its Assistant, and request a cert (use the saved-to-disk method).
3/  Download those two certs and install into your KeyChain (click the cer file).
4/  Download two more intermediate certs: Go to: Certificates -> + to create new -> Intermediate certs, and get both the WWDR and Developer ID Intermediate certs. You might already have these. Install these into your Keychain.

Signing:
5/  Sign your .app bundle:
/usr/bin/codesign -f -o runtime --timestamp -s "Developer ID Application: My Software Corp." /path/to/my/app/bundle.app

6/  Make your package file with your signed .app above

7/  Sign your .pkg file:
/usr/bin/productsign --sign "Developer ID Installer: MyCoName inc." /input/path/to/package.pkg  /OUTPUT/path/for/the/result.pkg

8/  Make your .dmg file as required.

Notarizing:
9/  Upload finished dmg to Apple:
/usr/bin/xcrun altool --notarize-app --primary-bundle-id "com.software.myapp.random" -u "me@mysoftware.com" -p "my_password" -t osx -f /path/to/my/dmg/file.dmg

10/  Wait... Check progress with:
/usr/bin/xcrun altool --notarization-history 0 -u "me@mysoftware.com" -p "my_password"

11/  After the above step registers "Package Approved":
/usr/bin/xcrun stapler staple  /path/to/my/dmg/file.dmg

Done.

To verify, install the app and call
/usr/bin/spctl -a -v /Applications/myappbundle.app
which will return "accepted" if all OK.

***************

Notes:
Step 9 requires you to have new 2FA application sign-ins; see:
https://support.apple.com/en-us/HT204397

Apple's guide to notarizing:
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc

I am still using the PackageMaker utility app to make the packages, and all is well. But its days are numbered (32-bit app). I will have to move on to pkgbuild and productbuild one day soon.
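As an added example (not code from the original post), the shell functions below wrap steps 9 to 11 so that the staple step only runs once altool's history shows "Package Approved", and finish with the spctl check from the post plus a strict codesign verification. The sample altool outputs are constructed to mirror the tool's format; the UUIDs, paths and the APPLE_ID/APPLE_PW variables are placeholders.

```shell
# Added example, not from the original post: wrap the thread's steps 9-11 in
# shell functions and only staple once altool's history shows "Package Approved".
# The sample outputs are constructed; UUIDs, paths and APPLE_ID/APPLE_PW are placeholders.

# Constructed sample of what `xcrun altool --notarize-app` prints on success.
SAMPLE_SUBMIT='No errors uploading /path/to/my/dmg/file.dmg.
RequestUUID = 11111111-2222-3333-4444-555555555555'

# Constructed sample of `xcrun altool --notarization-history 0` output.
SAMPLE_HISTORY='Notarization History - page 0

Date                      RequestUUID                          Status      Status Code Status Message
------------------------- ------------------------------------ ----------- ----------- ----------------
2019-07-31 15:40:12 +0000 11111111-2222-3333-4444-555555555555 success     0           Package Approved
2019-07-31 14:02:03 +0000 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee invalid     2           Package Invalid
2019-07-31 13:55:10 +0000 99999999-8888-7777-6666-555555555555 in progress'

# Extract the RequestUUID from altool's submission output (read from stdin).
request_uuid() { sed -n 's/^RequestUUID = *//p'; }

# Print the status columns for one request from history text on stdin, with runs
# of spaces collapsed ("success 0 Package Approved"); empty if the UUID is absent.
request_status() {
  grep -F -- "$1" | sed "s/.*$1 *//; s/  */ /g; s/ *\$//"
}

# Submit the dmg, poll until Apple approves (or rejects) it, then staple the
# ticket. "in progress" keeps polling; "invalid" aborts instead of stapling.
notarize_and_staple() {  # $1 = primary bundle id, $2 = dmg path
  uuid=$(/usr/bin/xcrun altool --notarize-app --primary-bundle-id "$1" \
           -u "$APPLE_ID" -p "$APPLE_PW" -t osx -f "$2" | request_uuid)
  [ -n "$uuid" ] || { echo "submission failed" >&2; return 1; }
  while :; do
    st=$(/usr/bin/xcrun altool --notarization-history 0 \
           -u "$APPLE_ID" -p "$APPLE_PW" | request_status "$uuid")
    case $st in
      *'Package Approved'*) break ;;
      invalid*) echo "notarization rejected: $st" >&2; return 1 ;;
      *) sleep 60 ;;
    esac
  done
  /usr/bin/xcrun stapler staple "$2"
}

# The thread's post-install spctl check, preceded by a strict codesign verify.
verify_app() {  # $1 = installed .app path
  /usr/bin/codesign --verify --deep --strict --verbose=2 "$1" &&
  /usr/bin/spctl -a -vv "$1"
}
```

Apple has since replaced altool's notarization commands with `xcrun notarytool`, which reports status in a different layout, so the parsing above matches only the altool table this post describes.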


jwdietrich

Re: CodeSign and Notarize procedures
« Reply #1 on: August 10, 2019, 06:57:15 am »
Thanks for providing this important information. Would you mind updating the corresponding wiki page?
function GetRandomNumber: integer; // xkcd.com
begin
  GetRandomNumber := 4; // chosen by fair dice roll. Guaranteed to be random.
end;

http://www.formatio-reticularis.de

Lazarus 2.0.2 | FPC 3.0.4 | PPC, Intel, ARM | macOS, Windows, Linux