Author Topic: MacOS App Signing and Notarizing  (Read 668 times)

axisdj

  • New Member
  • *
  • Posts: 46
MacOS App Signing and Notarizing
« on: July 24, 2020, 03:37:00 pm »
I wonder if any here have successfully got a macOS app signed. I have battled with it for a few days and keep running into problems. I have read over and over all the wikis and attempted each step by step.

Here are my questions:
1. Many of the docs and tools require different certificates; when downloading from the Apple site they are very hard to decipher
2. I got to the point where I was able to sign an app, partially, but it broke the app because it hardened the bundle (I ship 3rd party dynlibs)
3. I then tried entitlements but that did not seem to work

I tried this: https://gitlab.com/ccrdude/lazarus-mac-application-wizard, again I got the app to sign but it broke functionality and the Gatekeeper says Unnotarized Developer ID.

I know I may not have posted enough detail to help in my current situation, but if anyone has been through this and has any insight or advice it would be greatly appreciated.

I also had a very frustrating instance where I placed the proper icns file and edited the plist, but the icon did not show (even reboots did not work) until I created the dmg and dragged it out of the mounted drive.

Sorry about the rant just looking for guidance.

ASBzone

  • Sr. Member
  • ****
  • Posts: 479
  • Automation leads to relaxation...
    • Free Console Utilities for Windows from BrainWaveCC
Re: MacOS App Signing and Notarizing
« Reply #1 on: July 24, 2020, 05:59:43 pm »
I wonder if any here have successfully got a macOS app signed. I have battled with it for a few days and keep running into problems. I have read over and over all the wikis and attempted each step by step.
...
Sorry about the rant just looking for guidance.

I have zero experience with code signing on the Apple platforms, but have done it repeatedly for Windows.

One of the most helpful vendors in terms of documentation and tools was DigiCert, and they offer some guidance for MacOS code signing.  Perhaps it will help you.

https://www.digicert.com/kb/code-signing/mac-os-codesign-tool.htm

Also: https://developer.apple.com/developer-id/
-ASB: https://www.BrainWaveCC.com

Lazarus v2.0.11 r64032 / FPC v3.2.1-r47152 (via FpcUpDeluxe) -- Windows 64-bit install w/32-bit cross-compile
Primary System: Windows 10 Pro x64, Version 2009 (Build 19042)
Other Systems: Windows 10 Pro x64, Version 2004 (Build 19041) or greater

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1062
  • Former Delphi 1-7, 10.2 User
Re: MacOS App Signing and Notarizing
« Reply #2 on: July 25, 2020, 01:33:49 pm »
One of the most helpful vendors in terms of documentation and tools was DigiCert, and they offer some guidance for MacOS code signing.  Perhaps it will help you.

https://www.digicert.com/kb/code-signing/mac-os-codesign-tool.htm

Also: https://developer.apple.com/developer-id/

Beware: only Apple developer certificates can be used to code sign Mac applications.

See Apple Developer Certificates, Codesigning for macOS and Notarization for macOS 10.14.5+.
« Last Edit: July 25, 2020, 01:35:32 pm by trev »
o Lazarus v2.1.0 r63871, FPC v3.3.1 r47164, macOS 10.14.6, Xcode 11.3.1
o Lazarus v2.1.0 r64160, FPC v3.3.1 Nov 27 21:16:31, macOS 11.0.1 (aarch64), Xcode 12.2
o Lazarus v2.1.0 r61574, FPC v3.3.1 r42318, FreeBSD 12.1 amd64 (VMware VM)
o Lazarus v2.1.0 r61574, FPC v3.0.4, Ubuntu 20.04 (PD VM)

ChrisR

  • Full Member
  • ***
  • Posts: 174
Re: MacOS App Signing and Notarizing
« Reply #3 on: July 25, 2020, 08:30:27 pm »
Ryan Joseph helped me work out App Notarization. I tried to describe details here
  https://github.com/neurolabusc/NotarizeFPC
The bash script below provides a skeleton for notarizing a MacOS app. You need to set up the first few lines to provide specific details regarding your application. It is remarkable that this process is so convoluted and poorly documented. One would think that the world's most valuable company could invest in developing nice wrappers and clear documentation for this process. At least Xcode hides most of these issues from developers...


Code: Bash
#APP_NAME
# name of application without the .app extension, e.g. MyApp for MyApp.app
APP_NAME=MyApp
#APP_DIR
# folder with App and other files, typically includes executable and symbolic link to applications folder:
#  /Users/chris/MyApp/MyApp.app
#  /Users/chris/MyApp/Applications
#ln -s /Applications Applications
APP_DIR=/Users/chris/
#DEV_NAME
# Name of Apple Developer (quoted because it contains a space)
DEV_NAME="Chris Robin"
#APPLE_ID_USER
# Apple ID used for notarization (placeholder, replace with your own)
APPLE_ID_USER=user@example.com
#APP_SPECIFIC_PASSWORD
# Specific password for application, created on Apple Web Site
# (altool also accepts -p "@keychain:<item>" or "@env:<VAR>", which keeps the password out of this file)
APP_SPECIFIC_PASSWORD=abcd-abcd-abcd-abcd
#CODE_SIGN_SIGNATURE
# signing identity used for both the app bundle and the disk image
CODE_SIGN_SIGNATURE="Developer ID Application: ${DEV_NAME}"

#https://stackoverflow.com/questions/2870992/automatic-exit-from-bash-shell-script-on-error
# terminate on error
set -e

# work inside the folder that holds ${APP_NAME}.app
cd "${APP_DIR}${APP_NAME}"

# strip extended attributes (quarantine flags, resource forks) before signing
xattr -cr "${APP_NAME}.app"

echo "Code signing ${APP_NAME}..."
#2018 codesign -s "Developer ID Application: Christopher Rorden"  MRIcroGL.app
# sign with the hardened runtime and a secure timestamp, then verify and display the signature
codesign -vvv --force --deep --strict --options=runtime --timestamp -s "$CODE_SIGN_SIGNATURE" "${APP_NAME}.app"
codesign -vvvv --deep --strict "${APP_NAME}.app"
codesign -dv --verbose=4 "${APP_NAME}.app"

cd ..
# Clean up temporary files
rm -f "${APP_NAME}_macOS.dmg"
rm -f upload_log_file.txt
rm -f request_log_file.txt
rm -f log_file.txt

hdiutil create -volname "${APP_NAME}" -srcfolder "${APP_DIR}${APP_NAME}" -ov -format UDZO -layout SPUD -fs HFS+J "${APP_NAME}_macOS.dmg"

# sign the disk image with the same identity as the app
codesign -s "$CODE_SIGN_SIGNATURE" "${APP_NAME}_macOS.dmg"
# Notarizing with Apple...

echo "Uploading..."
xcrun altool --notarize-app -t osx --file "${APP_NAME}_macOS.dmg" --primary-bundle-id "com.mricro.${APP_NAME}" -u "$APPLE_ID_USER" -p "$APP_SPECIFIC_PASSWORD" --output-format xml > upload_log_file.txt

# WARNING: if there is a 'product-errors' key in upload_log_file.txt something went wrong
# we could parse it here and bail but not sure how to check for keys existing with PListBuddy
# /usr/libexec/PlistBuddy -c "Print :product-errors:0:message" upload_log_file.txt

# now we need to query apple's server to the status of notarization
# when the "xcrun altool --notarize-app" command is finished the output plist
# will contain a notarization-upload->RequestUUID key which we can use to check status
echo "Checking status..."
sleep 20
REQUEST_UUID=$(/usr/libexec/PlistBuddy -c "Print :notarization-upload:RequestUUID" upload_log_file.txt)
while true; do
  xcrun altool --notarization-info "$REQUEST_UUID" -u "$APPLE_ID_USER" -p "$APP_SPECIFIC_PASSWORD" --output-format xml > request_log_file.txt
  # parse the request plist for the notarization-info->Status Code key which will
  # be set to "success" if the package was notarized
  STATUS=$(/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" request_log_file.txt)
  if [ "$STATUS" != "in progress" ]; then
    break
  fi
  echo "$STATUS"
  sleep 10
done

# download the log file to view any issues
/usr/bin/curl -o log_file.txt "$(/usr/libexec/PlistBuddy -c "Print :notarization-info:LogFileURL" request_log_file.txt)"

# staple
echo "Stapling..."
xcrun stapler staple "${APP_NAME}_macOS.dmg"
xcrun stapler validate "${APP_NAME}_macOS.dmg"

open log_file.txt
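
The script above leaves the `product-errors` check as an open comment and leaves its polling loop on any status other than "in progress". The following is an added example, not part of the post or of the NotarizeFPC project: it reads the same altool XML plists with Python's `plistlib` and stops before stapling unless the status is "success". The function names and the sample plist values are constructed for illustration; the key names are the ones the script reads with PlistBuddy.

```python
import plistlib
import sys

# Constructed sample altool outputs (not real Apple responses).
UPLOAD_OK = {"notarization-upload": {"RequestUUID": "00000000-0000-0000-0000-000000000000"}}
UPLOAD_BAD = {"product-errors": [{"message": "constructed: upload rejected"}]}
INFO_BAD = {"notarization-info": {"Status": "invalid",
                                  "LogFileURL": "https://example.invalid/log.json"}}


class NotarizationError(Exception):
    """Raised when the pipeline must stop instead of stapling."""


def request_uuid(upload_plist: bytes) -> str:
    """Return RequestUUID from upload_log_file.txt, or raise on product-errors."""
    data = plistlib.loads(upload_plist)
    errors = data.get("product-errors")
    if errors:
        raise NotarizationError("; ".join(e.get("message", "?") for e in errors))
    try:
        return data["notarization-upload"]["RequestUUID"]
    except KeyError:
        raise NotarizationError("no RequestUUID in upload response") from None


def next_step(info_plist: bytes) -> str:
    """Map request_log_file.txt to 'wait' or 'staple'; raise on anything else."""
    info = plistlib.loads(info_plist).get("notarization-info", {})
    status = info.get("Status")
    if status == "in progress":
        return "wait"
    if status == "success":
        return "staple"
    # Any other status means the ticket was not issued; point at the log.
    raise NotarizationError(f"status {status!r}, see {info.get('LogFileURL')}")


if __name__ == "__main__":
    # usage: python3 check_notarize.py upload|info <plist file>
    kind, path = sys.argv[1:3]
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        print(request_uuid(raw) if kind == "upload" else next_step(raw))
    except NotarizationError as err:
        sys.exit(f"notarization failed: {err}")
```

Run from the shell script, a non-zero exit from this helper combined with `set -e` stops the run before `xcrun stapler staple` is reached.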

ASBzone

  • Sr. Member
  • ****
  • Posts: 479
  • Automation leads to relaxation...
    • Free Console Utilities for Windows from BrainWaveCC
Re: MacOS App Signing and Notarizing
« Reply #4 on: July 26, 2020, 04:26:05 am »
It is remarkable that this process is so convoluted and poorly documented. One would think that the world's most valuable company could invest in developing nice wrappers and clear documentation for this process. At least Xcode hides most of these issues from developers...

Ha!  Most things pertaining to encryption are poorly documented and cumbersome to implement for many of these major, valuable corporations.

Glad you got your issue worked out, though.   Thanks for the write up.

ChrisR

  • Full Member
  • ***
  • Posts: 174
Re: MacOS App Signing and Notarizing
« Reply #5 on: July 27, 2020, 03:41:01 pm »
This is another great resource for this topic:
  https://wiki.freepascal.org/Notarization_for_macOS_10.14.5%2B

 
