Notarization & hardening for macOS non-App Store Apps?

kee nethery kee.nethery at elloco.com
Thu May 9 20:29:52 EDT 2019 

Help.

I volunteered to research this topic and present on it. I’ve documented the process to upload to the App Store, figured this would be less steps and I could figure it out and present on it at the LiveCode conference (as well as document it on the lessons web site).

There are two issues I’m running into and I could sorely use some help if any of you have gone through this notarization process on a macOS app. 

Kee Nethery

——— TLDR ——— 

The developer ID certificate is the same one used to sign an app on the AppStore and it is not expired so … I’m really stumped as to why it is not signed with a valid Developer ID.

I set the —timestamp flag in the codesign command so it should have gotten a timestamp. Again, WTF?

And once those get resolved, without using Xcode, I have no idea how to “have the hardened runtime enabled”.

In specific I get the following error report.




{
  "logFormatVersion": 1,
  "jobId": "44f6d3f6-520b-4993-89af-3290ae2709c5",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "99_Bottles.pkg",
  "uploadDate": "2019-05-08T00:41:02Z",
  "sha256": "8f51bb68f65c36beed94c717d1bb49a146e927fe591aa4f3755aba2793bab7b3",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

More information about the use-livecode mailing list