Notarization & hardening for macOS non-App Store Apps?

Monte Goulding monte at appisle.net
Thu May 9 20:42:06 EDT 2019 

Looks like the hardened runtime needs —options=runtime

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc <https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc>

For the others are you using —force —deep to ensure you replace any existing code signatures?

> On 10 May 2019, at 10:29 am, kee nethery via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Help.
> 
> I volunteered to research this topic and present on it. I’ve documented the process to upload to the App Store, figured this would be less steps and I could figure it out and present on it at the LiveCode conference (as well as document it on the lessons web site).
> 
> There are two issues I’m running into and I could sorely use some help if any of you have gone through this notarization process on a macOS app. 
> 
> Kee Nethery
> 
> ——— TLDR ——— 
> 
> The developer ID certificate is the same one used to sign an app on the AppStore and it is not expired so … I’m really stumped as to why it is not signed with a valid Developer ID.
> 
> I set the —timestamp flag in the codesign command so it should have gotten a timestamp. Again, WTF?
> 
> And once those get resolved, without using Xcode, I have no idea how to “have the hardened runtime enabled”.
> 
> In specific I get the following error report.
> 
> 
> 
> 
> {
>  "logFormatVersion": 1,
>  "jobId": "44f6d3f6-520b-4993-89af-3290ae2709c5",
>  "status": "Invalid",
>  "statusSummary": "Archive contains critical validation errors",
>  "statusCode": 4000,
>  "archiveFilename": "99_Bottles.pkg",
>  "uploadDate": "2019-05-08T00:41:02Z",
>  "sha256": "8f51bb68f65c36beed94c717d1bb49a146e927fe591aa4f3755aba2793bab7b3",
>  "ticketContents": null,
>  "issues": [
>    {
>      "severity": "error",
>      "code": null,
>      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
>      "message": "The binary is not signed with a valid Developer ID certificate.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    },
>    {
>      "severity": "error",
>      "code": null,
>      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
>      "message": "The signature does not include a secure timestamp.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    },
>    {
>      "severity": "error",
>      "code": null,
>      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>      "message": "The binary is not signed with a valid Developer ID certificate.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    },
>    {
>      "severity": "error",
>      "code": null,
>      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>      "message": "The signature does not include a secure timestamp.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    },
>    {
>      "severity": "error",
>      "code": null,
>      "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>      "message": "The executable does not have the hardened runtime enabled.",
>      "docUrl": null,
>      "architecture": "x86_64"
>    }
>  ]
> }
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

More information about the use-livecode mailing list