AW: which entity has to be notarized/stapled?

toolbook at kestner.de toolbook at kestner.de
Thu May 6 05:19:01 EDT 2021


I found an answer to my question here https://developer.apple.com/forums/thread/650288 :

You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.

The recommended QA procedure for installation is to start with a fresh macOS VM instance and use Air Drop or a web browser to download the file into it. Then double click on it like a user would. If it installs and runs properly, you can ship it.

DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:

     Sign the app, put it in the DMG, sign the DMG, then upload the dmg to be notarized.

     Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it

When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.

You can read a lot more here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

Tiemo


-----Ursprüngliche Nachricht-----
Von: use-livecode <use-livecode-bounces at lists.runrev.com> Im Auftrag von Tiemo via use-livecode
Gesendet: Donnerstag, 6. Mai 2021 10:28
An: 'How to use LiveCode' <use-livecode at lists.runrev.com>
Cc: toolbook at kestner.de
Betreff: which entity has to be notarized/stapled?

One question is left for me about notarization and stapling. If you have an app, which is packaged and the package is wrapped in a DMG, which instance should be notarized and which stapled? All three, each one after the other, before proceeding to the next step, or only the outer shell, in this case the DMG?

Is the notarization/stapeling checked by the gatekeeper only once at installation time or at each start of the app?
If I would only notarize and staple the outer DMG, is the notarization and stapling be automatically issued downwards to the content of the DMG down to the package and the app inside the package? Or on the other hand, would it interfere the process, if I would do notarization and stapling at each step?

Thanks for getting some insight in gatekeepers behaviour.

@Matthias: perhaps you want to add this information also in you doc in chapter 7 / 7.5 to clarify this question?

Thanks
Tiemo

-----Ursprüngliche Nachricht-----
Von: use-livecode <use-livecode-bounces at lists.runrev.com> Im Auftrag von matthias rebbe via use-livecode
Gesendet: Donnerstag, 6. Mai 2021 01:18
An: How to use LiveCode <use-livecode at lists.runrev.com>
Cc: matthias_livecode_150811 at m-r-d.de
Betreff: Re: notarizing DMG fails - solved

Thanks Phil.


@all
I've updated the lesson at

https://lessons.livecode.com/m/4071/l/1122100-codesigning-and-notarizing-your-lc-standalone-for-distribution-outside-the-mac-appstore

now and added detailed information about package installers. 
So it now contains also information about how to create,sign and notarize package installers or package installers on dmg.


It would be really awesome, if someone could check it. I needed to insert some additional steps and i really hope that i did not forget to adjust some references to internal steps.

So please let me if you find any errors, typos or wrong information.

Thanks.

Matthias


> Am 05.05.2021 um 19:49 schrieb Phil Davis via use-livecode <use-livecode at lists.runrev.com>:
> 
> Thank you Matthias! Your tools make my life SO much easier! You have 
> done a great service for this community.
> 
> Phil Davis
> 
> 
> On 5/5/21 2:20 AM, matthias rebbe via use-livecode wrote:
>>> Am 05.05.2021 um 11:10 schrieb Tiemo via use-livecode <use-livecode at lists.runrev.com>:
>>> 
>>> Thank you all for helping my lost soul in Apples notarizing nirvana
>>> 
>>> Tiemo
>>> 
>>> P.S.
>>> Matthias, perhaps you want to add this in your great helpfile - without that it would have taken weeks for me!
>>> 
>> I am currently working on it. ;)
>> First i will just add a note, but later, when i have more free time  i will enhance it to describe all more detailed.
>> 
>> The Helper Stack will also get an update to support package installers. But it takes some time.
>> 
>> 
>> 
>>> -----Ursprüngliche Nachricht-----
>>> Von: use-livecode <use-livecode-bounces at lists.runrev.com> Im Auftrag 
>>> von matthias rebbe via use-livecode
>>> Gesendet: Mittwoch, 5. Mai 2021 10:31
>>> An: How to use LiveCode <use-livecode at lists.runrev.com>
>>> Cc: matthias_livecode_150811 at m-r-d.de
>>> Betreff: Re: notarizing DMG fails
>>> 
>>> Tiemo,
>>> 
>>> i think i found the solution. I tried here myself and did als get the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate for signing the .pkg.
>>> According to Apple (see point 2)
>>> https://help.apple.com/xcode/mac/current/#/deve51ce7c3d
>>> 
>>> you have to use the tool productsign to sign the package installer. 
>>> 
>>> So the syntax is like this
>>> 
>>> productsign --sign <Your_Developer_Installer_ID> <Path_to_PKG> 
>>> <Path_where_the_signed_PKG_shall_be written>
>>> 
>>> Example
>>> productsign --sign "Developer ID Installer: Matthias Rebbe (xxxxxxxx)"  "/users/matthias/LC/builts/test/test.pkg" "/users/matthias/LC/builts/test/test_signed.pkg"
>>> 
>>> After successful signing i got this messages in Terminal
>>> 
>>> productsign: using timestamp authority for signature
>>> productsign: signing product with identity "Developer ID Installer: 
>>> Matthias Rebbe (xxxxxxxx)" from keychain 
>>> /Users/matthias/Library/Keychains/login.keychain-db
>>> productsign: adding certificate "Developer ID Certification Authority"
>>> productsign: adding certificate "Apple Root CA"
>>> productsign: Wrote signed product archive to 
>>> /users/matthias/LC/builts/test/test_signed.pkg
>>> 
>>> 
>>> Regards
>>> 
>>> -
>>> Matthias Rebbe
>>> Life Is Too Short For Boring Code
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> --
> Phil Davis
> 503-307-4363
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


_______________________________________________
use-livecode mailing list
use-livecode at lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode


_______________________________________________
use-livecode mailing list
use-livecode at lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode





More information about the use-livecode mailing list