RE: which entity has to be notarized/stapled?

toolbook at kestner.de
Thu May 6 06:37:26 EDT 2021


Hi Matthias,

your doc is wonderfully helpful!
It's just that the matter is pretty complex the first time, and there are quite a bunch of different approaches to take, and I have to find the pieces for my approach. Therefore I wouldn't chop it into several docs.

Sometimes I overlook some implicit information you give, like in this sentence: "To get our DMG and the containing pkg or app notarized by Apple we need to upload it to Apple."

For me it would sometimes be easier to read with some explicit information, like:
" When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.
DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:
Sign the app, put it in the DMG, sign the DMG, then upload the dmg to be notarized.
Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it" 

Which could be put at the beginning of chapter 7.

Or your explanation from your last post: "Stapling always staples the app, regardless if it is nested in one container or more. When you send your app as pkg, dmg or as pkg on dmg to Apple, then you can staple those containers, because the stapling goes "through" and the stapling information is written to the .app inside the container."

Which could be added to chapter 7.5.

Your guide is perfect to go through step by step, but I also want to understand what's going on behind the scenes, to know why I am doing what and what not.
But this is just my preference.

My 2 cents
Tiemo

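The two distribution flows quoted above (sign the app, package it, wrap it in a DMG, then submit only the top-level container and staple it; or notarize the zipped app on its own and ship it in a DMG that is not notarized), together with the productsign step from Matthias's earlier message further down in this thread, written out as one POSIX shell script. This is an added example, not code from the thread or from the LiveCode lesson; the Developer ID identity strings, the notarytool keychain profile name AC_PROFILE, all file paths and the DRY_RUN switch are assumptions, and xcrun notarytool (Xcode 13 and later) is assumed as the upload tool.

```shell
#!/bin/sh
# Added example (not from the thread or the lesson): the two Developer ID
# distribution flows discussed in the thread, as shell functions.
# Assumptions, all placeholders: the identity names, the notarytool keychain
# profile "AC_PROFILE", and every path. Set DRY_RUN=1 to print the command
# sequence instead of executing it.

APP_IDENTITY="Developer ID Application: Example Corp (TEAMID1234)"   # placeholder
PKG_IDENTITY="Developer ID Installer: Example Corp (TEAMID1234)"     # placeholder
NOTARY_PROFILE="AC_PROFILE"   # placeholder profile saved with `notarytool store-credentials`

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Code-sign the .app with the Application certificate. Hardened runtime and a
# secure timestamp are both required for notarization.
sign_app() {   # $1 = path to .app
    run codesign --force --timestamp --options runtime --sign "$APP_IDENTITY" "$1"
}

# Build a component package from the signed app and sign it with productsign.
# The Installer certificate is not a code-signing identity, which is why
# codesign rejects it with "this identity cannot be used for signing code".
build_signed_pkg() {   # $1 = .app, $2 = unsigned .pkg, $3 = signed .pkg
    run pkgbuild --component "$1" --install-location /Applications "$2"
    run productsign --sign "$PKG_IDENTITY" "$2" "$3"
}

# Wrap a folder into a compressed read-only DMG; optionally sign the image.
build_dmg() {   # $1 = staging folder, $2 = .dmg, $3 = "signed" or "unsigned"
    run hdiutil create -volname "Installer" -srcfolder "$1" -ov -format UDZO "$2"
    if [ "$3" = "signed" ]; then
        run codesign --force --timestamp --sign "$APP_IDENTITY" "$2"
    fi
}

# Submit one top-level item, wait for the verdict, staple the ticket to the
# chosen target, and validate the staple offline.
notarize_and_staple() {   # $1 = file to submit, $2 = item to staple
    run xcrun notarytool submit "$1" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$2"
    run xcrun stapler validate "$2"
}

# Flow 1: app -> signed pkg -> signed DMG. Only the outer DMG is submitted;
# Apple unpacks and notarizes the pkg and the app inside it, and the DMG is
# the item that gets stapled.
pipeline_pkg_on_dmg() {   # $1 = .app, $2 = work dir
    sign_app "$1"
    build_signed_pkg "$1" "$2/MyApp.pkg" "$2/MyApp_signed.pkg"
    run mkdir -p "$2/dmg_root"
    run cp "$2/MyApp_signed.pkg" "$2/dmg_root/"
    build_dmg "$2/dmg_root" "$2/MyApp.dmg" signed
    notarize_and_staple "$2/MyApp.dmg" "$2/MyApp.dmg"
}

# Flow 2: zip the signed app, notarize the zip, staple the .app itself (not
# the zip), then ship the app in a DMG that is neither notarized nor stapled.
pipeline_app_zip_then_dmg() {   # $1 = .app, $2 = work dir
    sign_app "$1"
    run ditto -c -k --keepParent "$1" "$2/MyApp.zip"
    notarize_and_staple "$2/MyApp.zip" "$1"
    run mkdir -p "$2/dmg_root"
    run ditto "$1" "$2/dmg_root/MyApp.app"
    build_dmg "$2/dmg_root" "$2/MyApp.dmg" unsigned
}

# Usage: DRY_RUN=1 sh notarize.sh pkg-on-dmg /path/to/MyApp.app /tmp/work
if [ $# -eq 3 ]; then
    case "$1" in
        pkg-on-dmg)  pipeline_pkg_on_dmg "$2" "$3" ;;
        app-zip-dmg) pipeline_app_zip_then_dmg "$2" "$3" ;;
        *) echo "unknown mode: $1" >&2; exit 2 ;;
    esac
fi
```

Run it with DRY_RUN=1 first to review the order of commands before anything is signed or uploaded. The point to check in the printed sequence is which identity goes where: the Installer identity appears only on the productsign line, the Application identity only on codesign lines, and there is exactly one notarytool submission per flow, always for the top-level item that is handed to Apple.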

-----Original Message-----
From: use-livecode <use-livecode-bounces at lists.runrev.com> On behalf of matthias rebbe via use-livecode
Sent: Thursday, 6 May 2021 11:42
To: How to use LiveCode <use-livecode at lists.runrev.com>
Cc: matthias_livecode_150811 at m-r-d.de
Subject: Re: which entity has to be notarized/stapled?

Tiemo,

I am wondering if my lesson is not clear enough about this. What do you think?

I really thought that it's clear that you just have to send only the top-level container to Apple and that the local stapling process goes through the container and writes the information to the app within the container.

Or is the lesson just too complex, and I should divide it into multiple parts to make it easier to understand?

Matthias



> On 06.05.2021 at 11:19, Tiemo via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> I found an answer to my question here https://developer.apple.com/forums/thread/650288 :
> 
> You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.
> 
> The recommended QA procedure for installation is to start with a fresh macOS VM instance and use Air Drop or a web browser to download the file into it. Then double click on it like a user would. If it installs and runs properly, you can ship it.
> 
> DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:
> 
>     Sign the app, put it in the DMG, sign the DMG, then upload the dmg to be notarized.
> 
>     Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it
> 
> When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.
> 
> You can read a lot more here: 
> https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
> 
> Tiemo
> 
> 
> -----Original Message-----
> From: use-livecode <use-livecode-bounces at lists.runrev.com> On behalf of Tiemo via use-livecode
> Sent: Thursday, 6 May 2021 10:28
> To: 'How to use LiveCode' <use-livecode at lists.runrev.com>
> Cc: toolbook at kestner.de
> Subject: which entity has to be notarized/stapled?
> 
> One question is left for me about notarization and stapling. If you have an app, which is packaged and the package is wrapped in a DMG, which instance should be notarized and which stapled? All three, each one after the other, before proceeding to the next step, or only the outer shell, in this case the DMG?
> 
> Is the notarization/stapling checked by Gatekeeper only once at installation time, or at each start of the app?
> If I only notarized and stapled the outer DMG, are the notarization and stapling automatically passed downwards to the content of the DMG, down to the package and the app inside the package? Or, on the other hand, would it interfere with the process if I did notarization and stapling at each step?
> 
> Thanks for giving some insight into Gatekeeper's behaviour.
> 
> @Matthias: perhaps you want to add this information also in your doc in chapter 7 / 7.5 to clarify this question?
> 
> Thanks
> Tiemo
> 
> -----Original Message-----
> From: use-livecode <use-livecode-bounces at lists.runrev.com> On behalf of matthias rebbe via use-livecode
> Sent: Thursday, 6 May 2021 01:18
> To: How to use LiveCode <use-livecode at lists.runrev.com>
> Cc: matthias_livecode_150811 at m-r-d.de
> Subject: Re: notarizing DMG fails - solved
> 
> Thanks Phil.
> 
> 
> @all
> I've updated the lesson at
> 
> https://lessons.livecode.com/m/4071/l/1122100-codesigning-and-notarizing-your-lc-standalone-for-distribution-outside-the-mac-appstore
> 
> now and added detailed information about package installers.
> So it now also contains information about how to create, sign and notarize package installers or package installers on dmg.
> 
> 
> It would be really awesome if someone could check it. I needed to insert some additional steps and I really hope that I did not forget to adjust some references to internal steps.
> 
> So please let me know if you find any errors, typos or wrong information.
> 
> Thanks.
> 
> Matthias
> 
> 
>> On 05.05.2021 at 19:49, Phil Davis via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Thank you Matthias! Your tools make my life SO much easier! You have 
>> done a great service for this community.
>> 
>> Phil Davis
>> 
>> 
>> On 5/5/21 2:20 AM, matthias rebbe via use-livecode wrote:
>>>> On 05.05.2021 at 11:10, Tiemo via use-livecode <use-livecode at lists.runrev.com> wrote:
>>>> 
>>>> Thank you all for helping my lost soul in Apple's notarizing nirvana
>>>> 
>>>> Tiemo
>>>> 
>>>> P.S.
>>>> Matthias, perhaps you want to add this in your great helpfile - without that it would have taken weeks for me!
>>>> 
>>> I am currently working on it. ;)
>>> First I will just add a note, but later, when I have more free time, I will enhance it to describe it all in more detail.
>>> 
>>> The Helper Stack will also get an update to support package installers. But it takes some time.
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: use-livecode <use-livecode-bounces at lists.runrev.com> On behalf of matthias rebbe via use-livecode
>>>> Sent: Wednesday, 5 May 2021 10:31
>>>> To: How to use LiveCode <use-livecode at lists.runrev.com>
>>>> Cc: matthias_livecode_150811 at m-r-d.de
>>>> Subject: Re: notarizing DMG fails
>>>> 
>>>> Tiemo,
>>>> 
>>>> I think I found the solution. I tried here myself and also got the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate for signing the .pkg.
>>>> According to Apple (see point 2)
>>>> https://help.apple.com/xcode/mac/current/#/deve51ce7c3d
>>>> 
>>>> you have to use the tool productsign to sign the package installer. 
>>>> 
>>>> So the syntax is like this
>>>> 
>>>> productsign --sign <Your_Developer_Installer_ID> <Path_to_PKG> <Path_where_the_signed_PKG_shall_be_written>
>>>> 
>>>> Example
>>>> productsign --sign "Developer ID Installer: Matthias Rebbe (xxxxxxxx)"  "/users/matthias/LC/builts/test/test.pkg" "/users/matthias/LC/builts/test/test_signed.pkg"
>>>> 
>>>> After successful signing I got these messages in Terminal
>>>> 
>>>> productsign: using timestamp authority for signature
>>>> productsign: signing product with identity "Developer ID Installer: Matthias Rebbe (xxxxxxxx)" from keychain /Users/matthias/Library/Keychains/login.keychain-db
>>>> productsign: adding certificate "Developer ID Certification Authority"
>>>> productsign: adding certificate "Apple Root CA"
>>>> productsign: Wrote signed product archive to /users/matthias/LC/builts/test/test_signed.pkg
>>>> 
>>>> 
>>>> Regards
>>>> 
>>>> -
>>>> Matthias Rebbe
>>>> Life Is Too Short For Boring Code
>>> 
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com <mailto:use-livecode at lists.runrev.com>
>>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>> 
>> --
>> Phil Davis
>> 503-307-4363
>> 
>> 
> 
> 
> 
> 
> 
> 



-
Matthias Rebbe
Life Is Too Short For Boring Code
