Notarization & hardening for macOS non-App Store Apps?

kee nethery kee.nethery at elloco.com
Thu May 9 20:49:10 EDT 2019



> On May 9, 2019, at 5:42 PM, Monte Goulding via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Looks like the hardened runtime needs —options=runtime

Which what terminal command would —options=runtime be used?

From what I can see, the only place to enable hardened runtime is with projects in Xcode and … this is not a project in Xcode, right?

> 
> https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc <https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc>
> 
> For the others are you using —force —deep to ensure you replace any existing code signatures?

yes. Learning lots about codesign and xattr and spctl but am really just a code monkey pressing keys hoping for Shakespeare.

Kee


> 
>> On 10 May 2019, at 10:29 am, kee nethery via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Help.
>> 
>> I volunteered to research this topic and present on it. I’ve documented the process to upload to the App Store, figured this would be less steps and I could figure it out and present on it at the LiveCode conference (as well as document it on the lessons web site).
>> 
>> There are two issues I’m running into and I could sorely use some help if any of you have gone through this notarization process on a macOS app. 
>> 
>> Kee Nethery
>> 
>> ——— TLDR ——— 
>> 
>> The developer ID certificate is the same one used to sign an app on the AppStore and it is not expired so … I’m really stumped as to why it is not signed with a valid Developer ID.
>> 
>> I set the —timestamp flag in the codesign command so it should have gotten a timestamp. Again, WTF?
>> 
>> And once those get resolved, without using Xcode, I have no idea how to “have the hardened runtime enabled”.
>> 
>> In specific I get the following error report.
>> 
>> 
>> 
>> 
>> {
>> "logFormatVersion": 1,
>> "jobId": "44f6d3f6-520b-4993-89af-3290ae2709c5",
>> "status": "Invalid",
>> "statusSummary": "Archive contains critical validation errors",
>> "statusCode": 4000,
>> "archiveFilename": "99_Bottles.pkg",
>> "uploadDate": "2019-05-08T00:41:02Z",
>> "sha256": "8f51bb68f65c36beed94c717d1bb49a146e927fe591aa4f3755aba2793bab7b3",
>> "ticketContents": null,
>> "issues": [
>>   {
>>     "severity": "error",
>>     "code": null,
>>     "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
>>     "message": "The binary is not signed with a valid Developer ID certificate.",
>>     "docUrl": null,
>>     "architecture": "x86_64"
>>   },
>>   {
>>     "severity": "error",
>>     "code": null,
>>     "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/revsecurity.dylib",
>>     "message": "The signature does not include a secure timestamp.",
>>     "docUrl": null,
>>     "architecture": "x86_64"
>>   },
>>   {
>>     "severity": "error",
>>     "code": null,
>>     "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>>     "message": "The binary is not signed with a valid Developer ID certificate.",
>>     "docUrl": null,
>>     "architecture": "x86_64"
>>   },
>>   {
>>     "severity": "error",
>>     "code": null,
>>     "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>>     "message": "The signature does not include a secure timestamp.",
>>     "docUrl": null,
>>     "architecture": "x86_64"
>>   },
>>   {
>>     "severity": "error",
>>     "code": null,
>>     "path": "99_Bottles.pkg/com..99bottles.pkg Contents/Payload/99 Bottles.app/Contents/MacOS/99 Bottles",
>>     "message": "The executable does not have the hardened runtime enabled.",
>>     "docUrl": null,
>>     "architecture": "x86_64"
>>   }
>> ]
>> }
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode





More information about the use-livecode mailing list