which entity has to be notarized/stapled?

toolbook at kestner.de toolbook at kestner.de
Thu May 6 04:28:12 EDT 2021 

One question is left for me about notarization and stapling. If you have an app, which is packaged and the package is wrapped in a DMG, which instance should be notarized and which stapled? All three, each one after the other, before proceeding to the next step, or only the outer shell, in this case the DMG?

Is the notarization/stapeling checked by the gatekeeper only once at installation time or at each start of the app?
If I would only notarize and staple the outer DMG, is the notarization and stapling be automatically issued downwards to the content of the DMG down to the package and the app inside the package? Or on the other hand, would it interfere the process, if I would do notarization and stapling at each step?

Thanks for getting some insight in gatekeepers behaviour.

@Matthias: perhaps you want to add this information also in you doc in chapter 7 / 7.5 to clarify this question?

Thanks
Tiemo

-----Ursprüngliche Nachricht-----
Von: use-livecode <use-livecode-bounces at lists.runrev.com> Im Auftrag von matthias rebbe via use-livecode
Gesendet: Donnerstag, 6. Mai 2021 01:18
An: How to use LiveCode <use-livecode at lists.runrev.com>
Cc: matthias_livecode_150811 at m-r-d.de
Betreff: Re: notarizing DMG fails - solved

Thanks Phil.


@all
I've updated the lesson at

https://lessons.livecode.com/m/4071/l/1122100-codesigning-and-notarizing-your-lc-standalone-for-distribution-outside-the-mac-appstore

now and added detailed information about package installers. 
So it now contains also information about how to create,sign and notarize package installers or package installers on dmg.


It would be really awesome, if someone could check it. I needed to insert some additional steps and i really hope that i did not forget to adjust some references to internal steps.

So please let me if you find any errors, typos or wrong information.

Thanks.

Matthias


> Am 05.05.2021 um 19:49 schrieb Phil Davis via use-livecode <use-livecode at lists.runrev.com>:
> 
> Thank you Matthias! Your tools make my life SO much easier! You have 
> done a great service for this community.
> 
> Phil Davis
> 
> 
> On 5/5/21 2:20 AM, matthias rebbe via use-livecode wrote:
>>> Am 05.05.2021 um 11:10 schrieb Tiemo via use-livecode <use-livecode at lists.runrev.com>:
>>> 
>>> Thank you all for helping my lost soul in Apples notarizing nirvana
>>> 
>>> Tiemo
>>> 
>>> P.S.
>>> Matthias, perhaps you want to add this in your great helpfile - without that it would have taken weeks for me!
>>> 
>> I am currently working on it. ;)
>> First i will just add a note, but later, when i have more free time  i will enhance it to describe all more detailed.
>> 
>> The Helper Stack will also get an update to support package installers. But it takes some time.
>> 
>> 
>> 
>>> -----Ursprüngliche Nachricht-----
>>> Von: use-livecode <use-livecode-bounces at lists.runrev.com> Im Auftrag 
>>> von matthias rebbe via use-livecode
>>> Gesendet: Mittwoch, 5. Mai 2021 10:31
>>> An: How to use LiveCode <use-livecode at lists.runrev.com>
>>> Cc: matthias_livecode_150811 at m-r-d.de
>>> Betreff: Re: notarizing DMG fails
>>> 
>>> Tiemo,
>>> 
>>> i think i found the solution. I tried here myself and did als get the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate for signing the .pkg.
>>> According to Apple (see point 2)
>>> https://help.apple.com/xcode/mac/current/#/deve51ce7c3d
>>> 
>>> you have to use the tool productsign to sign the package installer. 
>>> 
>>> So the syntax is like this
>>> 
>>> productsign --sign <Your_Developer_Installer_ID> <Path_to_PKG>  
>>> <Path_where_the_signed_PKG_shall_be written>
>>> 
>>> Example
>>> productsign --sign "Developer ID Installer: Matthias Rebbe (xxxxxxxx)"  "/users/matthias/LC/builts/test/test.pkg" "/users/matthias/LC/builts/test/test_signed.pkg"
>>> 
>>> After successful signing i got this messages in Terminal
>>> 
>>> productsign: using timestamp authority for signature
>>> productsign: signing product with identity "Developer ID Installer: 
>>> Matthias Rebbe (xxxxxxxx)" from keychain 
>>> /Users/matthias/Library/Keychains/login.keychain-db
>>> productsign: adding certificate "Developer ID Certification Authority"
>>> productsign: adding certificate "Apple Root CA"
>>> productsign: Wrote signed product archive to 
>>> /users/matthias/LC/builts/test/test_signed.pkg
>>> 
>>> 
>>> Regards
>>> 
>>> -
>>> Matthias Rebbe
>>> Life Is Too Short For Boring Code
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> --
> Phil Davis
> 503-307-4363
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


_______________________________________________
use-livecode mailing list
use-livecode at lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

More information about the use-livecode mailing list