Notarisation for dummies
-
Should I be able to codesign and notarize an app - as in a file with a .app extension?
Terminal says no. I want to supply a standalone app without an installer. Its only use is for downloading sample content.
Any info welcome.
PS - I'm happily codesigning and notarizing .pkgs...
-
@danh You code sign pkgs?
-
-
@d-healey I do, yes, but does anyone know about .app's? Just pinging an app to users can result in the 'OSX cannot check it for malicious content' message.
-
@lindon Oh it's been so long since I did it I'm misremembering the process
-
@danh - what are Apple telling you when you try to notarize the .app ???
-
@lindon that it's not codesigned... Can't get the first part to work basically
Please let me know if any of the below has any clues for you
{
  "logFormatVersion": 1,
  "jobId": "e7ddde08-d7e4-4a35-af9d-ca55954eee03",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "TEST-SAMPLES-DOWNLOADER_signed.pkg",
  "uploadDate": "2022-02-01T13:10:53Z",
  "sha256": "4282dcf278ae44b528e64083b6f4aeb22a59da516e60f725013b240a33f3af72",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
I should also add that I tried using @d-healey's export app which should codesign and notarize the .pkg that it builds but I got this notarization error
-
@danh well I think all the info you need is right there,
The pkg isn't signed
there's no timestamp on it - it's not hardened runtime...
-
@lindon Thanks, yep, I must have been thinking it was the standalone that wasn't signed rather than the package.
I guess in any case I'm looking to sign and notarize the app directly, in app form, so not in a .pkg.
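
An added example, not part of any post in this thread and not Apple's tooling: a short Python script that reads a notarization log of the shape posted above and reports, per .app bundle, which codesign options its errors call for. The sample log, the bundle name Demo.app and the signing identity are constructed placeholders.

```python
import json
import shlex

# Log messages as posted above, mapped to the codesign option that answers
# each one ("" means signing at all is the fix).
REMEDY = {
    "The binary is not signed.": "",
    "The signature does not include a secure timestamp.": "--timestamp",
    "The executable does not have the hardened runtime enabled.": "--options runtime",
}

def _issue(message, severity="error"):
    # Constructed issue entry in the same shape as the posted log.
    return {"severity": severity, "code": None, "message": message,
            "path": "Demo_signed.pkg/Demo.pkg Contents/Payload/Applications/"
                    "Demo.app/Contents/MacOS/Demo",
            "docUrl": None, "architecture": "x86_64"}

SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1, "status": "Invalid", "statusCode": 4000,
    "archiveFilename": "Demo_signed.pkg",
    "issues": [_issue(m) for m in REMEDY] + [_issue("Constructed warning.", "warning")],
})

def bundle_of(path):
    """Innermost .app on an issue path, else the last path component."""
    parts = path.split("/")
    apps = [p for p in parts if p.endswith(".app")]
    return apps[-1] if apps else parts[-1]

def triage(log_text):
    """Return ({bundle: set of codesign options}, [messages with no known remedy])."""
    needed, unmapped = {}, []
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") != "error":
            continue  # only errors block notarization
        options = needed.setdefault(bundle_of(issue["path"]), set())
        if issue["message"] not in REMEDY:
            unmapped.append(issue["message"])
        elif REMEDY[issue["message"]]:
            options.add(REMEDY[issue["message"]])
    return needed, unmapped

def signing_command(bundle, options, identity):
    """Build the codesign invocation for one bundle as a shell-safe string."""
    argv = ["codesign", "--force"]
    for opt in sorted(options):
        argv += opt.split()
    return shlex.join(argv + ["--sign", identity, bundle])

if __name__ == "__main__":
    for bundle, opts in triage(SAMPLE_LOG)[0].items():
        print(signing_command(bundle, opts, "Developer ID Application: EXAMPLE (TEAMID)"))
```

Every issue path in the posted log ends inside the .app, so the bundle is signed first and the .pkg is built from the signed bundle.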
-
@Lindon little question to understand something. I successfully notarized my pkgs. I then created a zip archive with inside, the windows installer and the pkg. I don't need to notarize the zip? Or just sign it?
-
@yall said in Notarisation for dummies:
then created a zip archive with inside, the windows installer and the pkg
Why? Just give the user individual links. Most users only use one OS and you are wasting their bandwidth and yours by making them download things they probably don't need.
-
@d-healey it allows me to avoid looking for links, if a client later wants a Windows version for example, I should send them back. while the I zip it has everything, and WeTransfer. faster for me.
-
@yall said in Notarisation for dummies:
@d-healey it allows me to avoid looking for links, if a client later wants a Windows version for example, I should send them back. while the I zip it has everything, and WeTransfer. faster for me.
--what Dave said-- Not sure what happens to a zip with a Windows binary in it when it's opened on a Mac - seems a waste of end user bandwidth...
-
@lindon good ok I will give 2 links. I would do this for the polar bears! lol. that said, I notarized my zip containing exe and pkg successfully. but the stapling does not work and the test is rejected so I would only provide the pkg and exe
-
@yall -- odd I've never had staple process failures...
-
@lindon the terminal tells me that it cannot staple to a zip
-
@yall said in Notarisation for dummies:
@lindon the terminal tells me that it cannot staple to a zip
https://www.kvraudio.com/forum/viewtopic.php?t=531663
If you are distributing your plugins with a simple ZIP file, you still need to notarize that (you are actually notarizing the content of the ZIP). The problem here is that you can't staple a ZIP file
-
@Lindon I'm attempting to run auval.
I can get it to scan for all AU (which it only displays Apple AUs), however, I can't seem to get it to scan a particular AU or even scan for more than just Apple items.
What is the answer Oh Wise Apple Lorde?
-
@trillbilly I think like all Apple products (Logic I'm looking at you..) that it looks for the plugin id first and if there are two with the same ID it will only load (find) the first one.. so first step make sure your plugin has a unique ID, then make sure it's in the correct AU folder...
this: "or even scan for more than just Apple items" - makes me suspect you are not putting your plugins in the correct folder...
-
@lindon I just assumed it was the regular "components" folder. I will do auval with location and find where it is pulling the apple AUs from and direct mine there as well.
When you say unique ID, I assume you mean unique as in per developer? Or do they really want you to go through all AUs on the system and find a unique code...
I will be in studio in a few hours, I'm on dad duty at the moment.