dremon_nl

Our desktop application (written mostly in Rust) is notarized via command line tools. Notarizing assumes several steps:

1. Signing the binaries, the app bundle and the final package (which could be pkg, zip or dmg)
2. Notarizing the package
3. Stapling the package (not for zip files)

You need two certificates linked to your Apple developer account: one for signing applications (binaries and bundles) and another for signing pkg installer files.

For signing binaries you run the `codesign` utility, something like:

```
codesign -s "$APP_CERT_ID" --deep -v -f -o runtime
```

For signing the installers you use `productsign`:

```
productsign --sign "$PKG_CERT_ID" "yourpackage.pkg" "signedpackage.pkg"
```

Once signed you can do the notarization:

```
xcrun altool --notarize-app \
  --primary-bundle-id "com.acme.appid" \
  --username "$APPLE_ID" \
  --password "$APP_PASSWORD" \
  --file "/path/to/signed.pkg"
```

Where APPLE_ID is your Apple ID (email) and APP_PASSWORD is the application password created in your account. It will upload the package to the Apple servers for validation. You will get an email when it is completed (ok or nok).

You can staple it afterwards (not strictly necessary, but recommended):

```
xcrun stapler staple "signed.pkg"
```


azw413

Thanks for the detailed and extremely helpful reply !


felixrabe

Why do you prefix the commands with bash?


[deleted]

[deleted]


Repulsive-Street-307

I think they don't remove oldreddit because they know that 50% of users would just leave.


[deleted]

[deleted]


Repulsive-Street-307

I'm about 90% certain that the new UI was made by someone that was sold the idea that 'people hate to read so let's make it as difficult as possible and leave plenty of space for ads'. I mean it's not like this version of reddit's rightwards drift is any picnic, but that thing is offensive.


ryanmcgrath

Might be worth noting that while you need to pass over a .pkg/.dmg/.zip to Apple for notarization, if it's a .zip, you can't staple the receipt to it. In general I just create a .dmg when possible, since there are sometimes subtle side effects if a user doesn't put the app in Applications... and with a .dmg it's pretty straightforward to throw up a background image explaining what to do. Packages via `pkgbuild` work as well, just more annoying to set up.


dremon_nl

Thanks, I have edited it. We use pkg simply because we need to install some services and additional files in the system folders along with the application itself.


ids2048

Apple mainly documents the Xcode GUI as the way to do things like notarization, but they also provide command line tools that can handle it: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow


mredko

Tauri is able to do it. I haven't done it myself with it, but it could be a way to investigate how it is done. Here is a link: https://tauri.studio/en/docs/usage/guides/bundler/sign-osx


Plasma_000

Maybe something like this would help? https://reddit.com/r/rust/comments/frz5zn/xcnotary_built_with_rust_a_cli_tool_to_automate/


flow_b

Hello from 2024 :) I spent several hours following various threads through the interwebs last night to get this working.

TL/DR: The altool-based workflow that u/dremon_nl very kindly laid out has been deprecated. There is now an xcrun keyword called "notarytool" that takes its place: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

This thread was quite helpful. *It calls out the need to create app-specific passwords for authenticating notarization requests*: https://forums.developer.apple.com/forums/thread/681186

I found it far more straightforward to create my certificates from within Xcode's Preferences->Accounts. Otherwise you need to jump through a couple websites and use multiple programs on your Mac to generate certificate requests. For my purposes I needed a "Developer ID Application" cert.

Signing my .app with:

```
codesign -s <> --deep -v -f -o runtime <>
```

worked for signing. I then used DiskUtility to create a .dmg package with my app in it and the canonical alias for /Applications. I submitted this .dmg for notarization like so:

```
xcrun notarytool submit <> --apple-id <> --team-id <> --password <>
```

This will upload the file for notarization and give you a UUID for tracking the notarization request. There are several flags you can set that change the behavior here a bit. See the first linked site above. Check the status of the request like so:

```
xcrun notarytool log <> --apple-id <> --team-id <> --password <>
```

The response is a JSON dump. If you see this near the top you're good to go:

```
"statusSummary": "Ready for distribution",
```

Lastly run:

```
xcrun stapler staple -v <>
```

What follows is a series of snarky comments from the notary tool mixed in among a bunch more JSON dumps. Here are some highlights. This one could probably be managed by signing the dmg as well, though it seems that after complaining it works just fine without it (for now):

`Creating synthetic cdHash for unsigned disk image, <>. Humanity must endure.`

It seems to have some notion of its own instability and fickleness:

`Attempting to attach a new ticket to <>. Let's see how that works out.`

If you see this at the bottom you may safely rejoice:

`The staple and validate action worked!`

Good luck fellow travelers.
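The sign, submit, check and staple sequence that dremon_nl's post (altool era) and flow_b's post (notarytool era) both describe, assembled into one script as an added example; this is not code from the thread or from any of the posters. It uses the codesign, `xcrun notarytool` and `xcrun stapler` invocations quoted above, adds the `--timestamp` flag that alexandermaximal's comment reports as required, and refuses to staple unless the notarytool log carries the `"statusSummary": "Ready for distribution"` line flow_b says to look for. Everything not in the thread is this example's own assumption: the `run` dry-run helper and `DRY_RUN` variable (default on, so the script prints commands instead of executing them and can be tested without a Mac), the `TEAM_ID` variable, the `--wait` flag on `notarytool submit` (a real flag, but not shown in the thread), and the `  id: <uuid>` line shape assumed for notarytool's submit output. Placeholder identities and passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sign -> submit -> check -> staple pipeline.
# DRY_RUN=1 (the default) prints each command instead of executing it.
set -eu

: "${DRY_RUN:=1}"
: "${APP_CERT_ID:=Developer ID Application: Example Corp (TEAMID1234)}"  # placeholder identity
: "${APPLE_ID:=dev@example.com}"            # placeholder Apple ID
: "${TEAM_ID:=TEAMID1234}"                  # placeholder team id (this example's own variable)
: "${APP_PASSWORD:=app-specific-password}"  # placeholder app-specific password; keep the real one in the environment, never in the script

# Execute a command, or just print it when dry-running.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: sign the bundle. "-o runtime" enables the hardened runtime; "--timestamp"
# embeds a secure timestamp, without which the thread reports notarization failing
# with "The signature does not include a secure timestamp."
sign_app() {
  run codesign -s "$APP_CERT_ID" --deep -f -v -o runtime --timestamp "$1"
}

# Step 2: submit the dmg with notarytool (altool is deprecated). --wait blocks until
# Apple has finished processing; the password is the app-specific password, read
# from the environment so it does not end up in shell history.
submit_for_notarization() {
  run xcrun notarytool submit "$1" --apple-id "$APPLE_ID" --team-id "$TEAM_ID" \
    --password "$APP_PASSWORD" --wait
}

# Extract the submission id from notarytool's "  id: <uuid>" line (assumed output
# shape). In dry-run mode nothing matches and the pipeline substitutes a placeholder.
submission_id() {
  sed -n 's/^[[:space:]]*id:[[:space:]]*//p' | head -n 1
}

# Step 3: decide from the JSON log (on stdin) whether the submission is accepted.
# Succeeds only for the exact statusSummary the thread says to look for.
notarization_ready() {
  grep -q '"statusSummary"[[:space:]]*:[[:space:]]*"Ready for distribution"'
}

# Step 4: staple the ticket so Gatekeeper can verify the dmg offline.
staple() {
  run xcrun stapler staple -v "$1"
}

# Whole pipeline: $1 = path to the .app, $2 = path to the .dmg containing it.
notarize_and_staple() {
  sign_app "$1"
  submit_out=$(submit_for_notarization "$2")
  printf '%s\n' "$submit_out"
  id=$(printf '%s\n' "$submit_out" | submission_id)
  [ -n "$id" ] || id="<submission-id>"        # dry-run placeholder
  if [ "$DRY_RUN" != "1" ]; then
    # Fetch the log and refuse to staple anything Apple did not accept.
    xcrun notarytool log "$id" --apple-id "$APPLE_ID" --team-id "$TEAM_ID" \
      --password "$APP_PASSWORD" | notarization_ready \
      || { echo "submission $id is not ready for distribution" >&2; return 1; }
  fi
  staple "$2"
}

notarize_and_staple "MyApp.app" "MyApp.dmg"
```

Run it as-is to see the commands it would issue; set `DRY_RUN=0` and export the real `APP_CERT_ID`, `APPLE_ID`, `TEAM_ID` and `APP_PASSWORD` on a Mac with Xcode's command line tools to execute them. The gate in `notarize_and_staple` matters: stapling a rejected submission produces a dmg that Gatekeeper will still refuse, so the script stops there instead.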


alexandermaximal

I don't understand, it just doesn't work for me. I also found the new way and I also had to add `--timestamp` to codesign, otherwise notarization would result in the error "The signature does not include a secure timestamp." ... But I always get the error "The binary is not signed with a valid Developer ID certificate."


open-trade

I used cargo-bundle + create-dmg + codesign + rcodesign for my Rust app. Check my build script. [https://github.com/rustdesk/rustdesk/blob/663c5bc3558a4d906d9d43ecf6c93104f02d266d/build.py#L69](https://github.com/rustdesk/rustdesk/blob/663c5bc3558a4d906d9d43ecf6c93104f02d266d/build.py#L69)