Breaking notarisation :)

Bastiaan Olij bastiaan.olij at
Mon Nov 18 20:59:15 EST 2019

So my problem turned out to have nothing to do with notarisation, that all worked fine including notarising the installer.

The problem turned out to be one with rights. We install JobBag under administration rights so any profile on the machine can use the application (we have clients who share desktops between users, often freelancers or parttimers).
As a result the root/admin user becomes the owner of the application. Some of the files in the app bundle only had rights set for the owner (i.e. 500 or 700) meaning other users couldn't access those files and this broke the app.
Making sure the rights of the app bundle were set correctly (555, 777 etc) so all users can access the application and then building the installer ensured it was deployed correctly.

We ran into this before and had scripted setting the rights of files but it seems that didn't cover some of these, I don't know if this changed in the new Studio deployment or if I had changed the rights of the old 10.0 bundle all that time ago and forgotten to add these files to my script.

So be warned. Even if you don't install under admin you might want to set these rights properly so other users can run the app but you may get into trouble if any of the other users try and update the installation.

From: omnisdev-en <omnisdev-en-bounces at> on behalf of Das Goravani <das at>
Sent: Tuesday, 19 November 2019 11:45 AM
To: OmnisDev List - English <omnisdev-en at>
Subject: Re: Breaking notarisation :)

Maybe you know this already but just in case… Apple notarizes dmg, pkg, and zip, that’s all I’ve seen, no mention of bit rock. Your installer has to be notarized too.. otherwise it will get the malware warning, so most of us, after notarizing the app, package it up in one of those, and notarize it too.. so that they will not get the malware warning on it.. maybe, if you sign it and package it in a dmg for shipping, maybe that will work.. Apple notarizes the first level inside those three when you do the package deal… just as an aside I say that.. I was told by them I didn’t need to notarize my app first, only sign it, like as per Omnis doc.. which leaves you off at a notarized app.. when in fact the first thing they’ll see is your installer.. not even sure what notarizing an app is for, as it’s opening installers that is the thing.. good luck though…

> On Nov 18, 2019, at 4:18 PM, Bastiaan Olij <bastiaan.olij at> wrote:
> Hi All,
> Seeing a few others have already gone down this route, we're now diving into this as well. We were manually deploying 10.1 to clients who jumped the gun and upgraded to Catalina or who needed one of the fixes in it holding off with building installers and upgraders until a few niddly bits were fixed.
> We're moving forward now and creating full 10.1 installers now to deploy to our clients but hit a snag.
> Thanks to Andrei's excellent instructions we were able to sign and notarise JobBag without to many hassles. As far as we can tell we have a properly signed and notaries application now.
> But packaging that up in a bit rock installer breaks it. I'm about to go investigate this more and starts scraping through the bit rock related forums for answers but just in case someone here has run into it.. I'm guessing it is either not installing all of the code signature stuff, doing something weird with access rights or simply adding stuff to the installation like uninstall info. Anyone else using bit rock and already went through figuring this one out?
> Kindest Regards,
> Bastiaan Olij
> Head of development - Instinct Systems: The JobBag People
> Ground Floor, 48 Chandos Street
> St Leonards NSW 2065
> Australia
> Phone: +61 2 8115 8000
> Direct: +61 2 8115 8003
> Mobile: +61 4 321 44833
> bastiaan.olij at<mailto:bastiaan.olij at>
> _____________________________________________________________
> Manage your list subscriptions at
> Start a new message -> mailto:omnisdev-en at

Manage your list subscriptions at
Start a new message -> mailto:omnisdev-en at

More information about the omnisdev-en mailing list