Notarizing question

Phil (OmnisList) phil at pgpotter.co.uk
Thu Sep 3 09:43:46 EDT 2020


Hi Andy,

Apple recommends code signing every file...
from the inside out.

I wrote a lib to quickly create a list of required files, and then 
create a script from that list...

Calling Refreshlist creates ilFileList, ie the list, using ReEntry to go 
into sub folders...

##### Method 'RefreshList' #####
Local Variable    Type
llDirList         List

Method text:
    Do FileOps.$filelist(kFileOpsIncludeFiles+kFileOpsIncludeDirectories,icStartDir,kFileOpsInfoFullName+kFileOpsInfoIsDirectory) Returns llDirList

    Do llDirList.$search($ref.isdirectory=kTrue,kTrue,kFalse,kTrue,kTrue)
    Calculate ilFileList as llDirList
    Do ilFileList.$remove(kListDeleteSelected)

    Do llDirList.$remove(kListKeepSelected)
    Do method ReEntry (llDirList)

    Redraw (Refresh now) {ilFileList}

##### Method 'ReEntry' #####
Parameter         Type
plDirList         List

Local Variable    Type
llDirList         List

Method text:
    For plDirList.$line from 1 to plDirList.$linecount step 1

        Do FileOps.$filelist(kFileOpsIncludeFiles+kFileOpsIncludeDirectories,plDirList.fullname,kFileOpsInfoFullName+kFileOpsInfoIsDirectory) Returns llDirList

        Do llDirList.$search($ref.isdirectory=kFalse,kTrue,kFalse,kTrue,kTrue)
        Do ilFileList.$merge(llDirList,kTrue,kTrue)

        Do llDirList.$remove(kListDeleteSelected)
        If llDirList.$linecount>0
            Do method ReEntry (llDirList)
        End If
    End For

Then just create a script...
xattr at the beginning, and a codesign command per each line of the 
filelist.... in reverse order.

followed by any final things you want to do...
ie confirm the codesign
codesign -vvv --deep --strict 'appname'

in my script I use ditto to zip up the codesigned app ready to send for 
notarization, so put this into the script also. As per Das's comments 
really:

ditto -c -k --sequesterRsrc --keepParent 'appfile' 'zipfile'



regards
Phil Potter
Based in Chester in the UK.

On 03/09/2020 13:30, Andy Hilton wrote:
> Mike / Phil
>
> Ok yes so I did find that after running Mike's command I am now having to add a line for each individual file in the lower ranks to get code signed - did you say there *was* a recursive command for code signing ?
>
> I’ll be here forever otherwise !!
>
> Andy Hilton
> Totally Brilliant Software Inc
> Phone (US) : (863) 409 4870
> Phone (UK) : 0207 193 8582
> Web : www.totallybrilliant.com
> Helpdesk : http://totallybrilliant.kayako.com
> Email : andyh at totallybrilliant.com
>
>> On Sep 3, 2020, at 7:00 AM, Mike Matthews - Omnis <omnis at lineal.co.uk> wrote:
>>
>> I found some components were the problem, so I found the recursive command :). Then I redo the lot again.
>>
>> To remove Extended Finder Attributes for v8 & v10 Dev & Client versions: (quick)
>>
>> sudo xattr -rc /Users/mike/Desktop/notarisation/SourceFiles/LinealSQLWorksClient.app
>>
>>
>> Mike
>>
>>> On 3 Sep 2020, at 11:49, Phil (OmnisList) via omnisdev-en <omnisdev-en at lists.omnis-dev.com> wrote:
>>>
>>> Hi Mike,
>>>
>>> unless I am mistaken, he is not talking about the rest of the App., just the actual executable within the App...
>>>
>>> Sounds like he already has a script for the rest of the app structure...
>>>
>>> I recall an issue with our executable, a renamed omnis,  but cannot recall exactly what it was I did to correct it.
>>>
>>> Our solution may even have been, don't touch it, just codesign the stuff we have added or modified.
>>>
>>> When you say clear down, are you just meaning the --force on codesigning stuff again?
>>> Or something else?
>>>
>>> Out of curiosity, how did you recursively go inside all folders?
>>> I ended up creating a library that generated a script file with a codesign line for each file in the App structure.
>>> Noting that apple say that the -r option is what you do at the end to finalise it?
>>>
>>> I subsequently reduced the script to things that actually change so that the notarization process was a bit quicker.
>>>
>>> I recall getting caught out with the scripts we ran in the installer created with packages, failing to codesign them as well caused the package not to be notarised.
>>>
>>> regards
>>> Phil Potter
>>> Based in Chester in the UK.
>>>
>>> On 03/09/2020 10:04, Mike Matthews - Omnis wrote:
>>>> I’ll send you my parts that fix this problem.
>>>>
>>>> You have to clear down existing settings, recursively inside all folders, including xcomps.
>>>>
>>>> Mike
>>>>
>>>> On 3 Sep 2020, at 04:14, Andy Hilton <andyh at totallybrilliant.com> wrote:
>>>>
>>>> All
>>>>
>>>> I make my app, and follow the scripts I have previously got (an edit of Bas’s scripts) - and all passes muster, it appears notarized and stapled….
>>>>
>>>> I make a dmg - and again following the scripts I notarize my dmg
>>>>
>>>> Except this time I get a failure and following the logs, it tells me that the signature on the ‘Omnis’ app itself (TheApp/Contents/MacOS/Omnis) is invalid
>>>>
>>>> Anyone know why that may be and what command I should add to the prepare_build.sh script to correct it ?
>>>>
>>>> I am currently trying :
>>>>
>>>> codesign -f -o runtime --entitlements /Users/andy/Downloads/codesign/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Andy Hilton (6UMDUSHJ58)" //myAppName.app/Contents/MacOS/Omnis
>>>> codesign -f -o runtime --entitlements /Users/andy/Downloads/codesign/extended_entitlements.plist --timestamp --verbose -s "Developer ID Application: Andy Hilton (6UMDUSHJ58)" //myAppName.app/Contents/MacOS/Omnis
>>>>
>>>> _____________________________________________________________
>>>> Manage your list subscriptions at http://lists.omnis-dev.com
>>>> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com



More information about the omnisdev-en mailing list
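
The script-generation step described in the message above (xattr first, one codesign line per file from the deepest level outward, then the verify and ditto commands), as an added shell example that is not code from the thread. The function names, the identity string and the paths are placeholders supplied by the caller; it assumes no tabs or newlines in file names, signs the bundle itself last, and skips any existing _CodeSignature directory because signing the bundle rewrites it.

```shell
#!/bin/sh
# Added example: prints a signing script for an app bundle.
# It only generates text; nothing is signed until the output is reviewed and run on macOS.

# Single-quote a string so it can be pasted safely into the generated script.
quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# gen_sign_script APP IDENTITY ZIP   (all three are caller-supplied placeholders)
gen_sign_script() {
    app=$1 identity=$2 zip=$3
    sign="codesign -f -o runtime --timestamp -s $(quote "$identity")"

    printf '%s\n' '#!/bin/sh' 'set -e'
    # Clear extended attributes recursively before any signing.
    printf '%s\n' "xattr -rc $(quote "$app")"

    # One codesign line per file. Prefix each path with its component count and
    # sort numerically in reverse, so nested files are signed before shallower ones.
    find "$app" -type f ! -path '*/_CodeSignature/*' |
        awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2- |
        while IFS= read -r f; do
            printf '%s\n' "$sign $(quote "$f")"
        done

    # The bundle itself goes last, then the verification and the zip for notarization.
    printf '%s\n' "$sign $(quote "$app")"
    printf '%s\n' "codesign -vvv --deep --strict $(quote "$app")"
    printf '%s\n' "ditto -c -k --sequesterRsrc --keepParent $(quote "$app") $(quote "$zip")"
}

# Usage (placeholders): gen_sign_script "MyApp.app" "Developer ID Application: NAME (TEAMID)" "MyApp.zip" > sign.sh
```

Reading the generated file before running it shows the exact signing order, which is the first thing to check when notarization reports an invalid signature on one nested file.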