How to Notarize Pre BigSur and Xcode 12
Das Goravani
goravanis at gmail.com
Mon Sep 27 18:35:35 UTC 2021
I thought maybe it’s time to post this again. I’ve just gone through and updated this.
These notes work if you are using Xcode 11 on Catalina, and I imagine they work with 10 on Mojave, or 11 on Mojave, but they do not work on BigSur with Xcode 12.
You need to download and install Xcode and its command line tools. Each version of Xcode has an accompanying "Command Line Tools" download that you need to get and install. The developer site has the old versions on it.
https://developer.apple.com/download/all/?q=for%20Xcode . You'll have to sign in and scroll a lot to find the version of Xcode that you are looking for; with Catalina use 11.4 or such. Get the main Xcode file and also its Command Line Tools. You need both.
To notarize, you need to be an Apple Developer. If you are not one, then "ouch", because that I think is an expensive proposition to go through. You need your developer ID and a password you can get from the developer site.
https://appleid.apple.com/#!&page=signin
These notes assume you are using a DMG as your final package, as I do at present. You can also do a PKG package, but the commands are slightly different. Basically the difference is that with a PKG you sign the package with your Developer ID Installer certificate instead of your Developer ID Application certificate, and instead of the codesign command you use the productsign command for the package.
You need to sign on to Apple Developer and quickly (it's easy) get an app-specific password. Do that; it looks like a credit card number and you need it for a few of the commands herein. You can use an old one, any app-specific password you have gotten off the developer site; I've reused one over and over. There is a trick whereby you can paste them into the keychain and use them from there, but that hasn't worked for me, so I paste them onto these commands straight and that works.
Get your Apple Developer ID ready; you need it in a number of the commands.
You need to replace my paths herein with your own paths. Note that you can drag a file onto Terminal and it will type the path out for you; you can then copy and paste those into a document to get your commands ready. Prepare a document with your commands in it; you will use it next time you need to notarize, and reusing the same paths is easier.
All of these commands go fast except #3 and the notarization command, which take a few minutes to upload and then about 10-20 minutes while you wait for word from Apple. They email you one way or the other. The overall flow of this process is that you sign the heck out of your Omnis app that has your library inside it in First Run Install. You cannot add things later, so you have to have your Omnis fully ready to go before you notarize it.
We sign it, then we prepare our final package (DMG, PKG or ZIP), sign it, notarize it and staple it. So here we go.
Oh yes, you need two documents to be sitting on your computer, and you reference them in these commands: standard entitlements and extended entitlements. I'll paste their contents at the end of this so you can make your two documents. Note how they are referenced herein and name them those names. When you're done you have an installer that is notarized and stapled as an entity, but inside it is an Omnis that got notarized even though it is inside your final PKG or DMG. You will be good to go; you will run on Catalina forward.
On the difference between my way herein and the original Omnis tech note on Notarization: First, I don't submit the Omnis app first in a zip file. This is because notarization by Apple goes one level deep INTO either PKG or DMG or ZIP; it notarizes what is at root level in these containers. So you DO NOT need to notarize Omnis on its own first. I and some other developers on here do this and it works. The other change is that I do not run Omnis's first signing command. I forget what it's for, maybe oBrowser if I remember right; it's just not needed, the first signing step that Omnis has you do. The 3rd step here does it all.
1. Remove the remote debug library from startup if you don't use it, as it installs a menu in your app. Make sure your own files are in the First Run Install Startup folder, and make sure the xcomps are in place if any. You have to ready your Omnis first, for you cannot change it after you notarize or the notarization gets broken.
We're going to code sign the Omnis application now. We sign it a few ways.
Note that on paths, you can either write them the normal way and put them in quotes, or you can use backslashes before spaces to escape them. If you drag your app onto Terminal it will type the path for you with escape backslashes. Both ways work.
Run these 5 commands to sign the app:
The first command gets rid of Finder information and similar detritus (extended attributes). Always do it first for a clean start. Replace my paths with your paths.
1. xattr -cr /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.app
Note that in this next command the first path you encounter is to extended_entitlements.plist. You have to have this file on your machine and you need its path as shown here. The next path in this command you will have to type to get it right: you can get the first part of it by dragging, but the remainder of it you will type. Note that you need your "Developer ID Application: Name (ID)" signing identity, with the ID in parentheses as shown.
2. codesign -f -o runtime --entitlements /Users/Das\'s/Desktop/Deploying/extended_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZXXXXX7RU)" /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.app/Contents/Resources/remotedebug/node
Note that what I call "Jyotish Studio 5.4.app" here in is really my prepared Omnis app icon. It's the same throughout these notes.
3. codesign -f --deep -o runtime --entitlements /Users/Das\'s/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZXXXXXXRU)" /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.app
4. codesign -f -o runtime --entitlements /Users/Das\'s/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZxxXXX7RU)" /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.app
5. codesign -vvv --deep --strict /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.app
This is where Omnis has a section for making a zip file with just Omnis (your app) in it.. I cut that all out here.
Now make the final package in DropDMG or Packages or what have you. Now we code sign it, notarize and staple it
Note that in step 9 I use "Developer ID Application"; it's "Developer ID Installer" if you use a PKG file.
9. codesign -f --timestamp --verbose -s "Developer ID Application: Das Goravani (K6XXXXX7RU)" "/Users/Das's/Desktop/Deploying/build/Jyotish Studio 5.4.dmg"
10. xcrun altool --notarize-app --primary-bundle-id net.omnis.OmnisStudio --file /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.dmg --username das@goravani.com --password syfe-xxxx-xxxx-wvug
11. stapler staple /Users/Das\'s/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 5.4.dmg
You're done.
Test for notarization (optional):
spctl -a -t open --context context:primary-signature -v "PATH TO YOUR FINAL PACKAGE THAT YOU JUST NOTARIZED AND STAPLED"
This last command below is for checking on the status of a notarization attempt. If they say NO GO they will give you a long number (the request UUID) that you put into this command, and you can see a URL with info about your submission; debugging help is there. The -u and -p here are the same Apple ID username and app-specific password as in step 10.
xcrun altool --notarization-info e8df4d9c-848e-474e-8683-c42341e7586e -u das@goravani.com -p syfe-xxxx-xxxx-wvug
You're good to go.
This is the contents of a file you must name
standard_entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.personal-information.addressbook</key>
<true/>
<key>com.apple.security.personal-information.calendars</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
</dict>
</plist>
This following now is the contents of a file you must name
extended_entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.personal-information.addressbook</key>
<true/>
<key>com.apple.security.personal-information.calendars</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
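An added check, not from the post or from Omnis, for the two plists above and for steps 2 to 4 that apply them: several of these keys (library validation off, DYLD variables allowed, debugger, executable page protection off) are hardened-runtime exceptions that reduce what the signature protects, so it pays to confirm that the extended set goes only to the one helper signed in step 2 and that the app itself (steps 3 and 4) gets the standard set. The script uses Python's standard plistlib; the sample plists are constructed, trimmed copies of the two files.

```python
"""Audit hardened-runtime entitlements before codesign (added example, not
from the original post or from Omnis; standard library only)."""
import plistlib

# Hardened-runtime exception keys and Apple's documented effect of each.
RUNTIME_WEAKENING = {
    "com.apple.security.cs.disable-library-validation":
        "loads plug-ins/frameworks not signed by the same Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, which can inject code into the process",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "allows unsigned executable memory",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables code-signing protection of executable pages entirely",
    "com.apple.security.cs.debugger":
        "may attach to other processes as a debugger",
}

def enabled_entitlements(plist_bytes: bytes) -> set:
    """Keys set to <true/>; a key present as <false/> grants nothing."""
    return {k for k, v in plistlib.loads(plist_bytes).items() if v is True}

def audit(plist_bytes: bytes) -> list:
    """[(key, effect)] for enabled keys that weaken the hardened runtime."""
    return sorted((k, RUNTIME_WEAKENING[k])
                  for k in enabled_entitlements(plist_bytes)
                  if k in RUNTIME_WEAKENING)

def extra_entitlements(standard: bytes, extended: bytes) -> set:
    """Keys the extended plist enables beyond the standard one."""
    return enabled_entitlements(extended) - enabled_entitlements(standard)

# Constructed sample input: trimmed copies of the two plists in the post.
def _plist(*keys: str, disabled=()) -> bytes:
    rows = [b"<key>%s</key><true/>" % k.encode() for k in keys]
    rows += [b"<key>%s</key><false/>" % k.encode() for k in disabled]
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            + b"".join(rows) + b"</dict></plist>")

STANDARD = _plist("com.apple.security.automation.apple-events",
                  "com.apple.security.cs.disable-library-validation",
                  "com.apple.security.cs.allow-dyld-environment-variables")
EXTENDED = _plist("com.apple.security.automation.apple-events",
                  "com.apple.security.cs.disable-library-validation",
                  "com.apple.security.cs.allow-dyld-environment-variables",
                  "com.apple.security.cs.debugger",
                  "com.apple.security.cs.disable-executable-page-protection",
                  disabled=("com.apple.security.cs.allow-unsigned-executable-memory",))
```

To run it against your real files, pass `open("standard_entitlements.plist", "rb").read()` and the extended file to `audit` and `extra_entitlements`.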