How to do Notarization Now Nov 1 23 Sonoma
Das Goravani
goravanis at gmail.com
Wed Nov 1 13:35:34 UTC 2023
I gathered from others, with their help, how to do notarization now that it has switched from altool to notarytool. I have not done this yet. But these instructions should work.
First, you need to store your credentials in your keychain.
This is the command that stores your credentials in your keychain; you have to do this on each machine you notarize on.
xcrun notarytool store-credentials "KEYCHAIN_ITEM_NAME" --apple-id "YOUR_APPLE_ID" --team-id "YOUR_TEAM_ID" --password "YOUR_PASSWORD"
KEYCHAIN_ITEM_NAME is just a name you make up; this command uses that name for the entry that goes into your keychain, and you use this name later in the notarization command.
The team ID is part of your Apple Developer membership details and looks like this for example: K6Z7T5H7RU
Log into your account at https://developer.apple.com/ , click "Account", and it will take you through sign-in; then click on Membership Details (the centre icon just above the Program resources panel) and you will see your TEAM ID.
YOUR_PASSWORD is NOT your Apple ID password. It is the APP SPECIFIC PASSWORD you can create on Apple’s Developer Website online. The following page tells you how to do that (if you have not done that before): https://support.apple.com/en-gb/102654. It’s very simple to make an APP SPECIFIC PASSWORD.
Now you can code sign your app, see below for full instructions on how to code sign.
Make your DMG, PKG or ZIP and run the notarization command; 3 examples are below:
xcrun notarytool submit "path_to_dmg" --keychain-profile "KEYCHAIN_ITEM_NAME" --wait
xcrun notarytool submit /Users/Shared/notarisation_v11/FinishedFolder/LinealSQLWorksDev_v11.001b.dmg --keychain-profile "KEYCHAIN_ITEM_NAME" --wait
xcrun notarytool submit --wait --keychain-profile "KEYCHAIN_ITEM_NAME" "PATH_TO_DMG"
To check for errors, use this command, substituting your own ref code and your keychain profile name:
xcrun notarytool log 0962be1f-c094-493a-96be-xxxxxxxxxx --keychain-profile "KEYCHAIN_ITEM_NAME"
After you notarize, you have to staple:
xcrun stapler staple "path"
Test for notarization:
spctl -a -t install -vv "path"
This is assuming you have codesigned your app...
This next command should be run before you try to code sign. It removes extended attributes from the Omnis app you are notarizing.
xattr -c -r "path to your Omnis app"
This is an example of a code signing command.
Note that "~/Documents/Work/Standard_entitlements.plist" is the path to your standard entitlements plist, which is a text file containing entitlement instructions. The contents of this plist are found at the end of this post.
codesign -o runtime --entitlements ~/Documents/Work/Standard_entitlements.plist --timestamp=http://timestamp.apple.com/ts01 --verbose --force -s "YOUR_SIGNING_IDENTITY" "path/to/your/file"   # -s takes your "Developer ID Application: ..." identity; the file to sign comes last
Do this for every file inside the Omnis app tree, or "Contents" when you right-click on Omnis.
You can also code sign using the commands Omnis laid out in their tech note on notarization from a couple of years ago. Those commands include one that has the --deep flag specified, which causes it to code sign every file inside Omnis. Phil Potter wrote a method that makes a script listing all the files inside Omnis, and then he runs the above code sign command for every one of those files. I, Das Goravani, have up to now used, and still use, the --deep command Omnis laid out.
Here are the code signing commands Omnis laid out.
You have to run these commands in this order. You have to change things to your specifications, i.e. the paths etc.
1. xattr -cr "/Users/richard/Desktop/Deploying/Jyotish Studio 5/Jyotish Studio 7.5.app"
2. codesign -f -o runtime --entitlements /Users/richard/Desktop/Deploying/extended_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZRT5Y7RU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.5.app/Contents/Resources/remotedebug/node
3. codesign -f --deep -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZRT5Y7RU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.5.app
4. codesign -f -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZRT5Y7RU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.5.app
5. codesign -vvv --deep --strict /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.5.app
The last command will (or should) give you the message that your file "Satisfies designation requirements". On all of them it should say "Signed…" and not some error message.
Here is the contents of the standard entitlements plist
Make a text file with this text in it and put it somewhere. Note that in the code signing commands above you have to change the path to this file to suit your situation.
Name the file "standard_entitlements.plist" (without the quotes).
This is the contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.personal-information.addressbook</key>
<true/>
<key>com.apple.security.personal-information.calendars</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
</dict>
</plist>
Now do the same again and name this one extended_entitlements.plist.
Here are the contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.personal-information.addressbook</key>
<true/>
<key>com.apple.security.personal-information.calendars</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
More information about the omnisdev-en mailing list
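Added example, not code from the original post or from Omnis: one sh script that chains the steps described above (xattr, codesign, notarytool submit --wait, notarytool log on failure, stapler) and adds two checks a practitioner would want before shipping. It parses the id and status lines that notarytool prints in text mode so the script staples only on Accepted and fetches the log otherwise, and it audits the entitlements plist for Hardened Runtime exceptions. The two plists above enable several of these: disable-library-validation lets the signed app load libraries signed by anyone, allow-dyld-environment-variables lets DYLD_* variables act on it, disable-executable-page-protection permits memory that is both writable and executable, and debugger lets it attach to other processes. Each exception the app does not need is reach an attacker gets for free once the notarized binary is on a victim's machine. PROFILE, IDENTITY, the entitlements path, the sample notarytool output and the UUID in it are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Omnis.
# Wraps sign / submit / staple in one script and adds two offline checks:
# parsing the notarytool verdict, and auditing entitlements for Hardened
# Runtime exceptions. PROFILE, IDENTITY and ENTITLEMENTS are hypothetical
# defaults; override them in the environment.
set -eu

PROFILE="${PROFILE:-KEYCHAIN_ITEM_NAME}"   # name passed to store-credentials
IDENTITY="${IDENTITY:-Developer ID Application: YOUR NAME (YOUR_TEAM_ID)}"
ENTITLEMENTS="${ENTITLEMENTS:-${HOME:-/tmp}/Documents/Work/standard_entitlements.plist}"

# Entitlements that each switch off one Hardened Runtime protection.
RISKY_ENTITLEMENTS='com.apple.security.cs.disable-library-validation
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.debugger'

# First "id:" line of `notarytool submit` text output is the submission id.
# (Format assumed from notarytool's text mode; --output-format json plus a
# JSON parser is sturdier if you have one available.)
submission_id() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*id:/ { print $2; exit }'
}

# Last "status:" line is the verdict: Accepted, Invalid or Rejected.
submission_status() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*status:/ { s = $2 } END { print s }'
}

# Print each risky entitlement a plist enables (<key> line followed by <true/>).
audit_entitlements() {
  awk -v risky="$RISKY_ENTITLEMENTS" '
    BEGIN { n = split(risky, a, "\n"); for (i = 1; i <= n; i++) risk[a[i]] = 1 }
    /<key>/    { k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); pending = k; next }
    /<true\/>/ { if (pending in risk) print pending; pending = ""; next }
               { pending = "" }
  ' "$1"
}

# $1 = .app bundle, $2 = dmg/pkg/zip to notarize, further args = nested
# executables to sign before the bundle (signed inside-out, same entitlements).
sign_and_notarize() {
  app="$1"; artifact="$2"; shift 2
  if [ -n "$(audit_entitlements "$ENTITLEMENTS")" ]; then
    echo "warning: $ENTITLEMENTS enables Hardened Runtime exceptions:" >&2
    audit_entitlements "$ENTITLEMENTS" >&2
  fi
  xattr -cr "$app"
  for nested in "$@"; do
    codesign -f -o runtime --entitlements "$ENTITLEMENTS" --timestamp --verbose -s "$IDENTITY" "$nested"
  done
  codesign -f -o runtime --entitlements "$ENTITLEMENTS" --timestamp --verbose -s "$IDENTITY" "$app"
  codesign -vvv --deep --strict "$app"
  out=$(xcrun notarytool submit "$artifact" --keychain-profile "$PROFILE" --wait) || true
  id=$(submission_id "$out"); status=$(submission_status "$out")
  if [ "$status" != "Accepted" ]; then
    echo "submission '$id' finished with status '$status'; fetching log" >&2
    xcrun notarytool log "$id" --keychain-profile "$PROFILE"
    return 1
  fi
  xcrun stapler staple "$artifact"
  xcrun stapler validate "$artifact"
}

# Constructed sample of `notarytool submit --wait` text output (not real data),
# so the parsers can be exercised on a machine without Xcode.
SAMPLE_SUBMIT_OUTPUT='Submission ID received
  id: 11111111-2222-3333-4444-555555555555
Successfully uploaded file
  id: 11111111-2222-3333-4444-555555555555
Waiting for processing to complete.
Processing complete
  id: 11111111-2222-3333-4444-555555555555
  status: Invalid'

self_check() {
  [ "$(submission_id "$SAMPLE_SUBMIT_OUTPUT")" = "11111111-2222-3333-4444-555555555555" ] &&
  [ "$(submission_status "$SAMPLE_SUBMIT_OUTPUT")" = "Invalid" ]
}

case "${1:-}" in
  selftest) self_check && echo "parsers ok" ;;
  run)      shift; sign_and_notarize "$@" ;;
esac
```

Run `sh notarize.sh selftest` anywhere to exercise the parsers, and `sh notarize.sh run "My.app" "My.dmg" "My.app/Contents/Resources/remotedebug/node"` on the signing Mac, after `store-credentials` has been run there. The audit only warns; whether a given exception is needed is a decision for the app's owner, but it should be a decision, not a copied plist.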