Answering my own question here, maybe it helps someone.
This can be done automatically by Xcode; however, if you need to configure this manually (maybe you have Continuous Integration, or whatever), this might help.
According to Apple:
Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components.
If there are no issues, the notary service generates a ticket for you to staple to your software.
Notarization will be required for binaries, frameworks, dylibs and apps in future macOS releases.
In order to do this, some steps are necessary:
- add --timestamp to Other Code Signing Flags in Build Settings for each target that produces a binary, framework, dylib or app
- add --options=runtime to Other Code Signing Flags (for Xcode < 10.2) or Enable Hardened Runtime (for Xcode >= 10.2) in Build Settings
- code sign everything (dylibs, frameworks, binaries and .apps).
Next, notarization can be done as follows:
- include every file that needs to be notarized in a .zip file (other supported formats: .dmg, .pkg)
- upload the supported format to Apple's notarization service, e.g.:
xcrun altool --notarize-app -f <path_to_zip_dmg_or_pkg> --primary-bundle-id <bundle_identifier> -u <apple_id> -p @keychain:"Application Loader: <apple_id>"
---> this returns a UUID, which will also be sent to the mail address for the provided <apple_id> after the notarization is done
- check status and error logs (if any) with
xcrun altool --notarization-info <UUID_from_previous_step> -u <apple_id> -p @keychain:"Application Loader: <apple_id>"
- the error logs can be downloaded with curl LogFileURL, where LogFileURL is returned in the JSON response of the previous command
- if everything is fine, just staple the notarization using the command xcrun stapler staple -v <path_to_app_dmg_or_pkg>; only app, dmg and pkg can be stapled.
Other useful commands:
- use codesign -dvvv <path_to_file> to check if code signing is done; also check the timestamp value
- use spctl -a -v <path_to_file> to check if stapling is valid
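The steps above, chained into a CI-style script, as an added example that is not part of the original answer or of Apple's tooling. It signs the bundle with --timestamp and --options=runtime, zips and uploads it, polls --notarization-info until the ticket is ready (fetching the log with curl if the package is rejected), then staples and verifies. The app path, Developer ID identity, bundle id, Apple ID and keychain item name are placeholders; the small sed parsers assume altool's default human-readable output ("RequestUUID = ...", "Status: ...", "LogFileURL: ..."), and the two sample outputs embedded at the bottom are constructed to exercise those parsers offline.

```shell
#!/bin/sh
# Added example wrapper around the manual notarization steps (not from the answer).
# Placeholders (replace or export): APPLE_ID, KEYCHAIN_ITEM, BUNDLE_ID, SIGN_IDENTITY.
set -e

APPLE_ID="${APPLE_ID:-developer@example.com}"                                     # placeholder
KEYCHAIN_ITEM="${KEYCHAIN_ITEM:-Application Loader: $APPLE_ID}"                   # as in the answer
BUNDLE_ID="${BUNDLE_ID:-com.example.myapp}"                                       # placeholder
SIGN_IDENTITY="${SIGN_IDENTITY:-Developer ID Application: Example Corp (TEAMID)}" # placeholder
POLL_SECONDS="${POLL_SECONDS:-30}"

# Parsers for altool's default text output: read stdin, print the first value found.
request_uuid()        { sed -n 's/^[[:space:]]*RequestUUID[[:space:]=:]*//p' | head -n 1; }
notarization_status() { sed -n 's/^[[:space:]]*Status:[[:space:]]*//p'        | head -n 1; }
log_file_url()        { sed -n 's/^[[:space:]]*LogFileURL:[[:space:]]*//p'    | head -n 1; }

# Step 1: sign nested frameworks/dylibs first, then the .app, with a secure
# timestamp and the hardened runtime (adjust the find for other nested helpers).
sign_bundle() {
  app=$1
  find "$app/Contents/Frameworks" -maxdepth 1 \( -name '*.dylib' -o -name '*.framework' \) 2>/dev/null |
  while IFS= read -r item; do
    codesign --force --timestamp --options=runtime --sign "$SIGN_IDENTITY" "$item"
  done
  codesign --force --timestamp --options=runtime --sign "$SIGN_IDENTITY" "$app"
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Step 2: zip the bundle (ditto keeps symlinks and the parent folder) and upload it.
# Prints the RequestUUID on stdout.
upload() {
  app=$1
  zip="${app%.app}.zip"
  /usr/bin/ditto -c -k --keepParent "$app" "$zip"
  xcrun altool --notarize-app -f "$zip" --primary-bundle-id "$BUNDLE_ID" \
      -u "$APPLE_ID" -p "@keychain:$KEYCHAIN_ITEM" 2>&1 | request_uuid
}

# Step 3: poll until Status is "success"; on "invalid", fetch LogFileURL with curl.
wait_for_notarization() {
  uuid=$1
  while :; do
    info=$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" \
             -p "@keychain:$KEYCHAIN_ITEM" 2>&1 || true)   # tolerate transient errors
    status=$(printf '%s\n' "$info" | notarization_status)
    case "$status" in
      success) return 0 ;;
      invalid)
        echo "notarization rejected for $uuid; log follows" >&2
        url=$(printf '%s\n' "$info" | log_file_url)
        [ -n "$url" ] && curl -s "$url" >&2
        return 1 ;;
      *) sleep "$POLL_SECONDS" ;;          # "in progress" or no status yet
    esac
  done
}

# Step 4: staple the ticket and verify signature, timestamp and Gatekeeper verdict.
staple_and_verify() {
  app=$1
  xcrun stapler staple -v "$app"
  xcrun stapler validate "$app"
  spctl -a -v "$app"
  codesign -dvvv "$app" 2>&1 | grep Timestamp || echo "warning: no secure timestamp in signature" >&2
}

notarize() {
  app=$1
  sign_bundle "$app"
  uuid=$(upload "$app")
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID in altool output" >&2; return 1; }
  echo "RequestUUID $uuid" >&2
  wait_for_notarization "$uuid"
  staple_and_verify "$app"
}

# Constructed samples shaped like altool's default output, for checking the parsers offline.
SAMPLE_UPLOAD_OUTPUT="No errors uploading './build/MyApp.zip'.
RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041"
SAMPLE_INFO_OUTPUT='No errors getting notarization info.

          Date: 2019-04-08 10:00:00 +0000
          Hash: 0000000000000000000000000000000000000000000000000000000000000000
    LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma123/v4/log.json
   RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041
        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

# Usage: ./notarize.sh ./build/MyApp.app   (runs nothing when called without an argument)
if [ $# -ge 1 ]; then notarize "$1"; fi
```

The full run needs Xcode's command line tools, a Developer ID certificate in the login keychain and the app-specific password stored under the keychain item name used in the answer; without an argument the script only defines the functions, so the parsers can be exercised against the embedded samples.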