10

I have an app that is signed, notarized and stapled, then archived into a zip file which is used as the object for my Sparkle updater.

I also distribute it on a DMG image for new users (and it is the main download from my website). Can I just put the notarized/stapled app on a DMG, or do I need to go through a separate notarization and staple process for the DMG file?

Trygve
  • You need to notarize the DMG also. – Jim Merkel Aug 06 '19 at 01:43
  • So for a simple app I can notarize the .app, archive it to a .zip and make it available for a Sparkle update. Then notarize the .dmg which contains the .app. Will the .app end up with a stapled ticket in that case? I ask because once the .app is copied off the .dmg and the .dmg is ejected/removed, the .app is all that is left and will need to have a ticket if it is to work without an active internet connection. – Trygve Aug 06 '19 at 03:07
  • Yes, that works recursively. Check it with spctl or check the notarization log. – jvarela Aug 06 '19 at 06:03
  • After notarizing the .dmg, I run "xcrun stapler validate --verbose" on the .dmg and get "The validate action worked", but opening the .dmg and running the same command on the enclosed .app results in "My.app does not have a ticket stapled to it." although spctl -a -v shows that the app is notarized. This seems like a worse situation than just copying the correctly stapled .app to a dmg and not notarizing the .dmg itself. – Trygve Aug 06 '19 at 20:26
  • Are you getting any warning on launch from gatekeeper? – Parag Bafna Aug 21 '19 at 18:24

3 Answers

7

You only have to notarize the app once:

  1. Create a DMG file with the signed app.
  2. Sign, notarize and staple the DMG file.
  3. Open the DMG file and copy the app outside. Staple it and create an archive for Sparkle [1].

To confirm that the app is notarized run this command:

spctl -a -t exec -vv MyApp.app

And you'll see something like:

MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Name (ID)

(Notice how the source is "Notarized Developer ID")

You can also confirm that the ticket is stapled by running this command:

xcrun stapler validate MyApp.app

And you'll see this message:

Processing: /path/to/MyApp.app
The validate action worked!

Notarizing the DMG file is enough because the notarization service notarizes any app inside the disk image. From Apple documentation:

Alternatively, you can put apps, kernel extensions, and other software in a container, like a disk image, and notarize the container. The notary service accepts disk images (UDIF format), signed flat installer packages, and ZIP archives. It processes nested containers as well, like packages inside a disk image.


[1] You can use the DMG file for Sparkle too. No need for a second archive. From Sparkle documentation:

Sparkle supports updating from DMG, ZIP archives, tarballs, and installer packages, so you can generally reuse the same archive for distribution of your app on your website as well as Sparkle updates.

Hejazi
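The three steps and the two checks in the answer above, as an added shell script that is not part of Hejazi's answer or of any project's tooling. It assumes placeholder names (an already Developer ID-signed build/MyApp.app, a notarytool keychain profile named AC_PROFILE created with `xcrun notarytool store-credentials`, and a DEV_ID identity string); the sample spctl and stapler output it recognises is the output quoted in the answer, and the check functions parse that output so the verdict is explicit rather than inferred from exit codes alone:

```shell
#!/bin/sh
# Added example (not the answer author's script). Notarize-once workflow:
# build a DMG around an already Developer ID-signed MyApp.app, sign/notarize/staple
# the DMG, then pull the app back out of it, staple the app and zip it for Sparkle.
# Assumptions (placeholders, not from the original page): app at build/MyApp.app,
# a notarytool keychain profile called AC_PROFILE, DEV_ID holding your
# "Developer ID Application: ..." identity. Override any of them via the environment.
set -eu

APP="${APP:-build/MyApp.app}"
DMG="${DMG:-build/MyApp.dmg}"
OUT_APP="${OUT_APP:-build/sparkle/MyApp.app}"
ZIP="${ZIP:-build/sparkle/MyApp.zip}"
PROFILE="${PROFILE:-AC_PROFILE}"
DEV_ID="${DEV_ID:-Developer ID Application: Name (TEAMID)}"

# Steps 1-2: DMG containing only the signed app; sign, notarize (waiting for the
# verdict) and staple the DMG. `notarytool --wait` exits non-zero on a rejected
# submission, so set -e stops the script before anything gets stapled.
notarize_dmg() {
  stage=$(mktemp -d)
  cp -R "$APP" "$stage/"
  hdiutil create -volname "MyApp" -srcfolder "$stage" -format UDZO -ov "$DMG"
  rm -rf "$stage"
  codesign --sign "$DEV_ID" --timestamp "$DMG"
  xcrun notarytool submit "$DMG" --keychain-profile "$PROFILE" --wait
  xcrun stapler staple "$DMG"
}

# Step 3: mount the stapled DMG, copy the app out, staple the app itself (the notary
# service issued a ticket for the nested bundle along with the DMG's ticket, and
# stapler fetches it by the app's code-directory hash), then zip with ditto so the
# bundle survives intact for Sparkle.
extract_and_staple_app() {
  mnt=$(mktemp -d)
  hdiutil attach "$DMG" -mountpoint "$mnt" -nobrowse -quiet
  mkdir -p "$(dirname "$OUT_APP")"
  rm -rf "$OUT_APP"
  ditto "$mnt/$(basename "$APP")" "$OUT_APP"
  hdiutil detach "$mnt" -quiet
  xcrun stapler staple "$OUT_APP"
  ditto -c -k --sequesterRsrc --keepParent "$OUT_APP" "$ZIP"
}

# Parsing helpers. spctl's "accepted" alone is not the signal the answer tells you to
# look for; the source line must say "Notarized Developer ID", not just "Developer ID".
spctl_says_notarized() {
  printf '%s\n' "$1" | grep -q ': accepted$' \
    && printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID$'
}

stapler_says_stapled() {
  printf '%s\n' "$1" | grep -q 'The validate action worked!'
}

# Run both checks against a real bundle. spctl reports on stderr, hence 2>&1.
verify_app() {
  spctl_says_notarized "$(spctl -a -t exec -vv "$1" 2>&1)" \
    && stapler_says_stapled "$(xcrun stapler validate "$1" 2>&1)"
}

if [ "${1:-}" = "run" ]; then
  notarize_dmg
  extract_and_staple_app
  verify_app "$OUT_APP" && echo "ok: $OUT_APP is notarized and stapled; ship $DMG and $ZIP"
fi
```

Run it as `sh notarize.sh run` on a Mac with Xcode 13 or later (for notarytool). The nested app's ticket is keyed by its code-directory hash, so do not re-sign or otherwise touch the app after submitting the DMG: `stapler staple` on the extracted copy would then find no ticket, and you would be back in the situation the comments describe, where the app is notarized online but has nothing stapled for the offline case.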
5

From what I read at the Apple docs (see quote below) and from my experience with my own and other apps, it's enough to just notarize the DMG. You don't have to notarize the App first...

"For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle."

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734

ToFi
4

You must zip the app, send the zip for notarization, then staple the original app. Then make the dmg with the stapled app, zip the dmg, send it for notarization, staple the dmg, and distribute.

Richard Barber