macOS dmg package signing and notarization

1. Background

  • Starting with macOS 10.15 (Catalina), apps distributed outside the Mac App Store must be signed with a Developer ID certificate and notarized by Apple. Otherwise, after the user downloads and installs the app, Gatekeeper shows a "can't be opened" dialog whose only option is "Move to Trash".
  • Our company's cross-platform Mac software is hosted on the company's own server for download, and this problem appeared after macOS 10.15. After many twists and turns the signing and notarization succeeded, as recorded below.
  • Because the software is cross-platform and is built and packaged by a one-click script, the solution here is done entirely from the command line.
  • The software is called Dog and ships as a dmg; identifying details are replaced with xxxx below.

2. Signing certificate

  • See Apple's documentation: Create, export, and delete signing certificates.
  • This was handled by the colleague who manages the team's developer account: obtain the Developer ID Application certificate exported as a .p12 file and import it into the login keychain. The .p12 contains the certificate's private key, so treat it as a secret: anyone holding it can sign software in the company's name.
  • The installed certificate can be seen in Keychain Access.

3. Signing

  • See Apple's documentation: Distribute outside the Mac App Store (macOS).

  • Signing Dog.app

    • Command
      // The quoted string is the certificate name, as shown for the installed certificate in Keychain Access.
      // -f replaces any existing signature, -o runtime enables the hardened runtime,
      // --deep also signs the nested frameworks and helper binaries inside the bundle.
      codesign -f -o runtime -s "Developer ID Application: xxxx Ltd. (6LRF78xxxx)" -v Dog.app --deep
      
    • Remarks
      • Without the -o runtime option above, notarization fails with the following error:

        "The executable does not have the hardened runtime enabled"

      • One suggestion found when searching was to enable the Hardened Runtime item in the Xcode project settings, but because the third-party library we use reported the same error, that did not solve the problem. Later I found a way to add the -o runtime parameter to the signing command in a comment on GitHub and tried it; the relevant one is the last comment in that thread.
  • Checking the signature

    • Command

      spctl --verbose=4 --assess --type execute Dog.app

    • Output

      // Before notarization the assessment is rejected, as follows:
      Dog.app: rejected
      source=Unnotarized Developer ID

  • Signing Dog.dmg

    • After appdmg has generated Dog.dmg, the dmg itself must also be signed.
    • The command is the same as above, with Dog.app replaced by Dog.dmg.

4. Notarization

  • Apple's documentation describes how to notarize as follows:

    For more information about how to use the Xcode UI to upload your software, see Upload a macOS app to be notarized.
    For targets other than macOS apps, use the altool command line utility to notarize, as described in Customizing the Notarization Workflow.

  • That is, an app bundle can be uploaded for notarization from the Xcode UI; see Upload a macOS app to be notarized for details.

  • Anything else, such as Dog.dmg, is uploaded with the altool command line; see Customizing the Notarization Workflow for details. It gives this upload command:

    % xcrun altool --notarize-app
                   --primary-bundle-id "com.example.ote.zip"
                   --username "AC_USERNAME"
                   --password "@keychain:AC_PASSWORD"
                   --asc-provider <ProviderShortname>
                   --file OvernightTextEditor_11.6.8.zip
    
  • The command used here. Note that passing the app-specific password in clear text on the command line leaves it in the shell history and visible to other local users via ps; Apple's sample above avoids that with the @keychain:AC_PASSWORD form, which reads it from a keychain item instead.

    # primary-bundle-id : the App ID; ask whoever created the signing certificate
    # username : the developer account (Apple ID); ask whoever created the signing certificate
    # password : an app-specific password (sign in at appleid.apple.com, click Generate Password and create one, so the real account password is never exposed); ask whoever created the signing certificate
    # asc-provider : the certificate provider (ProviderShortname); ask whoever created the signing certificate
    # file : path of the package to notarize
    xcrun altool --notarize-app \
                 --primary-bundle-id "6LRF78xxxx.cn.xxxx.Xixxxx" \
                 --username "[email protected]" \
                 --password "ayrs-xxxx-xxxx-tjhf" \
                 --asc-provider "6LRF78xxxx" \
                 -t osx \
                 --file "./Dog.dmg"
    
    • Parameter asc-provider

      • Searching online, it is said to be obtained with the command xcrun altool --list-providers -u "apple id" -p "app password", but that always gave me an error, so I obtained it instead by running the following command on the MacBook where the certificate was created:
        security find-identity -p codesigning
      • The result is
        Developer ID Application: xxxx (Beijing) Network Technology Co., Ltd. (6LRF78xxx)
        // The value used is the 6LRF78xxx in parentheses (the Team ID)

    • Parameter file

      • Tested with both absolute and relative paths; either works.
      • The dmg can be submitted directly; there is no need to wrap it in a pkg or zip first.
    • Output

      // If the following appears, simply retry the upload
      *** Error: An error occurred saving your changes to the Apple database.
      This problem may be a transient issue on the Apple side.  If the problem persists for
       more than an hour, please contact your iTunes representative. (1129)
      // If the following appears, the upload succeeded
      No errors uploading './Dog.dmg'.
      RequestUUID = cb2524dd-f691-xxxx-acc3-8807exxxx864

    • If the upload reports no error, the returned RequestUUID is what you use to query the notarization result.

  • Querying the notarization result

    • Command
    # username and password: same as above
    xcrun altool --notarization-info cb2524dd-f691-xxxx-acc3-8807exxxx864 \
                 --username "[email protected]" \
                 --password "ayrs-xxxx-xxxx-tjhf"

    • Output
    // While the request is still being processed
    No errors getting notarization info.

              Date: 2020-10-26 07:56:27 +0000
              Hash: 13bf499496e371751b127190xxxx489663b890cdfd72c
       RequestUUID: cb2524dd-f691-xxxx-acc3-8807exxxx864
            Status: in progress
    
    // If notarization succeeded
    No errors getting notarization info.
    
              Date: 2020-10-26 07:56:55 +0000
              Hash: 13bf499496e371751b1xxxxc86fd6eddebf489663b890cdfd72c
        LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma124/v4/c7/56/a0/c756a0cf-b58c-1658-1904-d75e5a7e3c0e/developer_log.json?accessKey=1603893616_8033843945181087xxxx2Cdu3YhDOrVYv4%2FEmd8QWqhlKn1s4u92SbQqAR5mPQhMX66pTtSXi9vFQPWzttmQ60aqxxxxNZVr4ZjTJeV9jie%2BVmIKl0B95SXDKHGOuaYiFteW1opHFS%2FxJCw0CvkOG2RYLagtULbzbxxxxQkUgcc%2Fc%3D
       RequestUUID: cb2524dd-f691-xxxx-acc3-8807exxxx864
            Status: success
       Status Code: 0
    Status Message: Package Approve
    
  • If the app's signature is assessed again at this point:

    spctl --verbose=4 --assess --type execute Dog.app
    // Output after notarization: now accepted
    Dog.app: accepted
    source=Notarized Developer ID
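The following script is added here as an editor's example; it is not code from the original post. It strings together the steps of sections 3 and 4: it signs Dog.app and Dog.dmg with the hardened runtime and verifies the signature strictly, uploads the dmg with altool, retries the transient (1129) error, extracts the RequestUUID, polls --notarization-info until the status is final, and finally staples the notarization ticket to the dmg with xcrun stapler, a step the post does not cover (without the staple, Gatekeeper has to reach Apple's servers to look the ticket up, so an offline Mac cannot confirm the notarization). The identity string, bundle ID, Apple ID and the AC_PASSWORD keychain item are hypothetical placeholders; the app-specific password is read from the keychain rather than passed on the command line. The text helpers are plain shell, so the parsing, retry and polling logic can be exercised on any host with constructed altool output; the codesign, xcrun and spctl calls naturally need macOS. Apple has since retired altool's --notarize-app in favour of xcrun notarytool, whose output format differs; the script keeps the altool commands the post is about.

```shell
#!/bin/sh
# Added example (editor's, not code from the original post): sign, notarize, poll and staple
# Dog.dmg in one run, wrapping the codesign/altool commands the post types by hand.
# Assumed values are hypothetical; replace them with your own:
#   SIGN_ID      identity string as listed by `security find-identity -p codesigning`
#   ASC_PROVIDER Team ID, the value in parentheses at the end of that string (derived below)
#   AC_USERNAME  the Apple ID. Its app-specific password is NOT put on the command line (it
#                would show up in `ps` and shell history) but read from a login-keychain item
#                named AC_PASSWORD, created once with
#                xcrun altool --store-password-in-keychain-item AC_PASSWORD -u <apple id> -p <app-specific password>
SIGN_ID=${SIGN_ID:-"Developer ID Application: xxxx Ltd. (6LRF78xxxx)"}
PRIMARY_BUNDLE_ID=${PRIMARY_BUNDLE_ID:-"6LRF78xxxx.cn.xxxx.Dog"}
AC_USERNAME=${AC_USERNAME:-"appleid@example.com"}
AC_PASSWORD_REF="@keychain:AC_PASSWORD"

# ---- pure text helpers (no network), so the workflow logic can be checked on any host ----

# Team ID from an identity line such as '... Co., Ltd. (6LRF78XXXX)' (last parenthesised token).
team_id_from_identity() {
    printf '%s\n' "$1" | sed -n 's/.*(\([[:alnum:]]*\))[^)]*$/\1/p' | head -n 1
}

# RequestUUID from `altool --notarize-app` output; prints nothing if the upload failed.
altool_request_uuid() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*RequestUUID = \([0-9A-Za-z-]*\).*/\1/p' | head -n 1
}

# Value of the "Status:" line from `altool --notarization-info` output ("in progress",
# "success", "invalid"). "Status Code:" and "Status Message:" do not match the pattern.
altool_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status: \(.*\)$/\1/p' | head -n 1
}

# True when the upload hit the transient Apple-side error (1129) the post says to retry on.
altool_transient_error() {
    printf '%s\n' "$1" | grep -q 'An error occurred saving your changes to the Apple database'
}

ASC_PROVIDER=${ASC_PROVIDER:-$(team_id_from_identity "$SIGN_ID")}

# ---- the workflow (needs macOS with the Xcode command line tools) ----

# Sign with the hardened runtime (the -o runtime flag the post needed), then verify strictly so
# an unsigned or differently signed nested binary fails here rather than at notarization time.
sign_code() {
    codesign -f -o runtime -s "$SIGN_ID" -v --deep "$1" &&
    codesign --verify --deep --strict --verbose=2 "$1"
}

# Upload the dmg, retrying the transient 1129 error up to 3 times; print the RequestUUID.
submit_for_notarization() {
    attempt=1
    while [ "$attempt" -le 3 ]; do
        out=$(xcrun altool --notarize-app --primary-bundle-id "$PRIMARY_BUNDLE_ID" \
                --username "$AC_USERNAME" --password "$AC_PASSWORD_REF" \
                --asc-provider "$ASC_PROVIDER" -t osx --file "$1" 2>&1) || true
        uuid=$(altool_request_uuid "$out")
        if [ -n "$uuid" ]; then printf '%s\n' "$uuid"; return 0; fi
        if altool_transient_error "$out"; then
            echo "transient Apple-side error, retrying ($attempt/3)" >&2
            attempt=$((attempt + 1)); sleep 30; continue
        fi
        printf '%s\n' "$out" >&2; return 1
    done
    return 1
}

# Poll --notarization-info every 60 s (at most 30 times) until Apple reports a final status.
wait_for_notarization() {
    polls=0
    while [ "$polls" -lt 30 ]; do
        out=$(xcrun altool --notarization-info "$1" \
                --username "$AC_USERNAME" --password "$AC_PASSWORD_REF" 2>&1) || true
        case "$(altool_status "$out")" in
            success) return 0 ;;
            "in progress"|"") polls=$((polls + 1)); sleep 60 ;;
            *) printf '%s\n' "$out" >&2; return 1 ;;  # rejected: the LogFileURL in $out says why
        esac
    done
    echo "timed out waiting for notarization request $1" >&2; return 1
}

# Full pipeline: sign the app, build the dmg with appdmg (as in the post; an appdmg.json is
# assumed), sign the dmg, notarize it, then staple the ticket so Gatekeeper accepts it offline.
release_dog() {
    sign_code Dog.app &&
    appdmg appdmg.json Dog.dmg &&
    sign_code Dog.dmg &&
    uuid=$(submit_for_notarization Dog.dmg) &&
    wait_for_notarization "$uuid" &&
    xcrun stapler staple Dog.dmg &&
    spctl --assess --type open --context context:primary-signature -v Dog.dmg
}

# Only run the pipeline when invoked as `sh release.sh release`; sourcing just defines helpers.
if [ "${1:-}" = "release" ]; then release_dog; fi
```

Run it on the build Mac as sh release.sh release from the directory containing Dog.app and appdmg.json; sourcing it with . ./release.sh only defines the functions, which is how the parsers can be exercised against saved altool output.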

5. References

  • Create, export, and delete signing certificates (Apple Developer documentation)
  • Distribute outside the Mac App Store (macOS) (Apple Developer documentation)
  • Upload a macOS app to be notarized (Apple Developer documentation)
  • Customizing the Notarization Workflow (Apple Developer documentation)

Source: blog.csdn.net/luoshabugui/article/details/109295413